Beware the quadruple whammy: Fighting the many faces of ransomware

Worries about ransomware are becoming more prevalent—and for good reason. In a recent survey, the Cyber Security Agency of Singapore (CSA) found that 85 percent of citizens and permanent residents were moderately or extremely concerned about a ransomware attack, while 40 percent considered it somewhat or extremely likely that they would encounter one. 

Modern ransomware attacks typically follow the same modus operandi: attackers encrypt the target organisation’s files and demand payment in exchange for access restoration. Some organisations choose not to pay ransom, especially if they maintain their own file backups. But in late 2019, the Maze ransomware family pioneered the double extortion technique, defined by the threat to publicly release victims’ data—a demand that was far more difficult to ignore.

Yet, even paying ransom does not guarantee that attackers will keep their word. As ransomware operators expand their target range and become more sophisticated in their methods, many Asia Pacific organisations are racing against the clock to establish robust cyber resilience best practices and avoid falling prey to them.

Ransomware’s evolutionary journey 

Let’s start by understanding what we are up against. Ransomware extortion has developed over time with four distinct phases. Its earliest form is single extortion—deploying ransomware to encrypt and bar access to files, then demanding payment in exchange for decryption. 

Double extortion marks a turning point in ransomware’s ongoing evolution, where malicious actors go beyond encryption to exfiltrate and threaten to publicise an organisation’s data. Even if the victim manages to restore lost data, the threat of having sensitive information publicised lingers. Ransomware family DarkSide used double extortion in the recent high-profile attack on Colonial Pipeline, a major fuel supplier in the United States. 

First emerging in the latter half of 2020, triple extortion compounds the encryption and data exposure threats with additional Distributed Denial-of-Service (DDoS) attacks that could overwhelm a server or a network with traffic and further disrupt operations.

And finally, with quadruple extortion, ransomware operators reach out directly to a victim’s customers and stakeholders, adding more pressure to the victim. DarkSide—one of the first to employ quadruple extortion—launched DDoS attacks and directly contacted the victim’s customers through designated call centres.

This evolution of ransomware techniques demonstrates how quickly the cyber threat landscape is transforming, and APAC organisations cannot afford to be complacent. 

A bigger playing field

Apart from upgrading their tactics, ransomware operators are also taking advantage of the COVID-19 pandemic to target remote workforces. In tandem with the pandemic-driven rise in global ransomware incidents last year, CSA received reports of almost 75 percent more cases in Singapore from January to October 2020 than in the whole of 2019; the top three industries targeted were manufacturing, retail and healthcare.

While some of these are perpetrated by less skilled cybercriminals who rely on the Ransomware-as-a-Service (RaaS) model, businesses need to keep an eye out for highly sophisticated and organised malicious actors.

The Clop ransomware family first carried out double extortion in March 2020, and its extortion strategies have become progressively devastating. A group using Clop ransomware recently adopted a new modus operandi, searching for and exfiltrating data from top managers’ workstations that could be used to threaten, embarrass, or put pressure on them—using a new variant of quadruple extortion to target the same people who would most likely be authorising the ransom demand.

Clop has also changed tactics numerous times, from sending spear-phishing emails to maximise the chances of infection, to exploiting zero-day vulnerabilities in a legacy file transfer appliance product—the mechanism behind the data breach in February this year that affected the personal data of some 129,000 Singtel customers.

As new ransomware trends gain traction, the need to be vigilant against them has never been more acute. 

Standing up to malicious actors

To protect IT systems from malicious actors and promote business resilience, APAC organisations must adopt a proactive approach and work with their cybersecurity partners to review and assess their cybersecurity risk, security posture and the health of their security toolkits on an ongoing basis, and ensure that these meet the requisite standards.

First, regularly audit assets, data, event and incident logs to weed out unauthorised devices and software. Be deliberate in managing and reviewing hardware and software configurations—especially endpoint protection—and grant administrative access only when essential to an employee’s role. 

Second, patch and update software and applications promptly for the most up-to-date protection. Time is of the essence, as seen in the case of IT solutions provider Kaseya, which fell prey to ransomware attackers while fixing a number of zero-day vulnerabilities. Use predictive machine learning tools and behavioural monitoring features across the system’s multiple layers, and leverage multifactor authentication, data protection, backup, and recovery measures.

Third, learn to spot early signs of an attack, such as suspicious activity in the system. Examine and block malicious emails using sandbox analysis and enable advanced detection technologies powered by AI and machine learning. Furthermore, organisations should carry out regular security skills training and assessment, and conduct penetration tests to gauge the efficacy of their security setups.

Remember: even if an organisation can eventually recover its data or financial resources, the loss of trust among customers and partners is much harder to remedy. A robust framework of cybersecurity practices may require significant resources and long-haul efforts to transform workplace culture and practices, but this is our best bet for stopping pernicious ransomware threats at the door.
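The first and third steps above, auditing event logs and spotting early signs of an attack, come together in behavioural monitoring. The single-extortion stage described earlier is encryption, and its most visible early sign in file-audit logs is one process renaming many files to a new extension across many directories within seconds. The script below is an added example written for this article, not code from CSA or from any product it mentions. It assumes a constructed audit-log line format (`timestamp host= user= proc= action= path= newpath=`), and the window, threshold and directory-count values are illustrative assumptions that a team would tune against its own baseline; lines are expected to be in chronological order per host.

```python
"""Added example: sliding-window detector for mass file-extension changes,
an early behavioural sign of ransomware encryption, run over constructed
file-audit log lines. The log format and the thresholds are assumptions."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) audit line format; one file-system event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) '
    r'action=(?P<action>\S+) path="(?P<path>[^"]+)"(?: newpath="(?P<newpath>[^"]+)")?$'
)


def parse_event(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension_changed(ev):
    """True for a rename whose extension changes (e.g. report.xlsx -> report.xlsx.locked)."""
    if ev["action"] != "rename" or not ev["newpath"]:
        return False
    old_ext = os.path.splitext(ev["path"])[1].lower()
    new_ext = os.path.splitext(ev["newpath"])[1].lower()
    return old_ext != new_ext


def detect_encryption_bursts(lines, window=timedelta(seconds=60), threshold=20, min_dirs=3):
    """Return one alert per (host, user, process) whose extension-changing renames
    reach `threshold` inside a sliding `window` and touch at least `min_dirs`
    distinct directories. A person renaming a few drafts by hand stays below it."""
    recent = defaultdict(deque)   # key -> deque of (timestamp, directory)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not extension_changed(ev):
            continue
        key = (ev["host"], ev["user"], ev["proc"])
        q = recent[key]
        q.append((ev["ts"], os.path.dirname(ev["path"])))
        # Drop events that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        dirs = {d for _, d in q}
        if key not in alerted and len(q) >= threshold and len(dirs) >= min_dirs:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "user": ev["user"], "proc": ev["proc"],
                "count": len(q), "dirs": sorted(dirs),
                "first_seen": q[0][0], "last_seen": ev["ts"],
            })
    return alerts


def build_sample_log():
    """Constructed sample events: benign manual renames, an editor saving a file,
    and one process renaming 25 files across four directories in 25 seconds."""
    base = datetime(2021, 8, 2, 9, 0, 0)
    lines = []
    for i in range(3):  # benign: a user renames three drafts over ten minutes
        t = base + timedelta(minutes=3 * i)
        lines.append(f'{t.isoformat()} host=ws-17 user=alice proc=explorer.exe action=rename '
                     f'path="C:/Users/alice/Documents/draft{i}.txt" '
                     f'newpath="C:/Users/alice/Documents/draft{i}.md"')
    lines.append(f'{(base + timedelta(minutes=1)).isoformat()} host=ws-17 user=alice '
                 f'proc=winword.exe action=write path="C:/Users/alice/Documents/report.docx"')
    dirs = ["C:/Users/bob/Documents", "C:/Users/bob/Desktop", "F:/Shared/Finance", "F:/Shared/HR"]
    for i in range(25):  # suspicious burst from a single process
        t = base + timedelta(minutes=12, seconds=i)
        d = dirs[i % len(dirs)]
        lines.append(f'{t.isoformat()} host=ws-22 user=bob proc=unknown.exe action=rename '
                     f'path="{d}/file{i}.xlsx" newpath="{d}/file{i}.xlsx.locked"')
    return lines


if __name__ == "__main__":
    for alert in detect_encryption_bursts(build_sample_log()):
        print(f'ALERT {alert["host"]} {alert["user"]} {alert["proc"]}: '
              f'{alert["count"]} extension changes across {len(alert["dirs"])} directories '
              f'between {alert["first_seen"].time()} and {alert["last_seen"].time()}')
```

The detector alerts once per process as soon as the window fills, which is the moment a responder wants to isolate the host; Alice's three manual renames never reach the threshold, and the editor's `write` event is ignored because no extension changes. Because the check keys on host, user and process, the same logic applies whether the events come from an endpoint agent or a file-server audit trail, provided the feed is in time order.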