Until recent times, ransomware was a relatively straightforward matter. An attacker would breach an organisation and encrypt critical data. Without a reliable or recent backup, that organisation would have few options to recover their data – other than to pay the ransom. This payment would be made WITHOUT any guarantee that the data could be recovered.
As organisations have become more diligent about backing up important data, they may be less likely to pay the ransom. As a result, cybercriminals have increased the capability of the ransomware used and revised their tactics to persuade the victim to pay the ransom.
Attackers may vow to publicly release the stolen data, try to delete any backups and even deploy distributed denial-of-service (DDoS) attacks to convince victims to give in to the ransom demands, says Sophos (1).
- Vowing to publicly release the data. A tactic employed by attackers is the double-extortion (2) ploy. In this case, the criminal vows to publish or auction the data online unless the ransom is paid. They are pressuring the victim to pay the ransom rather than risk embarrassment and possible legal repercussions if the data is leaked.
- Contacting employees directly. Attackers may contact senior employees to warn them that their own personal data will be leaked if the ransom isn’t paid. Thereby placing further pressure on an organisation.
- Contacting partners, customers and the media. In some cases, the attackers may threaten to contact business partners, customers and the media in an attempt to urge the victimised organisation to pay.
- Silencing victims. Many criminals will warn their victims to keep silent and not contact law enforcement officials or other parties to seek their aid in resolving the incident. They may threaten other actions if these demands are not followed.
- Recruiting insiders. Some criminals will try to convince employees or insiders to help them carry out a ransomware attack in return for money. The hope is that they’ll find some disgruntled or dishonest employee who will willingly exploit their own employer.
- Resetting passwords. After the initial attack, many ransomware operations will set up a new domain admin account then change the passwords for all other admin accounts. Doing this increases the difficulty in accessing the systems and restoring from a previous backup.
- Launching phishing (3) campaigns. In one incident noted by Sophos, attackers sent phishing emails to employees to trick them into running malware that compromised their email accounts and provided full access to their emails. The attackers then used those email accounts to contact the IT, legal, and security teams to warn of more attacks if the ransom wasn’t paid.
- Deleting backups. As ransomware attacks the victims network, they will delete or encrypt any backups found. In some cases they may also uninstall the backup software through social engineering (4) methods. In one case described by Sophos, the attackers used a compromised admin account to contact the host of the victim’s online backups and told them to delete the offsite backups.
- Sending physical copies of the ransom note. Some criminals will print copies of the ransom note sent to connected printers and point of sale terminals.
- Launching Distributed Denial-of-Service attacks. Several ransomware gangs have turned to DDoS attacks to try to convince stubborn victims to pay the ransom. These attacks can not only overwhelm the organisation’s web servers and distract IT and security staff with additional problems.
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (5)
Continued in Part2 where we discuss the steps you can take to defend yourself against ransomware. CLICK HERE TO READ PART 2