The rise of quadruple extortion ransomware and how to protect against it

We’ve all heard about ransomware, but are you aware of the latest tactics that cybercriminals use to pressure you to pay?

Gone are the days when an encryption attack simply locked up your files, followed by a ransom note demanding a cryptocurrency payment to get the decryption key to unlock your files. Cybercriminals now commonly use additional tactics to ratchet up the pressure on you — ensuring that even if you can recover from the encryption attack, you will still have powerful incentives to pay the ransom anyway.

This article will look at what makes these new tactics so dangerous, and how you can protect your business against them.

Ransomware gangs have evolved attacks to become more sophisticated and more damaging to organizations. The terms double, triple, and quadruple extortion are used to describe the evolving tactics used by cybercriminals to extort money from their victims — even if they can successfully restore their critical data and uptime from the initial encryption attack. The first three of these tactics are increasingly common, with many known case studies of their actual use.

• Single extortion ransomware, or a traditional ransomware attack, encrypts the victim's files and then demands a ransom to decrypt them. Victims typically cannot defeat the strong encryption used to lock up their files without paying a ransom in return for the decryption key. This tactic has been weakened recently by the effective use of data protection — in the form of well-implemented and -tested backup technology and processes — to recover encrypted systems and data. Further, increased cooperation between law enforcement, tech vendors and the user community to share decryption keys uncovered in the response to earlier attacks enables some targets to decrypt their files without paying the ransom.

• Double extortion ransomware attacks are an increasingly common tactic developed in response to the growing success of restoral from backups to recover encrypted data and resume business operations without paying a ransom. This tactic relies on the attackers’ ability to stealthily exfiltrate a large amount of sensitive data from the target before triggering the encryption attack. The ransom demand now includes a threat to publicly release this data if the victim fails to pay up. This can be extremely effective, as disclosure of the data can expose the target to a variety of adverse consequences, including: loss of customer and partner trust; damage to a publicly traded company’s stock price; exposure of competitively sensitive information like unannounced product, sales and marketing plans; and exposure of embarrassing information like sensitive emails. Businesses in regulated industries may also face compliance sanctions, e.g., the European Union’s GDPR expects any business with E.U.-resident customers to protect the privacy and accessibility of customer data. The HIPAA compliance standard imposes fines on U.S.-based healthcare providers that fail to protect the privacy of patient data.

• Triple extortion ransomware attacks take the double extortion threat to another level: the attacker contacts the victims' customers and partners, notifying them that some of their sensitive data held by the target is also under threat of public disclosure. The attackers suggest that these customers and partners should contact the target and encourage it to pay the ransom, lest they suffer similar consequences from their own data’s public disclosure.

To recap the use of these tactics in sequence:

• Ransomware operators achieve initial access by compromising the target’s external defenses to install encryption malware, most commonly via a phishing email in which an unsuspecting user clicks on a malicious link or attachment. This malware quietly encrypts the target system’s files before presenting a demand for a ransom payment in cryptocurrency (or less commonly, another hard-to-trace payment vehicle like retail gift cards) in return for the decryption key.

• More sophisticated versions of ransomware may propagate over the initial target’s local network, encrypting other desktops, laptops and servers. Many versions seek out and encrypt backup archives, shadow copies and other resources that might be used to restore encrypted files.

• Prior to triggering the encryption attack, ransomware operators quietly exfiltrate a large amount of sensitive data, typically copying it externally to a cloud server they control. This may include living-off-the-land (LoL) tactics, in which the attacker commandeers an IT tool normally used for beneficial purposes (e.g., backup software) to aid the exfiltration in a way that is harder to detect. They then proceed with the encryption phase of the attack.

• The ransom note, presented once the target files are locked up, now includes the threat to publicly disclose the victim’s sensitive data if the ransom is not paid.

• After conducting the phases of the double extortion attack, the ransomware operator contacts the target's customer and partners, notifying them that it has sensitive data related to them that would also be disclosed if the victim fails to pay the ransom. These “collateral victims” are encouraged to contact the victimized organization, to urge it to pay the ransom and protect their information.

• In addition to the tactics described in any of the above three attacks, the ransom note includes a threat to bring down the target’s public-facing servers with a distributed denial-of-service (DDoS) attack if it fails to pay the ransom.

Single and double extortion tactics are the most commonly seen at present, with triple extortion growing in use. Quadruple extortion remains the rarest of these tactics, though recent cybersecurity analysis show its growth in popularity as attackers seek new ways to ensure and speed up ransom payments.

The rise of new ransomware extortion tactics increases the urgency on businesses to shore up both the defenses to prevent ransomware attacks from succeeding, as well as their ability to recover from an attack, if one manages to elude those defenses.

It is worth noting that ransomware gangsters are highly opportunistic, targeting businesses of every size, in every geography, and in every industry. Certain industries are favored targets. for example, healthcare institutions face life-and-death consequences if critical systems go down; financial institutions are subject to multiple industry and government regulatory regimes; educational institutions suffer from tight budgets and students careless of cybersecurity issues; and technology companies face greater reputational harm if they are exposed as victims of cybercrime. But successful attacks occur in every sector, and small- and medium-sized businesses account for 75% of successful attacks, as these organizations often lack the resources and skills to mount effective cybersecurity defenses and recovery operations.

Recent research and news reports underscore the increasing frequency, sophistication and scale of ransomware attacks:

• Ransomware-adjacent DDoS attacks increased by 29% in the fourth quarter of 2021, according to a Cloudflare report published in January.

• Bandwidth.com, a global cloud communications company, reported losses of between $9 and $12 million due to a DDoS attack. This was just one of many attacks against companies, some of which included multi-million-dollar ransom demands.

• The Register reported that U.K.-based VoIP Unlimited was hit with a "colossal ransom demand" after a DDoS attack, while Canadian provider VOIP.MS was hit with a $4.2 million DDoS ransom. It took almost two weeks for the company to restore customer service.

• The BlackCat ransomware group employs quadruple extortion techniques to pressure victims into paying ransoms. Recently, the ransomware group increased its stakes to $2.5 million.

Since not all ransomware attacks are reported, it is difficult to estimate the average ransomware payment. The cost varies greatly based on the size and nature of the organization targeted, the amount of data encrypted and the ransom demand. But the aggregate total currently amounts to tens of billions of dollars per year.

To mitigate the risk of falling victim to ransomware attacks of every kind, business must invest in both cybersecurity defenses and data protection measures to ensure they can not only repel attacks, but recover quickly from attacks that do manage to succeed.

A comprehensive defense-in-depth plan to minimize the risk of data loss and downtime from ransomware attacks includes the following steps:

• Regularly back up your data. Make sure to store your backups in a secure location that is not connected to your network. This will ensure that you can restore your data even if your network is compromised.

• Implement security measures such as email filtering, spam blocking, multifactor authentication and universal decryption keys to reduce the chances of malicious emails reaching employees' inboxes.

• Make sure to keep all your software — including operating systems, web browsers and applications — up to date with the latest security patches. This will prevent attackers from exploiting known vulnerabilities to gain access to your systems.

• Use antivirus and anti-malware software to detect and prevent ransomware attacks. Keep your antivirus and anti-malware software up to date with the latest virus definitions.

• Implement network security measures such as firewalls, intrusion detection and prevention systems, and network segmentation to prevent attackers from gaining access to your systems.

• Deploy anti-DDoS measures to reduce the risk of attacks on public-facing servers.

• Educate employees about the risks of ransomware attacks and how to avoid them. Teach them how to recognize phishing emails and suspicious links and report any suspected attacks.

• Have an incident response plan in place in case of a ransomware attack. This should include steps to isolate the infected systems, disconnect from the network and notify law enforcement. Having a plan for restoring your data from backups is also important.

Acronis Cyber Protect is an integrated cyber protection solution that helps defend businesses against all types of ransomware. It uses a combination of machine learning and artificial intelligence to detect and block ransomware attacks while providing recovery options in the event of an attack.

Acronis Cyber Protect detects and blocks ransomware attacks using a multilayered approach. Heuristics and signature-based detection identify known ransomware threats, while behavioral analysis and machine learning technologies can detect even never-before-seen threats. The solution uses artificial intelligence to monitor behavior changes that could indicate an impending attack.

In the event of an attack, Acronis Cyber Protect provides several options for recovery. For example, it can restore individual files or folders that have been encrypted and entire systems. It also offers the ability to roll back changes made by the ransomware so that you can return to a previous version of your data before the attack occurred.

Ready to improve your security against modern cyberthreats while streamlining efficiency of management? Book your free spot in our next engineer-led demo of Acronis Cyber Protect.