Double Extortion: Ransomware’s New Normal Combining Encryption with Data Theft

‘Double extortion’ is the term given to an evolving ransomware tactic: first steal confidential data, then encrypt the victim’s files. If the victim doesn’t pay the ransom, expose the data.

The first published example of a double extortion attack, according to Check Point Research, came with the attack against Allied Universal in November 2019. When the firm declined to pay a massive ransom of 300 bitcoins (more than $2 million at today’s rates), the attackers hiked the ransom demand by 50%, and threatened to use stolen data together with stolen email and domain name certificates in a spam campaign impersonating Allied Universal.

To demonstrate their capability, the hackers published some of the stolen data, including contracts, medical records, and encryption certificates. In a later post on a Russian underground forum, they posted a link to “10% of data we have exfiltrated.” They added, “We give them 2 weeks until we send other 90% of data to wikileaks. Other 90% is a quite interesting part… Time is ticking.”

The ransomware used was Maze. Brian Krebs highlighted the Maze gang’s use of double extortion in December 2019, while Proofpoint appeared to give the same gang its own internal tracking name, TA2101, in November 2019. At the time, Proofpoint commented, “Between October 16 and November 12, 2019, Proofpoint researchers observed the actor sending malicious email messages to organizations in Germany, Italy, and the United States, targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing, and healthcare.”

Krebs reported that the Maze gang developed a website listing its victims who had declined to pay the ransom. Check Point demonstrates that this website is actively maintained. While it was originally listing eight victims who apparently “do not wish to cooperate with us”, there are now many more. One victim was BetUS, a major online gambling site registered in The Netherlands (WHOIS says the registrar is http://_domains_gesloten_cw; ‘gesloten’ is Dutch for ‘closed’). The website is owned and operated by Firepower Trading Ltd situated in Nicosia. There is no apparent admission of a security incident on the BetUS website — but TA2101 follows through with its threats.

According to reports in March 2020, the gang published proof of stolen data comprising almost 1 gigabyte that includes minutes of board meetings, bank forms and some passport scans of company executives. Interestingly, it doesn’t appear as if any personal customer data has yet been leaked — which could be because there was none stolen, or BetUS subsequently paid the ransom. Without clarification from BetUS (or the hackers) we will never know. SecurityWeek has asked for clarification from BetUS, and will append any reply to this article.

“Maze,” say the Check Point researchers, “has since published the details of dozens of companies, law firms, medical service providers and insurance companies who have not given in to their demands. It is estimated that many other companies avoided publication of their sensitive data by paying the ransom demanded.”

The biggest concern for enterprises is that the ‘double extortion’ approach seems to be spreading. One of the first hacking groups using the same tactic is the Sodinokibi/REvil group, which compromised Travelex  at the end of December 2019. Travelex had to shut down operations in early January, but was running before the end of the month — suggesting that it paid the ransom. In fact, The Wall Street Journal reported (paywalled) last week that Travelex paid a ransom of approximately $2.3 million in bitcoins. 

The REvil group also has a website, which it calls ‘Happy Blog’, where it publishes a list of its victims. “The National Eating Disorders Association was one of the last in the list of victim organizations,” says Check Point, “but has since been deleted from the REvil’s blog.”

Additional attackers that have joined the trend, says Check Point, “include Clop ransomware, Nemty, DopplelPaymer Mexican Oil Company Pemex Hit by Ransomware and more. Information published on these sites was soon found to be offered for sale by the ransomware group itself or by other criminals who collected the data from the dumpsites.”

On March 18, 2020, the Maze group released an official press release. Referring to the current COVID-19 pandemic, it announced, “We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus.” But this is not a complete amnesty— TA2101 is continuing to attack other organizations, while other hackers are still attacking healthcare institutions.

It may be that the evolution of double extortion is the natural evolution of ransomware — first from consumer attacks to targeted business attacks, and now with the added double jeopardy of data blackmail. This may be the new normal for ransomware.

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft 

Related: New Snake Ransomware Targets ICS Processes 

Related: Durham City, County Recovering After Ransomware Attack 

Related: Legal Services Firm Epiq Hit by Ransomware