Preparing defences for triple extortion cyber-attacks

Ransomware attacks dramatically increased during the pandemic – the switch to hybrid working offered up lots of new opportunities to gain access to systems. If that wasn’t worrying enough, the days of simply locking someone’s data and then demanding a ransom in return for the encryption key are long gone.

Attackers have in the main replaced that model with a more damaging two-step approach that simultaneously paralyses a target’s system while surreptitiously extracting its data. This double extortion model contains the added threat of commercially valuable or confidential information being leaked online, which in turn offers up opportunities for enhanced ransom demands.

Cyber-criminals are nothing if not inventive; they’re always looking for the next development. As a result, things are about to get even more complicated: triple extortion has arrived and will pose a major challenge for businesses during 2022.

Targeting victims’ customers

This takes the two-step approach and adds in ransom demands directed at a victim’s customers and supply chain. The results can be catastrophic as cases so far have demonstrated.

For example, when a European healthcare provider was attacked in 2020, not only did the attackers demand ransom from the organisation, they also extorted the company’s patients, demanding payments to prevent the publication of their personal healthcare data. 

Triple extortion threats can be so effective for cyber-criminals because they target the groups that would be most impacted by a data breach and create additional pressure on the victim from its key stakeholders. The higher the number of people is that have something to lose, the higher the likelihood that someone succumbs to the pressure of ransom demands.

Building business resilience

The lesson that this, and attacks like it, teaches is that it is essential to build resilience into the heart of any data security implementation. Clearly, if systems are regularly backed-up it is relatively simple to get up and running if an attacker has encrypted your records. The gold standard for this approach is to regularly take immutable copies of your data.

However, that approach, although highly valuable, won’t stop an attack from happening and data from being leaked. Fortunately, there are tools that can monitor for and detect suspicious activity within an organisation, which look for signs of malware and ransomware operations. Much of this can be automated, which is essential as companies need to act quickly to prevent encryption and exfiltration taking place.

A lot of ransomware gets onto computers because users, employees and customers inadvertently download it. Despite awareness of the risks of clicking on unfamiliar links, people still do it, as today’s phishing attempts are well disguised.

Cyber-criminals are, however, increasingly targeting their ransomware – the old scatter-gun approach has been abandoned in favour a more focused methodology. The types of attacks are also getting more sophisticated.

A weakness at the joins

Security weakness often appear at the joins – between organisational divisions, between systems and across supply chains. While the security maturity of each part of a supplier network won’t be the same, cyber-criminals bet on one common trait – complexity.

And when networks and third-party relationships are established on complex infrastructures, there are many blind spots to hide under. As a result, there’s been an increasing focus on scrutinising the security standards that permeate supply chain to bolster defences and preparedness over the past couple of years.

For any approach to be effective, security has to be about raising the bar for everyone – uniformity is key as any dips in an implementation are potential points of access. That’s why everyone across the supply chain needs to be security savvy. There also needs to be a reporting process in place, so that everyone knows when there’s an issue, as well as a triage process that can rapidly assess the severity of an attack.

A good first move is to assess where companies are in terms of security preparedness and to identify where the gaps are as well as the types of data access controls that extend to supply chain partners.

This needs to be followed by engagement with all stakeholders, clear cooperation and an approach that embeds ‘zero trust’ – a framework or philosophy that fundamentally abandons the idea that you can trust anyone or anything as far as security is concerned. Everyone needs to be re-evaluated and re-authenticated and given the lowest set of system privileges required for them to operate. 

You’re always under attack

This approach also assumes the worst – that a breach is happening – it’s about spotting it rather than thinking ‘I can’t see an attack, I’m therefore okay’. Zero trust is philosophically the exact reverse of that. It asserts that every organisation is under attack – it is going on, it’s just a matter of how bad it might be. This makes it an ideal approach for supply chains and for staff working from home, the weak points where cyber-criminals can unleash an assault.

In a world of increasingly sophisticated cyber-attacks, which are now targeting companies, their clients, and their suppliers, it is essential to establish an approach to security that includes people, processes, and technology. All stakeholders need to be brought up to the same level of readiness as any weaknesses will be exploited and used as points of entry.

Triple extortion in 2022

Triple extortion ransomware will be a trend in 2022 as cyber

criminals seek to increase the ROI from their attacks. It should be no surprise for organisations to see cyber-criminals introducing new techniques and leveraging new technologies to extract their valuable data, and sadly there will be many that fall victim.

However, at the same time as attacks get more sophisticated, so do the tools to defend against them. The ripple effect of triple extortion ransomware attacks will force businesses to scrutinise their supply chains’ access to their data and the security and policy controls surrounding their trusted relationships.  It’s time to double down on the risk of triple extortion.

Martin Borrett, IBM Distinguished Engineer and Technical Director, IBM Security, UK and Ireland