After years of ransomware wreaking havoc on victims worldwide, threat actors doubled down with their extortion tactics earlier this year by introducing a new technique. This was previously described in the “2020: Not Your Father’s Ransomware” CYDERES technical blog post. It’s a relatively simple concept, with an innovative and ingenious spin on the traditional ransomware attack. Rather than just encrypting a victim’s sensitive data, the operators behind the attacks added the additional step of exfiltrating that sensitive data and threatening to leak the data if the requested ransom is not met. In the past, victims with access to system backups might be able to sneak by without paying the ransom. However, now they may have to consider paying because they are faced with the threat of their data being leaked. The risk of public disclosure and potential brand damage being leveraged in these attacks can be very lucrative for the operators behind these attacks.   


While the concept of double extortion might have been the first significant twist relating to ransomware we would come across the year; it would unfortunately not be the last. Adversaries have proven that they are opportunistic in nature and will exploit any avenue they can. COVID-19, perhaps being the most significant opportunity of all, has drastically impacted the cyber landscape. The shift to remote working has opened up a new assortment of security vulnerabilities and has left users increasingly vulnerable to phishing emails and malware-involved attacks as they perform work-related tasks on their home networks, which often have minimal security measures in place.  


The shift instigated by COVID-19, along with the opportunistic nature of malicious operators and other uncertainties in today’s world, has had a damaging impact on the cyber landscape worldwide. Research conducted by Check Point concluded that during the third quarter of 2020, there was a 50% increase in the daily average of ransomware attacks when compared to the first half of 2020. Additionally, the number of ransomware attacks that have plagued the United States has approximately doubled in the third quarter of 2020, making it the most targeted country for ransomware attacks. [source]

Figure 1: Check Point Research showcasing the rise of ransomware incidents


Now it is time to introduce the tried-and-true concept of distributed denial of service, or DDoS, extortion. The idea of this form of digital extortion is relatively straight-forward; if the victim gives the adversary what they request, then the adversary will not attack the victim. Victims will often receive communication from the adversaries threatening to unleash a wrath of junk traffic in a DDoS attack if the victim does not supply the adversaries with the ransom amount they request.


In a recent example of DDoS extortion, adversaries claiming to be affiliated with the Lazarus Group sent an extortion letter to Travelex in which they demanded 20 bitcoins, or approximately $200,000 at the time, and stated that the ransom would increase by 10 bitcoins every day that elapsed after the initial deadline. Travelex did not pay the ransom and instead chose to face the DDoS attack. The DDoS attack did not prove to be effective and is indicative of its spotty effectiveness. [source]


Similar to exfiltration, DDoS extortion on its own is nothing new or fancy. However, it is a means to add some extra leverage when demanding a ransom payment, which is all an adversary needs. If an organization is not willing to or does not need to pay to decrypt their data, they will perhaps pay to prevent a DDoS attack that could result in service downtime. Not to mention the downtime organizations may face from other consequences, such as further impacting their brand reputation.


At the beginning of October 2020, the security community observed one of the first attacks that leveraged the technique of combining ransomware and the threat of a DDoS attack. When negotiations stalled in a SunCrypt ransomware attack, the operators and its affiliates initiated a DDoS attack against the victim’s website. Upon logging back into the ransomware’s Tor payment site where the negotiations were being conducted, the victim was provided with an explanation that SunCrypt was responsible for the DDoS and threatened to continue the attack if negotiations did not resume. In this scenario, the SunCrypt operator’s use of this tactic to force negotiations was successful, as it ultimately led to the victim paying the demanded ransom. This technique was especially effective because the victim was a smaller organization. The combination of data theft, the threat of a data breach, a lack of access to encrypted files, and a DDoS attack could have completely caused them to shut down. [source

Figure 2: Communication between SunCrypt operators and their victim


The effectiveness of this technique boils down to simple principles. First, the adversaries must present a threat that introduces unacceptable consequences. It must be drastic because if it is not, no victim is going to pay the demanded ransom. In the case of DDoS extortion, it is the system and resource downtime, along with the consequences that come with it, that are unacceptable. Secondly, adversaries are going to have a much better shot of being successful if they can force the victim to react with emotion rather than logic. DDoS extortion attempts to accomplish this by setting deadlines, such as threatening to continue to increase the ransom demand as more and more time passes. This is more likely to elicit an emotional response from the victim because they might not have the opportunity to think rationally or even engage law enforcement. 


While the introduction of data exfiltration and DDoS extortion makes preventative efforts less cut-and-dry, there are still many measures and best practices that can and should be implemented to help mitigate these threats. Best practices for mitigating ransomware include network segmentation, the principle of least privilege, anti-malware software, up-to-date systems, and most importantly, backup solutions that are not only implemented but also practiced to ensure a smooth recovery. Besides using unique, complex passwords, enabling multi-factor authentication (MFA) where possible, and regularly applying security updates and patches to maintain a strong network security posture, knowing what a DDoS attack looks like and having a plan to react to it are important steps to take for mitigation.


Now that there are use cases and evidence to suggest that both the threat of data exfiltration and DDoS extortion are effective when it comes to providing additional leverage to persuade the victim to pay the ransom, it will likely be increasingly adopted. Not only that, but these tactics and techniques will continue to evolve in an attempt to stay one step ahead of defensive measures that could stand in the way of raking in a profit. Coupled with the additional challenges of a rushed transition to a remote workforce and everything else that has come along with the COVID-19 pandemic, some companies have been left in a vulnerable position. Combating the ever-changing cybersecurity threat landscape will require an extraordinary amount of creativity, perseverance, and collaboration from cyber professionals, business leaders, and organizations worldwide.


CYDERES is primed to help with threats like ransomware and can help organizations in situations like those detailed above. If you are interested in finding out more about how CYDERES can help your organization combat ransomware and beyond, fill out the form below.