Researchers at Check Point have identified a growing trend for a new ransom-ware tactic. In what researchers call “double extortion,” the new tactic involves threat actors adding an additional stage to a ransom-ware attack: prior to encrypting a victim’s database, hackers will extract large quantities of sensitive information, threatening the publication of it unless ransom demands are paid, placing more pressure on victims to meet the demands of threat actors.

To prove the validity of the threat, threat actors leak a small portion of sensitive information to the dark web, dangling intimidation that more is to follow if ransom goes unpaid.

The “Double Extortion” Process

  1. Threat actor gains entry into a victim’s network
  2. Threat actor extracts sensitive data, such as customer details, financial and employee details, patient records, and more
  3. Threat actor encrypts the files and demands ransom from victim
  4. Threat actor threatens leak of gathered sensitive data
  5. To prove validity of threat, threat actor leaks small portion of extracted information to dark web

The first published case of double extortion took place in November 2019 and involved Allied Universal, a large American security staffing company. When the victims refused to pay a ransom of 300 Bitcoins (approximately US$2.3 million), attackers, who used ‘Maze’ ransom-ware, threatened to use sensitive information extracted from Allied Universal’s systems, as well as stolen email and domain name certificates, for a spam campaign impersonating Allied Universal.

Countering ransom-ware, malware threats

It is estimated that many other companies avoided publication of their sensitive data by paying the ransom demanded

To prove their point, the attackers published a sample of the stolen files including contracts, medical records, encryption certificates and more. In a later post on a Russian hacking forum, the attackers included a link to what they claimed to be 10% of the stolen information as well as a new ransom demand that was 50% higher. Maze has since published the details of dozens of companies, law firms, medical service providers and insurance companies who have not given in to their demands. It is estimated that many other companies avoided publication of their sensitive data by paying the ransom demanded.

Other cybercriminal groups have followed the new double extortion tactic, opening their own sites to publish and leak stolen information as a means to apply additional pressure on their victims to pay ransom. Attackers utilising Sodinokibi ransom-ware (aka REvil) published details of their attacks on 13 targets, as well as proprietary company information stolen from the targeted organisations. The National Eating Disorders Association was the last in the list of victim organisations.

Data security

Additional attacks that have joined the trend include Clop ransom-ware, Nemty, DopplelPaymer and more. Information published on these sites was soon found to be offered for sale by the ransom-ware group itself or by other criminals who collected the data from the dumpsites.

“Double Extortion is a clear and growing ransom-ware attack trend. We saw a lot of this during Q1 2020. With this tactic, threat actors corner their victims even further by dripping sensitive information into the darkest places in the web to add weight to their ransom demands,” said Check Point’s Manager of Threat Intelligence, Lotem Finkelsteen.

Importance of cyber security

He adds, “We’re especially worried about hospitals having to face this threat. With their focus on coronavirus patients, addressing a double extortion ransom-ware attack would be very difficult. We’re issuing a caution to hospitals and large organisation, urging them to back up their data and educate their staff about the risks of malware-spiked emails.

Ransom-ware attacks have affected more than 1,000 health care organisations in the US alone since 2016

Ransom-ware attacks have affected more than 1,000 health care organisations in the United States alone since 2016, with costs totaling more than US$ 157 million, according to a recent analysis. In 2017, dozens of British hospitals and surgeries were affected by ransom-ware known as WannaCry, which resulted in thousands of canceled appointments and the closing of some accident and emergency departments. In 2019, several U.S. hospitals had to turn away patients after another spate of ransom-ware attacks.

Enhancing healthcare and enterprise security

In the ongoing fight against constantly-evolving ransom-ware tactics, the best defence is to prevent becoming a victim in the first place. Check Point has previously detailed its best practices to help you avoid being a ransom-ware victim, but to recap:

  • Back Up Your Data and Files - It’s vital that you consistently back up your important files, preferably using air-gapped storage. Enable automatic backups, if possible, for your employees, so you don’t have to rely on them to remember to execute regular backups on their own.
  • Educate Employees to Recognise Potential Threats - The most common infection methods used in ransom-ware campaigns are still spam and phishing emails. Often, user awareness can prevent an attack before it occurs. Take the time to educate your users, and ensure that if they see something unusual, they report it to security teams immediately.
  • Limit Access to Those That Need It - To minimise the potential impact of a successful ransom-ware attack against your organisation, ensure that users only have access to the information and resources required to execute their jobs. Taking this step significantly reduces the possibility of a ransom-ware attack moving laterally throughout your network. Addressing a ransom-ware attack on one user system may be a hassle, but the implications of a network-wide attack are dramatically greater.
  • Keep Signature-Based Protections Up-To-Date - While signature-based protections alone are not sufficient to detect and prevent sophisticated ransom-ware attacks designed to evade traditional protections, they are an important component of a comprehensive security posture. Up-to-date antivirus protections can safeguard your organisation against known malware that has been seen before and has an existing and recognised signature.
  • Implement Multi-Layered Security, Including Advanced Threat Prevention Technologies - In addition to traditional, signature-based protections like antivirus and IPS, organisations need to incorporate additional layers to prevent against new, unknown malware that has no known signature. Two key components to consider are threat extraction (file sanitisation) and threat emulation (advanced sandboxing). Each element provides distinct protection, that when used together, offer a comprehensive solution for protection against unknown malware at the network level and directly on endpoint devices.
Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

In case you missed it

HID shares tips for returning to the workplace post-COVID-19
HID shares tips for returning to the workplace post-COVID-19

Sooner or later (hopefully sooner), the novel coronavirus global pandemic will allow workplaces to reopen. But as we move into this recovery phase, there are many questions surrounding the transition. How can companies ensure facilities are in acceptable working order to reopen? How do they decide who is coming back and when? How will social distancing impact the operation of a company’s physical access control system? How can companies ensure that both visitors and employees are aware of the policy changes and extra controls? For answers to these and other salient questions, we called on Ian Lowe, Product Marketing Director of HID SAFE Identity and Access Management (IAM) solutions. “There’s no doubt about it: the global pandemic will change the way we live, work, and conduct business for some time,” says Lowe. “Over the past several weeks, we have been working with customers to enable a safe return to the workplace. We have observed that the number of challenges in the mid-to-long-term level and the associated complexity vary by location.” Lowe shares some of the proactive measures and best practices that can assist in a safe return to the workplace as we settle into a “new normal”. Challenge 1: Ensuring building readiness After being unoccupied for weeks or months, building readiness must be addressed completely before welcoming anyone inside. Even though employees may be eager to return, the workplace itself may not be ready. Companies may want to consider continuing remote work while facility operations are prepped. Challenge 2: workforce management There’s no doubt about it: the global pandemic will change the way we live, work, and conduct business for some time While it is dependent on location and industry, taking a phased approach is the best course of action when allowing employees, contractors and visitors back into facilities. First, facilities management will want to survey the property for readiness and then provide an estimate as to when employees may begin reporting back into the office. Next, it’s important to consider that office density needs are interrelated to the facility architecture. It is possible to accommodate a higher capacity of workforce in an airy, open office space than in a constrained one. A good rule of thumb is to start by introducing no more than 30% of employees back into the workplace at first. This could be a rolling group model in which the population total remains controlled and constant, but specific individuals vary from day to day. This option is good for a workforce that needs to be together in person but not necessarily all at the same time due to office density concerns. Welcoming visitors or customers into the office should be delayed as long as possible. If that’s not feasible, visitor numbers should be factored into the total density count. A cloud-based visitor management system can help with implementation. Challenge 3: Controlling access The ability to vet staff, employees, contractors and visitors before and during the return will vary greatly depending on the location. Policies should be implemented that require employees to be screened regularly — and for an extended amount of time. Look to answer the following questions: Where have you visited in the days since last entering the workplace? Have you come into contact with anyone else who has recently visited high-risk areas? Have you shown any symptoms of infection in the past xx number of days? Policies should be implemented that require employees to be screened regularly — and for an extended amount of time If there is cause for concern, refuse the visitor and/or supplement the screening process with additional steps. Temperature checking is mandatory in many organisations⁠— often multiple times a day. This applies to interactions at delivery bays, too. A policy-based physical identity and access management solution integrated with existing physical access controls makes it possible to enforce, monitor and report this type of activity. Challenge 4: Social distancing and contact tracing plan Social distancing may continue within the office, which will impact restrictions and guidelines related to access control. The office layout may be reworked for proper distance between cubicles, workplace positions and employees. Specific entrances, exits and pathways may be designated as one-way-only. Assigning Bluetooth LE beacons to employees once they are inside the workplace will allow companies to monitor proximity to others and measure localised density in real-time⁠ by using location services, contact tracing, and surge response technologies. Challenge 5: Reduced physical touchpoints Contactless technologies can help enforce social distancing and reduce touchpoints on common surfaces Reducing the number of physical touchpoints is desirable throughout a workplace. Contactless technologies can help enforce social distancing and reduce touchpoints on common surfaces such as faucets, doorknobs, coffee pot handles, etc. While introducing additional security checks and screenings, it’s important to not increase touchpoints and further infection risks. There have been more requests for a contactless experience to secure workplace access, including automatic doors and turnstiles, contactless cards and mobile access. Challenge 6: Communicating for confidence Proactive communication is key to provide reassurance that appropriate safety measures have been taken and that both visitors and employees are aware of the policy changes and extra controls. Equally important is to communicate a policy change – and the reasoning behind it – before it happens. While there may not be an exact expiration date on these new policies, ensuring that impacted individuals will have a safer experience is universally appreciated.

Elevated temperature screening is paving the way to Britain’s reopening
Elevated temperature screening is paving the way to Britain’s reopening

Technology has played a vital role in how businesses have enabled their employees to work productively from home during the COVID-19 pandemic. For those of us who can do our jobs from home you only have to look at the ‘Zoom Boom’ to see how much our working lives have changed compared to the beginning of the year. Despite the fact that those companies that can are now productively and efficiently operating remotely, the country is now facing the next challenge in this crisis: how to safely reopen workplaces for those who can’t. There is no argument that the economy hasn’t taken a hit during this unpredictable time. Shops, restaurants and entertainment facilities have been forced to close, and 23% of the country’s workforce (6.3 million people) has been furloughed. It’s no surprise that the Bank of England has warned that the UK is heading towards its sharpest recession on record. To counter this economic risk, the government is taking steps to slowly and cautiously reopen the economy by easing lockdown measures, sending people back to work and allowing businesses to reopen. With non-essential retail outlets now able to open from the 15th June, the question business owners face is how to operate safely and maintain social distancing practices, which are set to remain in place until such time as a vaccine is widely available. With lockdown easing and a ‘new normal’ on the horizon, the health of the country’s workforce mustn’t be forgotten in a bid to save the economy. This is why technology that can allow for a controlled return to work, while mitigating any risks to the health of consumers and employees, must play a part in the easing of lockdown. Temperature screening in the new normal Elevated temperature screening is one technology that should play a key part in return to work strategies and the safe reopening of businesses. This valuable solution uses a thermal and optical camera to analyse body temperature, which is a key indicator of the presence of a potential illness, and discreetly alerts the operator when the set temperature threshold is exceeded by someone screened by the tool. With temperature screening technology in place, the exposure of potentially infected individuals to others can be dramatically decreased and the risk of a localised outbreak minimised. Furthermore, for businesses such as retailers whose success is dependent on customers feeling safe to visit the premises, it has the added benefit of giving them additional assurances that visible measures for their protection are in place. In combination with other solutions, such as vigorous testing and screens to protect employees and customers, returning to work can be safe and controlled. With temperature screening technology in place, the exposure of potentially infected individuals to others can be dramatically decreased The reality of a ‘new normal’ may already be visible in some industries, such as grocery retail where one-way systems, plastic screens and constant cleaning are already in place. However, elevated temperature screening has countless applications for both essential and non-essential industries, ranging from offices and train stations, to hospitals and pharmacies. This screening technology allows businesses to take preventative steps to minimise the chances of the wider workforce and customers coming into contact with someone exhibiting symptoms of a potential illness. A number of businesses are already deploying this technology, such as Vodafone, which has deployed heat detection cameras at key UK sites to protect its employees. The camera used by the telco can screen up to eight people at once and 100 people per minute, while judging body temperature in less than half a second – all of which makes it ideal for congested and high traffic areas. Not all solutions are created equal Over the past few months, we have been inundated with images and videos of temperature screening taking place within key industries, which have continued to operate through the pandemic. However, the hand-held thermometers commonly being used require the device to be within an extremely short range of the subject and are only able to screen one person at a time. This is why remote elevated temperature screening solutions are so valuable – especially given that social distancing guidelines are unlikely to be relaxed in the near future. Stand-off solutions can enable temperature screening to take place without the need for close human interaction, further safeguarding employees and reducing the risk of contact with potentially infected individuals. Elevated temperature screening has countless applications for both essential and non-essential industries, ranging from offices and train stations, to hospitals and pharmacies Along with remote capabilities, there are a number of other crucial factors to take into account. The solution must be quick and easy to implement, as well as being highly accurate. When paired with a blackbody, the accuracy of temperature screening solutions can be within 0.3°C. Connectivity is also key and adopting an end-to-end solution linked to a centralised command and control location is invaluable. With holistic connectivity, these solutions can encompass cameras installed in multiple locations, and alarms can be viewed locally, remotely or on a smartphone app. This means that staff don’t need to provide direct supervision to the device on-site. With the guidelines regarding which industries and sectors can reopen changing on an almost daily basis, it’s important that these protective solutions can be installed without overhauling the surveillance infrastructure already in place. Looking ahead, adopting a solution with an upgrade path to other enhancements, such a facial recognition, is favourable as they can be used in conjunction with future and existing security measures.  Shop local Stand-off solutions can enable temperature screening to take place without the need for close human interaction Businesses have plenty on their minds as they prepare for the uncertainty that is sure to continue throughout the rest of the year and beyond. However, due diligence can’t be left to the wayside when looking to adopt an elevated temperature screening solution. There are high-risk vendors present in the market, many of which have been blacklisted in the US, and they must be given a wide berth. Buying British-made technology can alleviate these security concerns, as well as avoiding any logistical issues caused by the breakdown of global supply chains.  As the economy cautiously reopens, the country will have to adapt to a ‘new normal’ over the coming months. Elevated temperature screening solutions should be implemented by businesses to protect the health of the workforce and customers alike – ultimately paving the way to a safe and controlled return to work.

Which security technology is most misunderstood, and why?
Which security technology is most misunderstood, and why?

The general public gets much of its understanding of security industry technology from watching movies and TV. However, there is a gap between reality and the fantasy world. Understanding of security technologies may also be shaped by news coverage, including expression of extreme or even exaggerated concerns about privacy. The first step in addressing any challenge is greater awareness, so we asked this week’s Expert Panel Roundtable: Which security industry technology is most misunderstood by the general public and why?