Ransomware’s Dangerous New Trick Is To Double-Encrypt Your Data

Ransomware groups have always taken a more-is-more approach. If a victim pays a ransom and goes back to business as usual, hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time.

Double encryption attacks have happened before, but usually because two separate ransomware gangs compromised the same victim at the same time. Antivirus company Emsisoft, however, says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware.

“The groups are constantly trying to figure out which strategies are best, which earn them the most money for the least effort,” said Brett Callow, threat analyst at Emsisoft. “So in this approach you have a single player deploying two types of ransomware. The victim decrypts his data and discovers that it is not decrypted at all.”

Some victims receive two ransom notes at once, Callow says, which means the hackers want their victims to know about the double-encryption attack. In other cases, however, victims see only a single ransom note and discover the second layer of encryption only after paying to remove the first.

“Even in a case of standard single encryption ransomware, recovery is often an absolute nightmare,” Callow says. “But we see this double encryption tactic often enough that we think it’s something organizations should be aware of when considering their response.”

Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A, then re-encrypt that already-encrypted data with ransomware B. The other path involves what Emsisoft calls a “side-by-side encryption” attack, in which the attackers encrypt some of an organization’s systems with ransomware A and others with ransomware B. In this case, each file is encrypted only once, but a victim needs both decryption keys to unlock everything. The researchers also note that in this side-by-side scenario, attackers take steps to make the two separate strains of ransomware look as similar as possible, making it harder for incident responders to sort out what is going on.
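The practical consequence of both tactics is that a responder must not trust a decryptor’s “done” message: after peeling one layer, check whether the output is actually plaintext before paying or negotiating for anything else. The script below is an added example, not code from the article or from Emsisoft. It stands in for the attacker’s cipher with a toy SHA-256 keystream XOR (a placeholder so the output looks like ciphertext; it is not any real ransomware algorithm), uses constructed sample files and keys, and assumes hypothetical ransomware extensions `.lockA` and `.lockB` for the side-by-side inventory. It shows, for tactic 1, that a file with B’s layer removed still fails a plaintext check (no known header, near-8-bit entropy) until A’s layer is removed too, and for tactic 2, how to count the distinct strains across an estate so you know how many decryptors you actually need.

```python
import hashlib
import math
from collections import Counter

# File signatures a responder can use to judge whether a "decrypted" file is
# really plaintext again. Extend with whatever your environment actually holds.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/office",
}
ENTROPY_LIMIT = 6.0  # bits per byte; ciphertext sits near 8.0, most documents well below


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for a ransomware cipher (assumption, NOT a real strain):
    SHA-256 counter-mode keystream XORed into the data. Symmetric, so the same
    call with the same key also decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Empirical byte entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_decrypted(data: bytes) -> bool:
    """Heuristic plaintext check: a recognized header, or low byte entropy.
    A file that fails this after one decryptor ran still has a layer on it."""
    if any(data.startswith(sig) for sig in MAGIC):
        return True
    return shannon_entropy(data) < ENTROPY_LIMIT


def layered_encrypt(data: bytes, key_a: bytes, key_b: bytes) -> bytes:
    """Tactic 1: ransomware A encrypts, then ransomware B encrypts A's output."""
    return keystream_xor(keystream_xor(data, key_a), key_b)


def recovery_walkthrough(plaintext: bytes, key_a: bytes, key_b: bytes):
    """Victim obtains B's key first and peels that layer. Returns
    (plaintext_after_removing_B, plaintext_after_also_removing_A)."""
    victim_file = layered_encrypt(plaintext, key_a, key_b)
    after_b = keystream_xor(victim_file, key_b)   # B's decryptor reports success here
    after_a = keystream_xor(after_b, key_a)       # only now is the file usable
    return looks_decrypted(after_b), looks_decrypted(after_a)


def strains_present(file_names):
    """Tactic 2 (side-by-side): distinct ransomware extensions seen across the
    estate. Each one is a separate decryptor (and a separate negotiation)."""
    return sorted({name.rsplit(".", 1)[-1] for name in file_names if "." in name})


# Constructed sample data: a PDF-like file (caught by the header check) and a
# CSV (caught by the entropy check). Keys are made up for the demonstration.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 30,
    "ledger.csv": b"date,vendor,amount\n" + b"2021-05-17,ACME Corp,1234.56\n" * 30,
}
KEY_A = b"per-victim-key-of-ransomware-A"
KEY_B = b"per-victim-key-of-ransomware-B"

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        after_b, after_a = recovery_walkthrough(content, KEY_A, KEY_B)
        print(f"{name}: usable after B's key only? {after_b}; after both keys? {after_a}")
    # Hypothetical estate listing with two extensions, .lockA and .lockB
    estate = ["hr/payroll.xlsx.lockA", "fin/q1.pdf.lockB", "fin/q2.pdf.lockA"]
    print("strains to deal with:", strains_present(estate))
```

Grouping by extension is only a first cut; the article notes that side-by-side attackers deliberately make the two strains resemble each other, so also compare the ransom notes, the encrypted-file header layout and the binaries themselves before concluding you are dealing with one actor and one key.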

Ransomware gangs often operate on a revenue-sharing model, where a group builds and maintains a strain of ransomware, then leases its attack infrastructure to “affiliates” who carry out specific attacks. Callow says double encryption fits into this model by allowing customers who wish to launch attacks to negotiate splits with two gangs that can each provide a separate strain of malware.

Whether to pay a digital ransom is a thorny and important question. Ransomware victims who choose to pay should already be wary of the possibility that attackers won’t actually provide a working decryption key. The rise of double encryption adds a further risk: a victim could pay, decrypt their files once, and then find that they have to pay again for the second key. As a result, the threat of double encryption makes the ability to restore from backups more crucial than ever.

“Restoring from backups is a long and complex process, but double encryption doesn’t make it any more difficult,” says Callow. “If you decide to rebuild from backups, you start over no matter how many times the old data was encrypted.”

For ransomware victims who do not have adequate backups in the first place, or who do not want to take the time to rebuild their systems from scratch, double encryption attacks pose an additional threat. If fear of double encryption makes victims less likely to pay across the board, though, attackers could abandon the new strategy.
