Ransomware groups are always looking for one more approach. If a victim pays a ransom and then goes back to business as usual, they get hit again. Or the attackers don't just encrypt a target's systems; they steal the data first so they can threaten to leak it if the victim does not pay. The latest development? Ransomware operators encrypt a victim's data twice at the same time.
Double-encryption attacks have occurred in the past, often stemming from two different ransomware gangs compromising the same victim at the same time. But the antivirus company Emsisoft says it is aware of numerous incidents in which the same actor or group intentionally layers two types of ransomware on top of each other.
“The groups are constantly trying to work out which strategies work best, getting them the most money for the least effort,” said Emsisoft threat analyst Brett Callow. “So in this way you have an actor spreading two kinds of ransomware. The victim decrypts their data and finds out that it was never decrypted.”
Some victims get two notes simultaneously, according to Callow, meaning the hackers want their victims to know about the double-encryption attack. In other cases, however, victims see only one ransom note and learn about the second layer of encryption only after they have paid to get rid of the first.
“Even in the most common case of single-encryption ransomware, recovery is always an absolute nightmare,” Callow said. “But we’ve seen this double-encryption tactic enough that we feel it’s something organizations need to know when considering their response.”
Emsisoft has identified two distinct tactics. In the first, the attackers encrypt the data with ransomware A and then encrypt that already-encrypted data again with ransomware B. The other path is what Emsisoft calls a “side-by-side encryption” attack, in which some systems in an organization are attacked with ransomware A and others with ransomware B. In that case the data is encrypted only once, but the victim needs both decryption keys to unlock everything. The researchers also note that in this side-by-side scenario, attackers take steps to make the two types of ransomware look as similar as possible, making it even harder for incident responders to work out what happened.
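As an added illustration (not from the article or from Emsisoft), this is the check a responder would want before declaring recovery complete: after applying a decryption key, confirm the output actually looks like plaintext rather than a second layer of ciphertext. The XOR keystream cipher, the sample file, the keys and the entropy threshold are constructed stand-ins, not any real ransomware's scheme.

```python
import hashlib
import math
from collections import Counter

# Hypothetical header table; a real responder would use a fuller signature list.
KNOWN_MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x89PNG": "png"}

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for a ransomware file cipher (constructed for this example):
    XOR with a SHA-256-derived keystream. Symmetric, so it also removes a layer."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random-looking ciphertext sits near 8.0, text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_recovered(data: bytes, entropy_threshold: float = 6.5) -> bool:
    """A recognised file header or low byte entropy means plaintext; otherwise
    treat the file as still encrypted, i.e. a possible second layer."""
    if any(data.startswith(m) for m in KNOWN_MAGIC):
        return True
    return shannon_entropy(data) < entropy_threshold

def peel_layers(ciphertext: bytes, keys: list) -> tuple:
    """Apply the keys obtained so far, in order, and report after how many
    layers the file first looks like plaintext (0 = still encrypted)."""
    data = ciphertext
    for i, key in enumerate(keys, start=1):
        data = keystream_xor(data, key)
        if looks_recovered(data):
            return data, i
    return data, 0

# Constructed sample: a PDF-like document hit by ransomware A, then B on top.
SAMPLE_PLAINTEXT = b"%PDF-1.4\n" + b"Quarterly report: revenue, costs, headcount.\n" * 16
KEY_A, KEY_B = b"constructed-key-A", b"constructed-key-B"
DOUBLE_ENCRYPTED = keystream_xor(keystream_xor(SAMPLE_PLAINTEXT, KEY_A), KEY_B)

if __name__ == "__main__":
    _, n = peel_layers(DOUBLE_ENCRYPTED, [KEY_B])          # paid once: still encrypted
    print("plaintext after first key:", n != 0)            # False
    _, n = peel_layers(DOUBLE_ENCRYPTED, [KEY_B, KEY_A])   # both keys: recovered
    print("layers needed:", n)                             # 2
```

The same loop doubles as a triage step against the side-by-side variant: run it per host, and any host whose files never pass the check is a candidate for a second strain.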
Ransomware gangs often operate on a revenue-sharing model, in which one group builds and maintains a strain of ransomware and then leases the infrastructure to “affiliates” who carry out attacks on specific targets. Callow said double encryption fits this model: a customer who wants to launch an attack could negotiate deals with two gangs, each supplying a different malware offering.
The question of whether to pay a digital ransom is both thorny and essential. Ransomware victims who choose to pay should already be wary of the possibility that the attackers never provide a decryption key at all. The rise of double encryption as a strategy adds the further risk that a victim pays, decrypts their files once, and then finds out they will have to pay again for the second key. As a result, the threat of double encryption makes the ability to restore from backups more important than ever.
“Repairing backups is a highly complicated process, but double encryption is no more complicated,” Callow said. “If you decide to rebuild from backups, you start fresh, so it doesn’t matter how many times the old data is encrypted.”
For ransomware victims who don’t have adequate backups in the first place, or who don’t want to spend the time rebuilding their systems from scratch, double-encryption attacks present an added threat. If the fear of double-encryption attacks makes victims less willing to pay across the board, however, attackers may retreat from the new approach.