Double extortion – an emerging trend in ransomware attacks

Some cyber-attacks, like the Twitter hack in July 2020, make headlines because of the A-list celebrity victims involved. Some, like the Yahoo breach first disclosed in 2013, are high profile because of the staggering number of individuals whose personal data is jeopardised. Many, however, fail to reach the general public’s consciousness because, sadly, data breaches are now so commonplace. Globally, the number of publicly disclosed attacks rose by 273% in Q1 of 2020 compared with the same period last year. Occasionally, though, an attack captures the media’s attention because of the identity of the victim, for example the recent data breach which has shaken the reputation of the Ritz hotel in London.

On 12 August, cyber criminals posing as Ritz employees accessed the five-star establishment’s food and beverage reservation system, compromising customers’ personal data. Armed with this information, the fraudsters then committed a so-called ‘vishing’ fraud; by spoofing a hotel telephone number, they called those with upcoming reservations purporting to confirm their bookings by asking them to disclose their payment card details. Once in possession of those details, the fraudsters were able to spend thousands of pounds of victims’ money.

Eye-catching as the incident was, the Ritz fraud was actually quite simple in comparison to the sophisticated types of cyber-attack now taking place elsewhere. One of the most pernicious is the double extortion ransomware attack which emerged from the US in 2019.

Traditional ransomware was first seen in the late eighties and those distributing it – so-called ‘ransomware families’ – have been playing cat-and-mouse with cyber sleuths and security experts ever since. Its most recent incarnation – ‘double extortion’ – combines the traditional variant with a data breach, where the cybercriminals threaten to leak the stolen data unless their demands are met. Badging themselves with dystopian names such as Maze, Netwalker and REvil, these cyber fraudsters are increasingly brazen, displaying exfiltrated data like online trophies and even sponsoring underground hacking contests to showcase their malware.

For their victims, the consequences can be devastating; quite apart from the stress and anxiety for individual data subjects, corporates can be brought down by such incidents. Travelex, the currency exchange service, recently fell into administration with the loss of 1,300 UK jobs following a New Year’s Eve ransomware attack in which a cyber gang demanded the company pay $6 million within 48 hours or face publication of its customers’ credit card information, national insurance numbers and dates of birth.

Preventing such attacks in the first place is far better than mitigating their effects afterwards, with all the financial cost and reputational damage they entail. Most attackers gain access through human error and, along with technical measures such as internal data access management and regular backups, staff training and vigilance are key elements in any organisation’s defences. Those falling victim to these online highwaymen face an invidious choice: refuse to pay and face a catastrophic data breach with exposure to painful regulatory fines and civil claims, or pay the ransom without any guarantee of the data’s return. Firms relying on old insurance policies to cover the costs of an attack may be disappointed, with insurers baulking at increasingly large pay-outs. At least one insurer has called for annual cyber resilience reports from companies.

With ransomware attacks increasing exponentially, the Internet of Things is only likely to exacerbate the problem, and even the most commonplace interconnected devices are vulnerable to hackers intent on gaining access to organisations’ data. Earlier this year, to ensure baseline security measures for IoT devices, including hubs, smartphones and laptops, the Government proposed fresh regulatory measures, enforced by a watchdog with the power to issue recall notices and impose financial penalties for devices falling short of adequate standards. Highlighting the difficulty which legislatures experience in keeping pace with the ever-evolving nature of cybercrime, an IoT Code of Practice had first been published in March 2018, with more formal regulation floated as an idea well over twelve months ago. It is hoped that, when the new regulations are finally brought into force, they will make the work of cyber criminals significantly harder and fortify the safety of our personal data.

Julian Hayes is a Partner specialising in all aspects of corporate crime and regulatory work. As well as dealing with high profile fraud and corruption matters, including investigations with an international dimension, he has considerable experience of advising corporates on data protection and cybercrime issues.