Approximately one year ago, Maze, the first large extortion-ransomware operation, came to the attention of the wider world, and since then nine other ransomware families have joined the trend. From Sodinokibi, the descendant of GandCrab, to the Maze attacks in the news, this new brand of evil is going to keep growing in popularity.
What is Extortionware?
Extortionware is a term coined to distinguish the variants of ransomware that not only encrypt your files but also steal them and “name and shame” you if you don’t pay the secondary fee they demand. The developers maintain a website that lists the names of infected companies that have not paid, together with the contents of all the data stolen from each victim.
Why is it more dangerous?
Historically, insider threats have been the biggest danger to companies, though arguably data exfiltration is a close second, as it can be caused by either insider or outsider threats. Extortionware combines all three: an insider threat (most of the infection vectors at this point are phishing emails, which depend on an employee acting on them), data exfiltration, and denial of service through encrypting critical systems and/or files.
Artisanal ransomware and Ransomware as a Service traditionally only blend insider threat and denial of service, leaving out the elevated danger of data exfiltration. All types of ransomware look for similar files: items marked financial, documents containing passwords, items that could be confidential, or items that contain PII (personally identifiable information). Ransomware developers are looking to cause you the most harm in order to force you to pay as much ransom as they possibly can.
But now extortionware takes this to another level: it takes all of the above-mentioned sensitive information and releases it. On average a victim is given 48 hours to pay, which is generally not enough time to perform incident response and certainly not enough time for authorities to investigate and prosecute.
Why this is a trending style
This tactic is much more effective because victims are under far more pressure to protect their assets when the threat of exposure comes with a hard time limit. Employees and clients trust the victim company to keep their data safe, and it is bad for business to be named and shamed for an infection by ransomware that was able to steal data so easily. This additional pressure makes paying both the ransom and the extortion fee more appealing as a way for victims to protect themselves.
How can you defend yourself?
This is a difficult question. There is no perfect answer for extortionware: once your files leave your environment, you have no legal way of regaining access to them or of rendering them useless to the attacker.
The best approach at this time is to reduce the risk of the initial infection: use a layered defense, tune your firewall, keep patches applied, deploy a SIEM, and use security professionals to monitor your network and make continual improvements to detection, among other risk management strategies.
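One concrete "improvement for detection" that targets the exfiltration stage described above is to watch outbound volume per host in the SIEM. The script below is an added example, not code from the original article: it parses a constructed key=value firewall export (the field names src, dst, dport and bytes_out are assumed, as are the sample lines and the thresholds), sums bytes leaving each internal host per day, and raises an alert when a host exceeds a daily volume threshold or pushes a large amount of data to a destination that is not in a known-good baseline. Those are the two signals a bulk-copy to an attacker-controlled drop site tends to produce before the encryption phase starts.

```python
"""Flag hosts whose outbound traffic looks like bulk data exfiltration.

Added example with constructed log lines and an assumed log format; it is a
simple SIEM-style rule, not the article's or any vendor's detection logic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Host 10.0.0.37 sends ~2 GB to an address never
# seen in the baseline; the other hosts show ordinary low-volume traffic.
SAMPLE_LOGS = """\
2020-05-01T01:02:03Z src=10.0.0.12 dst=198.51.100.20 dport=443 bytes_out=120400
2020-05-01T01:05:41Z src=10.0.0.12 dst=198.51.100.20 dport=443 bytes_out=98210
2020-05-01T02:13:44Z src=10.0.0.37 dst=203.0.113.7 dport=443 bytes_out=734003200
2020-05-01T02:20:10Z src=10.0.0.37 dst=203.0.113.7 dport=443 bytes_out=812345678
2020-05-01T02:31:00Z src=10.0.0.37 dst=203.0.113.7 dport=22 bytes_out=655360000
2020-05-01T03:00:00Z src=10.0.0.51 dst=198.51.100.20 dport=443 bytes_out=2048
2020-05-01T03:00:05Z src=10.0.0.51 dst=192.0.2.99 dport=443 bytes_out=30000
"""

# Assumed line layout: ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_logs(text):
    """Parse key=value lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a bad line must not take the whole detector down
        events.append({
            "day": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date(),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        })
    return events


def detect_exfiltration(events, baseline_dsts, daily_threshold, new_dst_threshold):
    """Return one alert per (src, day) whose outbound volume is suspicious.

    baseline_dsts: destinations already seen in normal traffic.
    daily_threshold: bytes per host per day above which an alert fires.
    new_dst_threshold: bytes to a single non-baseline destination that fire.
    """
    per_src_day = defaultdict(int)
    per_src_day_dst = defaultdict(int)
    for ev in events:
        per_src_day[(ev["src"], ev["day"])] += ev["bytes"]
        per_src_day_dst[(ev["src"], ev["day"], ev["dst"])] += ev["bytes"]

    alerts = []
    for (src, day), total in sorted(per_src_day.items()):
        # Bytes this host sent to destinations outside the baseline.
        new_dsts = {
            dst: b for (s, d, dst), b in per_src_day_dst.items()
            if s == src and d == day and dst not in baseline_dsts
        }
        reasons = []
        if total >= daily_threshold:
            reasons.append("daily_volume")
        if any(b >= new_dst_threshold for b in new_dsts.values()):
            reasons.append("large_transfer_to_unseen_destination")
        if reasons:
            alerts.append({
                "src": src,
                "day": day.isoformat(),
                "total_bytes": total,
                "new_destinations": sorted(new_dsts),
                "reasons": reasons,
            })
    return alerts


def run_sample():
    """Run the rule over the constructed sample with assumed thresholds."""
    return detect_exfiltration(
        parse_logs(SAMPLE_LOGS),
        baseline_dsts={"198.51.100.20"},      # seen in normal traffic
        daily_threshold=500 * 1024 * 1024,    # 500 MiB per host per day
        new_dst_threshold=10 * 1024 * 1024,   # 10 MiB to a never-seen host
    )


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production the baseline set and thresholds would be learned from a few weeks of the organisation's own traffic rather than hard-coded, and the per-day bucket would normally be a shorter sliding window so that a transfer finishing overnight still fires before the 48-hour deadline runs out; the structure of the rule stays the same.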