2 Warning Signs of Double-Encryption Ransomware
“Let’s take a pause. Do not be in a rush to pay the ransom. It could be a double-encryption event.” These words should be on the tip of the tongue following discovery of a ransomware message flashing across the screen.
Double encryption, a variant of the double-extortion tactics first used in 2019, is on the rise. Double extortion pairs file encryption with the theft of data and a threat to publish it; double encryption adds a second trick on top. In a double-encryption event the criminals lay two layers of encryption, under two different keys, over the victim's data. The victim is initially told to pay one ransom in exchange for the key that unlocks the data. Once the money is paid, one key is provided; once it is used, the files are still unreadable and a second message appears on the screen in which the demand is often doubled (or multiplied again).
Remember, ransomware is illegal, and entering a business arrangement with criminals will rarely elicit the desired result. There is no guarantee that paying any ransom demand, whether for the first layer or the second, will release encrypted data. According to Trend Micro (a security vendor), 35 ransomware groups have a record of double extortion, including, but not limited to, DarkSide, Conti, Ryuk, and REvil (some of the more famous names). DarkSide used double extortion against Colonial Pipeline.
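The mechanic described above, and the check a responder should run before trusting any key the criminals hand over, as an added example that is not part of the original article and not code from any ransomware group. The cipher is a toy SHA-256 counter-mode keystream so the script runs offline with only the standard library; real ransomware uses different ciphers. The sample document, the keys, the entropy threshold and the small magic-byte table are all constructed for the illustration.

```python
"""Toy model of a double-encryption ransomware event, plus the check a
responder runs on a decryptor's output before paying anything further.

Example added to this article; not tooling from any ransomware group.
The cipher is a placeholder (SHA-256 counter keystream, XORed in) so the
script runs with the standard library only. Sample data is constructed.
"""
import hashlib
import math
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream.
    Encryption and decryption are the same operation (assumption: toy only)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, well below
    that for text, office documents and most other real files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# A few file signatures a responder can check on a decryptor's output.
# Constructed, minimal table; extend it for the file types in your estate.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip / office document",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def looks_like_plaintext(data: bytes, threshold: float = 7.5) -> bool:
    """Accept a decryptor's output only if it carries a known signature
    or its entropy is clearly below ciphertext levels (threshold assumed)."""
    if any(data.startswith(magic) for magic in MAGIC):
        return True
    return shannon_entropy(data) < threshold


def double_encrypt(plaintext: bytes, inner_key: bytes, outer_key: bytes) -> bytes:
    """Two layers, two keys. The outer layer is the one the first ransom
    'buys'; the inner layer is what the second demand is priced on."""
    return keystream_xor(outer_key, keystream_xor(inner_key, plaintext))


def simulate_event():
    """Walk through the event and return what the check says at each step."""
    # Constructed sample: a PDF-like document with low-entropy content.
    document = b"%PDF-1.7\n" + b"Quarterly invoice data " * 200
    inner_key, outer_key = os.urandom(32), os.urandom(32)
    encrypted = double_encrypt(document, inner_key, outer_key)

    # First ransom paid, first key delivered: the victim 'decrypts'...
    after_first_key = keystream_xor(outer_key, encrypted)
    # ...and checks the output before doing anything else. It is still
    # ciphertext: no signature, entropy near 8 bits per byte.
    first_ok = looks_like_plaintext(after_first_key)

    # Only the second, unpriced key actually restores the document.
    after_second_key = keystream_xor(inner_key, after_first_key)
    second_ok = looks_like_plaintext(after_second_key)
    return first_ok, second_ok, after_second_key == document


if __name__ == "__main__":
    first_ok, second_ok, restored = simulate_event()
    print("output usable after first key :", first_ok)
    print("output usable after second key:", second_ok, "(restored:", restored, ")")
```

The practical point is the test-decrypt: before the first payment is even considered, ask for a free decryption of a sample file and run this kind of check on it; after any key is delivered, decrypt one file and check the result before touching the rest of the estate. Output that is still high-entropy with no recognizable file signature is the clearest sign that a second layer, and a second demand, is coming.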
To make the situation more frightening, some criminal groups use triple or quadruple extortion, even working together against a single victim. For example, after the victim pays the first two ransom demands, the criminals may launch additional attacks, such as flooding the network with traffic (a DDoS attack) to halt operations, or contacting the victim's customers and partners directly.
Experience points to two warning signs commonly seen in double-encryption events: 1) a small initial ransom demand; and 2) an extremely short window in which to pay, backed by threats like "before all data vanishes forever."
As to what constitutes a small demand, it varies. Cyber-criminals do their homework. A cyber-criminal will not seek a seven-figure ransom from a business with annual revenue in the low seven figures. The ransom demand, at least the first one, will be a figure the company is capable of paying without unnecessary red tape. For example, a small business turning approximately $3M in profit annually may only see an initial ransom demand of $25,000 (or less).
Think about the scenario like this: a ransomware crew wants its payment, quickly. They do not want the victim forced to get board-level approval or a loan to pay the ransom. Criminals rely on the knee-jerk reaction of "Just pay it so we can keep operating. It's not worth the business interruption." If the victim provides public-facing services for other companies, the first demand may be somewhat higher, because such a victim will pay more to avoid losing clients or being embarrassed in front of them.
The second indicator is a message containing a timer. The victim may only be afforded a few hours (as opposed to a full day or two) to decide to pay the ransom before the criminals threaten to delete the data forever or publicly post it as stolen.
For any company, particularly one operating in states with stringent breach-notification and data-protection laws such as California, Massachusetts, New York, and Illinois, publicity of a data breach is more terrifying than anything else. Cyber criminals use the timer to drive up the fear factor, counting on the prospect of state or federal regulatory action to raise the cost of not paying the ransom.
From a defensive position, the best way to react to a ransomware discovery is to contact the authorities. Whichever law enforcement entity responds to cyber events in a state or area might already have the decryption keys for that ransomware family, be able to get them from a state or federal agency partner, know whether a public decryptor exists, or recover keys through dark-web research. Louisiana has a state version, but the federal Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.) preserves legal privileges and protects entities that share indicators of compromise with certain agencies. Relying on the protected assistance of law enforcement is more reliable than the "guarantees" of criminals.