Before Darth Vader, there was Anakin Skywalker; before Magneto, there was Max Eisenhardt; and before Gollum, there was Sméagol. As villains transform to the worst version of themselves, they take on a new name to match their new identity. The same thing is happening with ransomware.

Security researchers in FireEye Mandiant’s annual M-Trends Report noted an alarming rise of encryption combined with exfiltration in ransomware attacks. Mandiant has granted a new term for the attack: multifaceted extortion, to reflect the complexity of the attack transformed to target more than just data ransom. 

Multifaceted extortion at work

The Colonial Pipeline attack underscores Mandiant’s warning. The attackers, identified as DarkSide, are known for their use of multiple extortion tactics. These tactics increase leverage even in cases where organisations might otherwise be prepared to use backups or rebuild systems from scratch.

With higher gas prices lingering after the pipeline shutdown, it’s easy to forget that history was made when the ransomware group REvil made the largest ransom demand to date at US$50 million as of July 2021. The high demand is attributed to the use of multifaceted extortion.

Why DDoS attacks on the tech companies can cause massive disruption across industries

The Cyber Security Agency of Singapore reported a 154 percent increase in ransomware cases over the course of a year, with 35 cases reported in 2019 to 89 cases reported in 2020. The cases predominantly affected Small and Medium Enterprises (SMEs) in the manufacturing, retail and healthcare sectors. 

With the recent surge in high-profile ransomware attacks, organisations have become more acutely aware of the real-world consequences these attacks pose with the potential to become national security concerns. It has become more important for businesses to review their cybersecurity policies to ensure resilience and protection from potential cyberattacks. 

From ransomware to extortion

Awareness for ransomware ballooned four years ago when WannaCry spread rapidly around the world through the insecure SMBv1 protocol. In its aftermath, organisations scrambled to patch vulnerabilities and implement broad security hygiene education. Meanwhile, an increase in data backups helped ensure that, should critical data be encrypted, business could move on without paying up. 

With these prevention and mitigation strategies ramping up, exfiltration and extortion is a logical workaround for cybercriminals in need of leverage. While the threat of releasing proprietary data is the most well-known extortion tactic, Mandiant goes on to mention that attackers are using even more aggressive methods including employee harassment and DDoS attacks.

Given the mitigations organisations have taken since WannaCry, the move from ransomware to multifaceted extortion is an important note. Headlines proclaiming that ransomware is on the rise cannot exactly clue organisations into the realities of today’s attacks—a threat that is poised to trigger another swift cyber defence strategy shift.

Know thy enemy, defeat thy enemy

The Cybersecurity Act was enacted on 2 Mar 2018, establishing a legal framework to oversee and maintain national cybersecurity in Singapore. The Act consists of four key pillars.

The first pillar concerns strengthening the protection of Critical Information Infrastructure. The second concerns authorising CSA to prevent and respond to cybersecurity threats, while the third pillar is about establishing a framework for sharing cybersecurity information. Finally, the fourth pillar establishes a light-touch licensing framework for cybersecurity providers. 

While the Act does not delineate requirements for private-sector organisations, it does encourage them to follow the government’s lead by updating their security models accordingly.

To do so, it helps to have an idea of who organisations are up against. Ransomware is a significant threat to ASEAN businesses. Close to 3 million ransomware cases were detected in the region within the first three quarters of 2020 alone. The Interpol-ASEAN Cyberthreat Assessment also notes that the actual situation could be much worse, with an estimate of only 2.5 percent of ransomware incidents made public. In such a sense, the 89 reported cases of ransomware in 2020 could only be a fraction of the cases that have actually occurred.

Furthermore, ransomware groups utilise a “name and shame” tactic against companies, where they publicise data or even auction it for a higher profit. Although Maze is the only known group to utilise this tactic thus far, the tactic is expected to become more common as ransomware groups continue to target businesses in the ASEAN region.

The Interpol Cyberthreat Assessment pinpointed approximately four different ransomware groups targeting various sectors in the ASEAN region, with Maze and REvil being the most prominent ones. With the “Ransomware-as-a-Service” model being on the rise alongside ransomware families, a larger number of potential cybercriminals will swarm towards ransomware as a means to make money.

This is to say that although organisations may have an idea what cybercriminals are after, it is not always possible to know their approach. While it seems daunting for those in cybersecurity, avoiding cyber extortion is still a very attainable defence goal.

A source of truth 

If cybercriminals are using unknown tactics, how do certain companies detect and stop multifaceted extortion attempts while others fall victim? The answer lies in the network.

Attackers have become highly adept at evading detection upon entry into a network, but they can not hide from the network. The network represents an empirical source of behavioral evidence of the connective tissue of the enterprise. It’s a passive, observational and definitive source of truth for cybersecurity teams. By adding network detection and response (NDR) as a critical aspect of cybersecurity defence, an organisation gains the ability to detect compromise before any major harm.

NDR can help organisations detect threats in their networks with the help of machine learning. By establishing a network baseline, behaviour-based detectors empower security teams to spot malicious activity, even if it does not follow a known pattern. This tactic gives organisations an advantage, even in the face of zero-day exploits, newly introduced malware, and evolving ransomware tactics.

This was contributed by Daniel Chu, Director of Systems Engineering, ExtraHop

About the author

Daniel Chu is the APJ Systems Engineering Director for ExtraHop. Spearheading the initial launch of ExtraHop APAC in 2015, he continues to be passionate about engaging in hands-on work and providing technical guidance to customers and partners. Prior to joining ExtraHop, Mr. Chu led a regional sales engineering team in Asia-Pacific & Japan at Riverbed Technology. Daniel holds a Masters of Science and undergraduate degree in Electrical Engineering from the Georgia Institute of Technology.