Hackers use a new tactic: double extortion

In the first quarter of this year, hackers mastered a new extortion tactic that is far more dangerous than the previous one, according to Check Point experts. Cybercriminals now add an additional phase to their attack: before encrypting the victim's database, the attackers exfiltrate large amounts of commercial information and threaten to publish it unless a ransom is paid.

A similar case was recorded at the security company Allied Universal back in November of last year, when the victim refused to pay a ransom of 300 bitcoins (approximately $2.3 million). The attackers promised to use the confidential information, along with stolen certificates, email and domain names, to conduct spam campaigns in Allied Universal's name.

To prove their intentions, the hackers published a sample of the stolen files: among them were contracts, medical records, encryption certificates, and more.

Other cybercrime groups have also begun adopting the new tactic and have created their own pages for publishing stolen information for the same purpose.

The attackers using the Sodinokibi ransomware (also known as REvil) have published details of their attacks on 13 victims, along with confidential information belonging to those companies. The latest victim was an American national association against eating disorders.

At first, screenshots of the obtained information serve as a means to convince victims to pay the ransom. If payment is not received on time, the attackers carry out their threat and expose the confidential information publicly.

The hackers use the stolen data as a trump card: they know that under the GDPR, companies will have to pay huge fines for leaked information. For example, on the eve of 2020, 5 GB of confidential customer data was stolen from Travelex, including dates of birth, credit card information and national insurance numbers.

The hackers gave Travelex two days to pay $6 million, then promised to double the ransom amount and sell the entire database if they did not receive payment within a week. Travelex had to disconnect from the network for three weeks to recover from the attack.

The attackers have also begun attacking mobile devices. Recently, a virus was disguised as an application for tracking coronavirus infections on Android devices. In reality, the application encrypted user data and threatened to release personal information from social networks.

Check Point experts reported that the main targets of such attacks are hospitals, especially now, given their work with coronavirus patients. Attackers targeted more than 1 thousand medical organizations in the United States alone in 2016. According to recent estimates, the costs amounted to more than $157 million. In 2017, dozens of British hospitals suffered from WannaCry, which led to thousands of cancelled appointments and the closure of some emergency departments. In 2019, a few US hospitals had to turn away patients after a series of ransomware attacks.

Check Point experts recommend making regular backups of data and files, preferably using cloud storage. The most common infection methods used in ransomware campaigns are still spam and phishing emails. Very often, competent users can prevent an attack simply by not opening the email or downloading a malicious attachment. It is therefore important to train employees in the basic rules of cyber hygiene and ask them to inform the security team about suspicious messages.

To minimize the damage from a successful ransomware attack on an organization, you can introduce access control for different categories of employees. This greatly reduces the likelihood that a ransomware attack will spread throughout the entire network.

From an information security point of view, it is certainly very important to regularly update your antivirus and other signature-based protections.

In addition to traditional signature-based defences such as antivirus and IPS, organizations need to use additional layers to prevent new, unknown threats that have no known signature. Two key components that should be used are threat extraction (delivering cleaned files) and threat emulation (advanced sandboxing). Each element provides separate protection, and used together they provide a comprehensive solution for protecting against unknown malware at the network level and on endpoints.