Seven ways to prepare for double extortion ransomware


The volume and scale of cyberattacks continue to increase and stress an organization’s ability to understand and prioritize the range of threats. 

According to our latest report, nine out of 10 external (non-Rubrik) organizations reported malicious actors attempted to interfere with their data backups during a cyberattack, with 73% being at least partially successful. Nearly three quarters (72%) of these same organizations reported paying a ransom for encrypted data, but only 16% of organizations that paid recovered all of their data. 

Furthermore, research by Palo Alto Networks' Unit 42 found that 70% of ransomware incidents in 2023 also included data theft, not just encryption – up from approximately 40% in mid-2021.

Security pros may think they’ve prepared. They’ve taken immutable snapshots of data, hardened the infrastructure, deployed a SIEM, and gone all out installing other technology tools to protect against ransomware.

If bad actors encrypt production data and try to hold it hostage, the team has deployed the perfect, resilient response. But cybercriminals get a vote as well. They’ve made their own shifts and investments in a perpetual cat and mouse game.

The attack vector expands

A particularly challenging type of cyberattack – termed “double extortion” ransomware – has grown in impact and prevalence. Traditionally, ransomware encrypts the victim's data. Attackers then demand a ransom in exchange for the data’s decryption key. And supposedly, once the company that’s attacked pays the “ransom,” the key gets handed over and the attack is resolved. That was then.

Now, we see a second level of extortion. The “double” refers to the fact that attackers don’t just demand payment in exchange for the decryption key but also threaten to publish the stolen data if companies don’t hand over the money. They double the pain to force the victim to pay. Double extortion ransomware attacks are increasingly common, and they are often very costly.

The challenge ahead

Battling double extortion ransomware has become exponentially more challenging than merely defending against an encryption event.

If security teams focus on minimizing the impact of encryption, they may prioritize infrastructure-driven efforts. These give an organization the proactive safeguards that help prevent attacks from happening in the first place. And make no mistake, that is an essential part of strategic planning for cyberattacks and of ensuring the organization has the right preparedness measures in place. But the ability to restore data does nothing to prevent it from being stolen.

To gain true cyber resilience, focus on these seven ways to keep data secure:

  • Make data security an institutional priority: This may seem obvious, but we typically see a lot more focus on infrastructure and a lot less on data. Infrastructure security alone, while critical, has become insufficient. We must prioritize data security as part of a holistic cybersecurity strategy to effectively overcome modern cyberattacks.
  • Identify the most sensitive data: All data is not created equal, and if treated the same, then sensitive data may not receive proper evaluation. Is it intellectual property? Customer payment data? Patient data for healthcare organizations? Sensitive employee data like social security numbers and bank account numbers for direct deposits of paychecks? Data prioritization allows for much more effective defensive postures.
  • Find out who has access to the data: Are they the appropriate people and teams? Is multifactor authentication in place? Zero-trust comes into play here – a system architecture that assumes all users, devices, and applications are untrustworthy and are open to compromise.
  • Get rid of stale data: If nobody has touched the data in six months to one year, it’s worth questioning if it’s still needed. Older documents – while possibly important – can also hold risky data, so if it no longer serves a purpose, organizations may not need to hold onto it.
  • Ensure the organization can view data moving across its environment: Typically, attackers move into one location, then another, then another. They’ll concentrate on an area and exfiltrate the data from it before moving on. That’s why it’s critical to have transparency into data movements and any other irregular activities. If the team can spot irregularities early, it can potentially shut down cyber criminals before they cause damage to data or the environment. This step has always been important, but in the modern, hybrid environments, the ability to see data movement across SaaS, Cloud, and on-premises has become vital.
  • Get ahead of data growth: Most organizations are not prepared for the fact that they will have more data tomorrow than they have today – and are typically surprised by how much of that is sensitive data. They must not only track where the data moves, but also how it grows. Organizations should track the volume of data growth across their on-premises, cloud, and SaaS applications. Additionally, they should evaluate the sensitive data within and across each of these areas. Finally, determine whether data moves in the direction they think – whether through traditional data migration or across approved workflows.
  • Designate a data owner: With all of this said, who’s responsible for overseeing their organization’s data? Employees often don’t know who’s responsible for setting and enforcing data strategy – and that’s because many organizations don’t have this role established. One business stakeholder should serve in this role, assess organizational risks, and present to leadership on a regular basis.
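As an added illustration of the "identify the most sensitive data", "find out who has access" and "get rid of stale data" steps above (example code, not code from the article or from Rubrik), the Python below runs over a constructed inventory of file records, the kind a file-share crawl or data-security export would produce, and flags the combinations a data owner would prioritize. The record fields, the 180-day threshold, the broad-access group names and the pattern set are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inventory (assumed fields): path, last access, read-access groups, content sample.
NOW = datetime(2024, 6, 1)  # fixed "today" so the example is reproducible
SAMPLE_FILES = [
    {"path": "/hr/payroll_2021.csv", "last_access": NOW - timedelta(days=400),
     "readers": {"hr-staff", "Everyone"},
     "sample": "Jane Doe,123-45-6789,acct 123456789"},
    {"path": "/finance/q1_invoices.xlsx", "last_access": NOW - timedelta(days=10),
     "readers": {"finance"}, "sample": "card 4111111111111111 paid in full"},
    {"path": "/eng/design_notes.md", "last_access": NOW - timedelta(days=30),
     "readers": {"engineering"}, "sample": "Architecture overview for the ingest service"},
    {"path": "/archive/old_marketing.pptx", "last_access": NOW - timedelta(days=700),
     "readers": {"Everyone"}, "sample": "Campaign slides from 2021"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,19}\b")          # candidate card numbers, confirmed by Luhn below
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}  # assumed "anyone can read" groups
STALE_AFTER = timedelta(days=180)              # the article's "six months" threshold

def luhn_ok(digits):
    """Luhn checksum, so a long invoice or account number is not mislabelled as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(sample):
    # Returns the set of sensitive-data labels found in a content sample.
    labels = set()
    if SSN_RE.search(sample):
        labels.add("ssn")
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(sample)):
        labels.add("pan")
    return labels

def assess(record, now=NOW):
    """Flag a file as stale, and as broadly exposed when it also holds sensitive data."""
    findings = []
    labels = classify(record["sample"])
    if now - record["last_access"] > STALE_AFTER:
        findings.append("stale")
    if labels and record["readers"] & BROAD_GROUPS:
        findings.append("broad-access")
    return {"path": record["path"], "labels": labels, "findings": findings}
```

Run `[assess(r) for r in SAMPLE_FILES]` to see the payroll file surface as both stale and broadly readable while holding SSNs, which is the combination the data owner should act on first.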

It’s imperative to have a data security solution that helps the organization identify sensitive data, where it’s located, and who has accessed it. And this becomes more challenging when the organization has a mix of on-premises, multi-cloud, and SaaS environments, each of which holds large volumes of unique data.

A sophisticated investigation tool that clearly and quickly identifies who has access to data, where that data lives, and what the data contains, offers a more holistic protection against double extortion ransomware as well as other kinds of attacks. With this comprehensive knowledge of the organization’s data, the team will have the power to limit the damage that outside malicious actors can wreak upon the business.

Steve Stone, head, Rubrik Zero Labs, Rubrik
