Defeating Triple Extortion Ransomware: The Potent Combo of Ransomware and DDoS Attacks
As security leaders assess their organization's risk profile, there is a combination of three attack techniques that CISOs need to be wary of. This tactic, known as triple extortion ransomware, pairs a ransomware program and data theft with distributed denial-of-service (DDoS) attacks; the DDoS component is also sold and threatened on its own as ransom DDoS (RDDoS).
This tactic is particularly effective because a DDoS attack launched alongside a ransomware attack creates an additional pressure point for the victim. Triple extortion methods are becoming increasingly popular among cybercriminals because they provide multiple ways to profit from a single ransomware campaign.
What is a triple extortion ransomware threat?
In a triple extortion attack, cybercriminals use a three-pronged approach to extort money from their victims by:
Infiltrating the targeted business's systems and deploying ransomware to encrypt sensitive information.
Exfiltrating sensitive customer and business data before it is encrypted, and threatening to leak or sell that data online if the ransom is not paid.
Disrupting the business's operations with DDoS attacks. Threatening a business that is already dealing with a ransomware attack with DDoS creates additional pressure and is meant to force the victim to pay the ransom.
What are the risks and impacts to businesses from triple ransomware extortion?
Loss of access to critical data and systems
Combining DDoS attacks with a ransomware attack makes the triple extortion attack even more devastating to an organization. The use of DDoS adds another layer of complexity to an already stressful situation for an organization that is responding to a ransomware attack involving exfiltration and encryption of their data.
DDoS attacks against a victim already under a ransomware attack can easily disorient security teams and make it more difficult for the organization to access its critical data and systems and to respond effectively to the ransomware attack. If the victim's internet connectivity is saturated, its ability to reach cloud backups, coordinate with responders and vendors, and restore access is severely reduced.
Loss of revenue
In addition to the damage caused by the ransomware, the victims also suffer loss of revenue from the downtime caused by the DDoS attack. This combined attack using triple extortion methods puts additional pressure on the victim to pay the ransom to get their network online or stop the attacker from posting the leaked information on the internet.
The bottom line is the more pressure cybercriminals can put on a business, the better their chances of extracting the ransom payment.
It is important to note that paying the ransom does not guarantee that the attacker stops targeting the victim with DDoS attacks or prevents the public exposure of sensitive information. It is generally not recommended to pay the ransom, as doing so only incentivizes cybercriminals to continue their attacks.
What is fueling triple extortion ransomware attacks?
Triple extortion attacks are becoming more common as cybercriminals look for new ways to maximize their profits. Along with the loss of their data and the availability of their services, the targeted victims are also faced with potential public exposure of sensitive information, which could have serious consequences for their reputation and business.
Ransomware as a service
These combinations of multiple attacks are becoming easy to conduct because criminal organizations offer the tooling as an affiliate service that other threat actors can use, known as ransomware as a service (RaaS). With RaaS, ransomware groups provide multiple capabilities that affiliates can use to target a business with multiple attack vectors.
For instance, instead of just encrypting the targeted business's sensitive data, the affiliate can use the RaaS tooling to exfiltrate an organization's data before encrypting it. This exfiltrated data can be sold on the internet or used to blackmail the targeted business into paying a ransom.
This combination of encryption and exfiltration of sensitive data is known as a double extortion ransomware attack. In the new triple extortion ransomware attack, the most popular RaaS groups have included DDoS attacks in their service, which can be leveraged as an additional extortion technique.
Recent incidents of triple ransomware extortion
BlackCat
Recent examples of triple ransomware extortion include businesses targeted through the BlackCat RaaS affiliate program. BlackCat, also known as the ALPHV ransomware gang, is known to exfiltrate a business's information before encrypting the data. If the business refuses to pay the ransom, the service provided by the ransomware group also includes DDoS attacks as an additional extortion technique to force the victim to pay. BlackCat is known for posting stolen information on a dedicated leak site if the ransom demands are not paid.
AvosLocker
AvosLocker is another RaaS group that uses triple extortion tactics. This group has targeted victims across multiple critical infrastructure sectors and other sectors, such as financial services.
In March 2022, the FBI and the U.S. Treasury Department (FinCEN) issued a joint advisory detailing the tactics and the various extortion techniques that this group employed. After being targeted, AvosLocker victims receive a phone call from an AvosLocker representative. The caller encourages the victim to negotiate the ransom and threatens to post stolen data online if the ransom is not paid. AvosLocker actors then put additional pressure on the victim to increase the ransom payout by executing DDoS attacks during the negotiation.
Triple extortion attacks: an unfortunate success for ransomware groups
Triple extortion attacks have unfortunately been successful for many ransomware groups, as they have found that the threat of releasing sensitive data and a DDoS attack, in addition to encrypting files, can be a powerful tool for extorting ransom payments from victims. Ransomware operations such as DarkSide have adopted these multi-pronged extortion methods, and the same pressure tactics are used by actors that are not RaaS groups at all: the DDoS-focused Killnet collective on the DDoS side, and the state-sponsored Lazarus Group on the ransomware side.
The bottom line is that increasing pressure on an organization using multiple attack vectors increases the likelihood of a ransom payment, making triple extortion ransomware an increasingly disruptive form of cyber extortion.
4 steps to defend against triple extortion ransomware attacks
The adoption of a Zero Trust security model with DDoS protection, along with the four recommendations that follow, will help protect your organization's critical assets from ransomware attacks that use triple extortion tactics. It is also important for organizations to have a cybersecurity incident response plan in place before an attack occurs. Such a plan should include communication protocols (including out-of-band channels that still work when the network is under DDoS) and steps for restoring systems and services in the event of a DDoS attack or a data breach.
1. Use cloud-based DDoS protection to maintain availability of services
A cloud-based DDoS service acts as a single policy enforcement point for all inbound traffic across your data center and hybrid cloud environments. Organizations can also put their assets behind a proxy-based service, which hides the origin's IP addresses behind the provider's edge. This only works if the origin accepts traffic solely from the provider's address ranges: an origin that still answers direct requests can be located through stale DNS records, certificate transparency logs or scanning, and then attacked directly, bypassing the protection. If the application cannot be reached directly, the attacker has no origin to target.
Akamai Prolexic is a cloud-based DDoS service that can block DDoS attacks targeting your assets in the data center or in the cloud. Akamai Prolexic solutions are origin-agnostic and enforce a single and uniform DDoS security posture for all your internet-facing assets.
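Two checks a practitioner would want after moving an origin behind a scrubbing or proxy service are (a) proof from the origin's own access log that nothing is still reaching it directly, and (b) a firewall rule set that makes a leaked origin IP useless. The script below is an added example, not Akamai's code or Prolexic's configuration: the provider prefixes, the nftables table name and the access-log lines are constructed for illustration, and you would substitute the egress ranges your provider publishes.

```python
"""Verify that an origin behind a cloud DDoS/proxy service is not reachable
directly, and render a lockdown rule set for it.

Assumptions (constructed for this example, not real provider ranges):
  - the proxy/scrubbing provider publishes the source prefixes its edge uses;
  - the origin logs in combined log format with the client IP first.
"""
import ipaddress
import re

# Hypothetical provider egress prefixes; replace with your provider's list.
PROVIDER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed origin access log: most hits arrive via the provider, but two
# sources hit the origin directly (one of them the /admin path).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/May/2023:12:00:02 +0000] "GET /login HTTP/1.1" 200 1034
198.51.100.23 - - [10/May/2023:12:00:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [10/May/2023:12:00:03 +0000] "GET / HTTP/1.1" 200 512
2001:db8:100::5 - - [10/May/2023:12:00:04 +0000] "POST /api HTTP/1.1" 204 0
192.0.2.77 - - [10/May/2023:12:00:05 +0000] "GET /admin HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r"^(\S+) ")  # first token of a combined-format line


def is_provider_source(ip_str, prefixes=None):
    """True if ip_str falls inside one of the provider's published prefixes."""
    nets = prefixes if prefixes is not None else PROVIDER_PREFIXES
    ip = ipaddress.ip_address(ip_str)
    # 'in' is False across address families, so mixed v4/v6 lists are safe.
    return any(ip in net for net in nets)


def find_bypass_hits(log_text, prefixes=None):
    """Return {source_ip: request_count} for requests that reached the origin
    without passing through the provider, i.e. evidence of a bypass."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src = str(ipaddress.ip_address(m.group(1)))
        if not is_provider_source(src, prefixes):
            hits[src] = hits.get(src, 0) + 1
    return hits


def nft_allowlist_rules(prefixes=None, ports=(80, 443)):
    """Render an nftables rule set that accepts the service ports only from
    provider prefixes and drops everything else by default."""
    nets = prefixes if prefixes is not None else PROVIDER_PREFIXES
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = [
        "table inet origin_lockdown {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for net in nets:
        family = "ip" if net.version == 4 else "ip6"
        lines.append(f"    {family} saddr {net} tcp dport {port_set} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, count in find_bypass_hits(SAMPLE_LOG).items():
        print(f"direct-to-origin traffic from {ip}: {count} request(s)")
    print(nft_allowlist_rules())
```

Run it against a day of real origin logs before and after cutover; any non-provider source that still appears is either a bypass path to close or a monitoring system that needs its own rule. The rendered table has `policy drop`, so add an explicit accept for your management path (a bastion or VPN prefix on port 22) before loading it, and re-render whenever the provider updates its prefix list.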
2. Adopt a Zero Trust policy to stop ransomware
The adoption of a Zero Trust, or least-privileged access, policy is a key defense against the initial intrusion that precedes a ransomware attack. Having a Zero Trust policy means that no user or application is trusted by default. Every access request is treated as hostile until it has been authenticated and authorized. Access is granted to a user or a system based on the presented identity and context, and it is limited to only the resources for which that identity is authorized.
Akamai enables organizations to adopt a Zero Trust policy with strong application access control with Akamai Enterprise Application Access.
3. Implement microsegmentation policies to stop lateral movement
Preventing lateral movement is critical to limiting the damage that a cyberattack can cause. By limiting communication between segments, network microsegmentation can prevent an attacker from moving laterally across the network.
Akamai Guardicore Segmentation uses microsegmentation to isolate workloads and limit the lateral movement of attackers within a network. It also offers network visualization and analysis tools that can help organizations better understand their network and detect potential security risks.
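Microsegmentation is only as good as the allow-list behind it, and the fastest way to see what a policy would block is to run it over real flow records before enforcing it. The script below is an added example and is not Guardicore's policy language or code: the segment map, the allowed flows and the flow log are constructed, and the model (tag each host with a segment, allow only listed segment-to-segment ports, deny everything else including peer-to-peer traffic inside a segment) is the generic one the paragraph describes.

```python
"""Evaluate a default-deny microsegmentation policy against observed flows.

Hosts are mapped to a segment by subnet; only the (src_segment, dst_segment,
dst_port) tuples in ALLOW are permitted. Everything here is constructed for
this example: the subnets, the policy and the flow log are hypothetical.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Hypothetical asset inventory: subnet -> segment label.
SEGMENTS = {
    ipaddress.ip_network("10.10.0.0/16"): "workstation",
    ipaddress.ip_network("10.20.0.0/24"): "web",
    ipaddress.ip_network("10.30.0.0/24"): "db",
    ipaddress.ip_network("10.40.0.0/24"): "backup",
    ipaddress.ip_network("10.50.0.0/24"): "mgmt",
}

# Allowed flows as (src_segment, dst_segment, dst_port). Note the direction:
# backup pulls from db, so db is never allowed to initiate toward backup,
# which is exactly the path ransomware takes to encrypt backups.
ALLOW = {
    ("workstation", "web", 443),
    ("web", "db", 5432),
    ("backup", "db", 5432),
    ("mgmt", "workstation", 3389),
    ("mgmt", "web", 22),
    ("mgmt", "db", 22),
}


def segment_of(ip_str):
    """Return the segment label for an IP, or 'unknown' if it is unmapped."""
    ip = ipaddress.ip_address(ip_str)
    for net, label in SEGMENTS.items():
        if ip in net:
            return label
    return "unknown"


def parse_flows(text):
    """Parse constructed 'src dst dport proto' lines; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def evaluate(flows):
    """Return a list of (flow, src_segment, dst_segment, verdict, reason)."""
    results = []
    for f in flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if (s, d, f.dport) in ALLOW:
            results.append((f, s, d, "allow", ""))
        elif s == d == "workstation":
            # Lateral movement in ransomware incidents is typically
            # workstation-to-workstation (SMB, RDP); no policy allows it.
            results.append((f, s, d, "deny", "peer-to-peer inside the workstation segment"))
        else:
            results.append((f, s, d, "deny", "no policy for this segment pair/port"))
    return results


def denied(flows):
    """Only the flows the policy would block."""
    return [r for r in evaluate(flows) if r[3] == "deny"]


# Constructed flow log: two legitimate flows, then SMB between workstations,
# a workstation talking straight to the database, the database host reaching
# into the backup segment, and one legitimate admin SSH session.
SAMPLE_FLOWS = """\
# src dst dport proto
10.10.4.12 10.20.0.5 443 tcp
10.20.0.5 10.30.0.9 5432 tcp
10.10.4.12 10.10.7.33 445 tcp
10.10.4.12 10.30.0.9 1433 tcp
10.30.0.9 10.40.0.2 22 tcp
10.50.0.1 10.20.0.5 22 tcp
"""

if __name__ == "__main__":
    for flow, s, d, verdict, reason in evaluate(parse_flows(SAMPLE_FLOWS)):
        print(f"{verdict:5} {s}->{d} {flow.src}->{flow.dst}:{flow.dport} {reason}")
```

Run the evaluator in audit mode over a few weeks of flow data first: every "deny" is either a policy gap to add deliberately or a flow that should never have existed. The three denials in the sample (workstation-to-workstation SMB, workstation-to-database, database-to-backup) are the ones you most want to see blocked during a ransomware incident.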
4. Adopt a secure web gateway to stop data exfiltration
A cloud-based secure web gateway solution that has sandboxing, in-line data loss prevention, and DNS protection capabilities can proactively identify and block access to malware command and control (C2) channels and ransomware drop sites. Blocking those channels, including covert channels such as DNS tunneling, makes it much harder for attackers to exfiltrate data and so undercuts the leak threat at the heart of double and triple extortion.
Akamai Secure Internet Access Enterprise is a cloud-based secure web gateway that has in-line data loss prevention and DNS inspection capabilities. Akamai Secure Internet Access improves security defense by identifying DNS-based data exfiltration and proactively blocks requests to malware C2 channels, ransomware, and phishing drop sites.
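DNS-based exfiltration is worth a concrete look because it slips past web proxies that only inspect HTTP. A tunnel encodes file chunks into query names under a domain the attacker controls, which shows up in resolver logs as long, high-entropy labels and a large number of distinct subdomains under one registered domain. The detector below is an added example, not Akamai's detection logic: the thresholds, the two-label registered-domain heuristic, the log format and the exfil-example.net domain are all constructed, and the "chunks" are SHA-256 hex strings standing in for encoded data.

```python
"""Score resolver logs for DNS tunneling / exfiltration.

Two signals: a single label longer than any normal hostname label, or a
high-entropy payload carried in an unusual record type; a domain is reported
once enough distinct suspicious subdomains have been seen under it.
Thresholds, the log format and the sample log are constructed for this
example and would be tuned against your own baseline.
"""
import hashlib
import math
import re
from collections import defaultdict

LONG_LABEL = 40             # hostnames rarely have a label this long
HIGH_ENTROPY = 3.5          # bits/char; English-ish hostnames sit well below
MIN_UNIQUE_SUBDOMAINS = 5   # distinct encoded chunks under one domain


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain). Assumes a two-label registrable
    domain; production code would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_features(qname, qtype):
    """Per-query signals used by find_exfil_domains."""
    sub, _ = split_name(qname)
    labels = [lbl for lbl in sub.split(".") if lbl]
    longest = max((len(lbl) for lbl in labels), default=0)
    payload = "".join(labels)
    return {
        "long_label": longest > LONG_LABEL,
        "high_entropy": shannon_entropy(payload) > HIGH_ENTROPY,
        "odd_type": qtype in ("TXT", "NULL", "CNAME") and len(payload) > 20,
    }


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # time client qname qtype


def find_exfil_domains(log_text):
    """Return {registered_domain: {"queries": n, "unique_subdomains": m}} for
    domains with at least MIN_UNIQUE_SUBDOMAINS distinct suspicious subdomains."""
    suspicious = defaultdict(set)
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, _, qname, qtype = m.groups()
        sub, dom = split_name(qname)
        totals[dom] += 1
        f = query_features(qname, qtype)
        if f["long_label"] or (f["high_entropy"] and f["odd_type"]):
            suspicious[dom].add(sub)
    return {
        dom: {"queries": totals[dom], "unique_subdomains": len(subs)}
        for dom, subs in suspicious.items()
        if len(subs) >= MIN_UNIQUE_SUBDOMAINS
    }


def _chunk_label(i):
    """Constructed stand-in for an encoded file chunk. DNS labels are limited
    to 63 octets, which is why real tunnels spread data over several labels."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60]


# Constructed resolver log: ordinary lookups, then a tunnel to a hypothetical
# attacker domain carrying six distinct chunks in TXT queries.
_NORMAL = [
    "10:00:01 10.10.4.12 www.example.com A",
    "10:00:02 10.10.4.12 mail.example.com MX",
    "10:00:03 10.10.4.13 cdn.example.net A",
    "10:00:04 10.10.4.13 d3k9x1a.cdn.example.net A",
    "10:00:05 10.10.4.12 _dmarc.example.com TXT",
]
_TUNNEL = [
    f"10:00:{10 + i:02d} 10.10.4.12 {_chunk_label(i)}.t.exfil-example.net TXT"
    for i in range(6)
]
SAMPLE_LOG = "\n".join(_NORMAL + _TUNNEL) + "\n"

if __name__ == "__main__":
    for dom, stats in find_exfil_domains(SAMPLE_LOG).items():
        print(f"possible DNS exfiltration to {dom}: {stats}")
```

Two caveats when running this on real logs: CDN and cloud hostnames legitimately carry hash-like labels, which is why a single high-entropy query is never enough on its own and the count of distinct subdomains per domain does the real work; and the two-label registered-domain heuristic misattributes names under suffixes such as co.uk, so use a public suffix list in production.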
Conclusion
Cybersecurity threats continue to evolve and become more sophisticated, and it's important for organizations to have a comprehensive and integrated approach to their cybersecurity defense program. Deploying security controls that are integrated by a single vendor can help streamline operations and make it easier to detect and mitigate threats.
References
FBI and FinCEN joint advisory on the operations of AvosLocker ransomware (March 2022), https://www.ic3.gov/Media/News/2022/220318.pdf
CISA (America's Cyber Defense Agency), Shields Up: Guidance for Organizations, https://www.cisa.gov/shields-guidance-organizations
Additional information
Akamai provides a wealth of materials to help your organization build its defenses against DDoS and ransomware attacks. If you're interested in learning more about ransomware and DDoS attacks, here are some Akamai resources you may find helpful: