27 Oct 2021
Posted in Thematic Research
The NCSC needs to talk up the double extortion ransomware threat, says GlobalData
Following the recent disclosure from GCHQ that ransomware attacks in UK have doubled in the last year;
David Bicknell, Principal Analyst in the Thematic Team at GlobalData, a leading data and analytics company, offers his view:
“The fact that UK ransomware attacks have increased is really no surprise. Ransomware is a global problem: the security challenge of our age.
“I’d like to see both GCHQ and the NCSC offering more practical advice. GCHQ discussing ‘red lines and behaviours’ and going after ‘links between criminal actors and state actors’ is of little practical use to UK organizations facing sophisticated ransomware threats.
“The NCSC should be talking up the growing threat of ‘double extortion’. It’s recently been suggested that 40% of ransomware campaigns now involve a form of double extortion. Rather than just encrypting files, double extortion ransomware exfiltrates the data first. This means that if the company refuses to pay up, information can be leaked online or sold to the highest bidder.
“Today’s ransomware – let’s call it Ransomware 2.0 – is not simply about encryption. Dell has described it as a ‘multi-modal attack campaign’ that also involves an attack on the brand reputation of the victim through naming and shaming. This usually includes select disclosure of exfiltrated data as a means of a proof of attack.
“This auctioning of exfiltrated data on both the dark web provides attackers with a secondary means of monetization of the original attack. The auctioning of data also enables further attacks against the initial victim or any individual/organisation whose data is included in the auctioned data-dump. User credentials, personally identifiable information, and other intelligence regarding network and systems topology and design can all be used in subsequent attacks.
“Organizations need to be aware that ransomware attacks are continually evolving. Backups can no longer be relied upon to save the day as exfiltrated data may still be auctioned.”