Venafi has published the findings of a global survey of IT decision-makers looking into the use of double and triple extortion as part of ransomware attacks. The data reveals that 83% of successful ransomware attacks now include alternative extortion methods, such as using the stolen data to extort customers (38%), exposing data on the dark web (35%), and informing customers that their data has been stolen (32%).
Just 17% of successful attacks solely asked for a ransom in return for a decryption key, meaning that many new forms of extortion are now more common than traditional methods. As data is now being exfiltrated, having a back-up of data – while still essential for recovery from an attack – is no longer effective for containing a breach.
The data also shows that cybercriminals are following through with these extortions, often even after a ransom has been paid:
Almost a fifth (18%) of victims paid the ransom but still had their data exposed on the dark web
This is more than the 16% that refused to pay the ransom and had their data exposed
Almost one-in-ten companies (8%) refused to pay the ransom, and the attackers tried to extort their customers
Over a third (35%) of victims paid the ransom but were still unable to retrieve their data
“Ransomware attacks have become much more dangerous. They have evolved beyond basic security defenses and business continuity techniques like next-gen antivirus and backups,” said Kevin Bocek, vice president of business development and threat intelligence at Venafi. “Organizations are unprepared to defend against ransomware that exfiltrates data, so they pay the ransom, but this only motivates attackers to seek more. The bad news is that attackers are following through on extortion threats, even after the ransom has been paid! This means CISOs are under much more pressure because a successful attack is much more likely to create a full-scale service disruption that affects customers.”
When asked about the evolution of extortion in ransomware attacks, 71% of those polled believe that double and triple extortion has grown in popularity over the last 12 months, and 65% agree that these new threats make it much harder to say no to ransom demands.
This is creating problems for the industry. 72% of IT decision-makers agree that ransomware attacks are evolving faster than the security controls needed to protect against them, and 74% agree that ransomware should now be considered a matter of national security. As a result, 76% of companies are planning on spending more in 2022 on ransomware-specific controls due to the threat of double and triple extortion.
Wider than internal measures, two-thirds (67%) of IT decision-makers agree that public reporting of ransomware attacks will help to slow down its growth. A further 77% agree that governments should do more to help private companies to defend themselves from ransomware.
“Threat actors are constantly evolving their attacks to make them more potent, and it’s time for the cybersecurity industry to respond in kind,” explained Bocek. “Ransomware often evades detection simply because it runs without a trusted machine identity. Using machine identity management to reduce the use of unsigned scripts, increase code signing and restricting the execution of malicious macros are vital to a well-rounded ransomware protection.”