Late in 2024, one of CYFOR Secure’s Incident Responders was called in to assist a client facing a critical cyber security incident: a double extortion ransomware attack.
What is a Double Extortion Ransomware Attack?
In a double extortion attack, cyber-criminals steal sensitive data before encrypting systems. Regaining access isn’t the only thing you need to worry about during this type of attack. The attacker has more leverage to extort a bigger sum, as they have stolen your data and can share it publicly if a larger amount is not paid. Here’s an analogy: the encryption is like changing the locks on someone’s house so they can’t get in. Only you have the key that would let them back in, which you’d be willing to give them – for a price. But, whilst you were in there, you took copies of all their bank statements, passwords for accounts, maybe some embarrassing photos. You can now demand an even higher price to not share these details publicly. Hence, double extortion.

The Initial Breach and Data Exfiltration
In this case study, the threat actor gained initial access through compromised credentials to remotely access a server that was insecurely exposed to the internet.
Once inside, the attackers used credential dumping tools on the organisation’s systems and deployed remote access tools to maintain persistent access. They also used “Anti-AV” tools to bypass security software.

Confirming Data Theft and Identifying the Method
Using a combination of host and network forensics, the CYFOR Secure team validated the threat actor’s claim of data theft. They identified the specific data stolen and determined that the stolen data had been transferred to a cloud storage account. Data from two of the organisation’s systems was copied in this manner.
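The network side of that validation comes down to answering one question from the logs: which internal hosts sent how much to which external storage destination, and when. The script below is an added example and not CYFOR Secure’s tooling; it assumes a simple four-field outbound log format (timestamp, source host, destination domain, bytes sent), a watch list of storage domains the organisation has no business use for, and a review threshold, all of which are constructed placeholders rather than values from the incident. It totals outbound volume per host and destination, skips malformed lines, and returns the pairs that exceed the threshold so an analyst knows which systems to pull host forensics from.

```python
"""
Added example (not CYFOR Secure's code): triage of outbound-transfer logs to
corroborate a data-theft claim. The log format, the watched destinations and
the threshold are constructed assumptions for this example.
"""
from datetime import datetime

# Assumed: storage destinations the organisation has no legitimate use for.
# Placeholder names, not the service seen in the incident.
WATCHED_DESTINATIONS = {"storage.example-cloud.test", "files.example-share.test"}

# Assumed review threshold: 200 MiB sent by one host to one watched destination.
THRESHOLD_BYTES = 200 * 1024 * 1024

# Constructed sample records: "timestamp src_host dst_domain bytes_out".
SAMPLE_LOG = """\
2024-11-03T02:14:07Z fileserver01 storage.example-cloud.test 734003200
2024-11-03T02:21:55Z fileserver01 storage.example-cloud.test 512000000
2024-11-03T02:40:12Z hr-ws07 files.example-share.test 318767104
2024-11-03T09:05:41Z sales-ws12 www.example-vendor.test 1048576
2024-11-03T09:06:02Z sales-ws12 storage.example-cloud.test 4096
malformed line that should be skipped
"""


def parse_log(text):
    """Yield (timestamp, host, domain, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, domain, size = parts
        try:
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, domain, int(size)
        except ValueError:
            continue  # bad timestamp or byte count: leave it out, do not crash the triage


def summarise_outbound(records, watched=WATCHED_DESTINATIONS):
    """Total bytes, event count and first/last seen per (host, domain) for watched destinations."""
    totals = {}
    for ts, host, domain, size in records:
        if domain not in watched:
            continue
        key = (host, domain)
        entry = totals.setdefault(key, {"bytes": 0, "events": 0, "first": ts, "last": ts})
        entry["bytes"] += size
        entry["events"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return totals


def flag_exfiltration(text, threshold=THRESHOLD_BYTES):
    """Return (host, domain, total_bytes) for pairs at or above the threshold, largest first."""
    totals = summarise_outbound(parse_log(text))
    flagged = [(h, d, v["bytes"]) for (h, d), v in totals.items() if v["bytes"] >= threshold]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for host, domain, total in flag_exfiltration(SAMPLE_LOG):
        print(f"{host} -> {domain}: {total / (1024 * 1024):.0f} MiB sent, review for exfiltration")
```

Run against the constructed sample, the script flags two hosts and ignores the small upload from the third; the first/last timestamps it keeps per pair are what you would line up against file-access and process-creation evidence on those hosts to confirm which files were copied.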
Responding to the Threat: A Strategic Approach
The CYFOR Secure team deployed EDR (Endpoint Detection and Response) tools and configured them to block the transfer tool the threat actor had used, as the organisation had no legitimate use case for it. This blocked unauthorised access in the future and prevented further data exfiltration.
Our team then worked with the client’s legal partners to issue takedown requests to the cloud storage service hosting the stolen data. While there was a possibility the threat actor had copied the data elsewhere (such as blogs used by threat actors), initiating takedown requests was a crucial step.
Finally, once the stolen data was identified, the team worked with the client’s legal partners to categorise the data by content (particularly regarding the presence of personal data). This allowed the client to meet their legal obligations for data breach reporting, with particular regard to the UK General Data Protection Regulation (GDPR) and the Data Protection Act.
The Results: Averted Ransom Payment and Strengthened Security
Thanks to the quick and decisive actions of CYFOR Secure, and because the client knew exactly what data was at risk, the client successfully recovered business operations, strengthened their security posture, and avoided paying any ransom.
Key Takeaways
This sort of incident highlights the importance of proactive security measures and rapid incident response.
- Proactive Measures: Robust security configurations and monitoring are essential to prevent initial breaches.
- Incident Response Plan: Having a well-defined incident response plan allows for swift action to contain and mitigate the impact of an attack.
- Expert Guidance: Engaging experienced cyber security professionals can make a significant difference in successfully navigating a ransomware attack and avoiding costly ransom payments.
What to Do If You Suspect a Double Extortion Attack
Contact CYFOR Secure immediately for expert incident response and data breach support. We can help you assess the situation, contain the breach, and minimise the impact on your business.
For general enquiries contact us here.