The dangerous new trick of ransomware is double encryption of data
Ransomware group has Always take A more-is-yes approach. If the victim pays the ransom and then business as usual, please hit them again. Or not just encrypt the target system?Steal their data first, so You might threaten to leak it If they do not pay back the money. What’s the latest upgrade? Ransomware The hacker simultaneously encrypts the victim’s data twice.
There have been two encryption attacks before, usually caused by two separate ransomware gangs harming the same victim at the same time. But anti-virus company Emsisoft said it has been aware of dozens of incidents in which the same actor or organization deliberately superimposed two types of ransomware.
“These groups are Keep trying to find the best strategy, They can make the most money with the least amount of energy. “Emsisoft threat analyst Brett Callow (Brett Callow) said. “So, with this method, you have only one participant to deploy two types of ransomware. The victim decrypted their data and discovered that it had not actually been decrypted at all. “
Callow said that some victims immediately received two ransom notes, which meant that hackers wanted their victims to be aware of double encryption attacks. However, in other cases, the victim will only see a ransom note after paying the fee to eliminate the first layer of fees, and only understand the second layer of encryption.
Callow said: “Even in the case of standard single encryption ransomware, recovery is usually an absolute nightmare.” “But we often see this double encryption strategy, and we think organizations should be aware of this when considering their responses. “
Emsisoft has identified two very different strategies. First, the hacker uses ransomware A to encrypt the data, and then uses ransomware B to re-encrypt the data. Another path involves what Emsisoft calls “parallel encryption” attacks, in which the attack uses ransomware to encrypt some of the organization’s systems. A and others use ransomware B. In this case, the data is only encrypted once, but the victim needs two decryption keys to unlock all content. The researchers also noticed that in this parallel situation, the attacker took steps to make the two different ransomware look as similar as possible, so it was more difficult for incident responders to figure out what was going on.
Ransomware criminal groups usually operate in the Revenue0Share model. In this model, a group builds and maintains a series of ransomware, and then leases its attack infrastructure to “subordinates” that perform specific attacks. Callow said that double encryption is suitable for this model. It allows a client wishing to launch an attack to negotiate a split with two gangs, each of which can provide a different strain of malware.
problem Whether to pay a digital ransom It is a difficult and important issue. Ransomware victims who choose to pay must be wary of the possibility that the attacker will not actually provide the decryption key. However, the rise of double encryption as a strategy increases the additional risk that victims can pay, decrypt their files once, and then discover that they need to pay for the second key again. As a result, the threat of double encryption makes the ability to restore from backup more important than ever.
Callow said: “Repairing from a backup is a long and complicated process, but double encryption does not further complicate it.” “If you decide to rebuild from a backup, then you will start again, so how much old data is encrypted It doesn’t matter at all times.”
For ransomware victims who initially did not have enough backups or did not want to spend time rebuilding the system from scratch, double encryption attacks pose another threat. However, if the fear of double encryption attacks makes it unlikely that the victim will pay in full, the attacker may withdraw from the new strategy.
More exciting wired stories