Grief Gang’s New Quadruple Extortion Scheme Doesn’t Change the Game

Imagine heading to work on a Monday morning. You stop at Starbucks on the way in for a little caffeine jumpstart. Traffic was bad—as usual, but you’ve seen worse. You sit down at your desk and bring your computer to life and find a message on the display letting you know your systems have been encrypted with ransomware. What do you do? 

If you’re like most organizations, one of the first things you do is contact local law enforcement, or the FBI. Many businesses will enlist the help of a professional negotiator to try and work out a deal with the attackers. Ransomware gangs would rather not involve anyone else, and now they are threatening to simply destroy your data if you notify anyone or seek outside help.

Quadruple Extortion

The entire concept of ransomware is based on extortion. Originally, ransomware was simply attackers encrypting your data so you can’t conduct business and holding the decryption key for ransom to extort money from you. 

That is single extortion. 

Companies adapted by getting better about backing up data. If you can just restore your own data from backups, there is no need to pay the ransom. Ransomware attackers responded by exfiltrating your data before encrypting it, and then threatening to leak or publish your sensitive data if the ransom is not paid. That is not a problem you can solve by restoring from backups.

That is double extortion.

Some organizations didn’t really care and would just restore from backups anyway and take the risk. Ransomware attackers shifted to offering the stolen data to competitors or investors who can short the victim company’s stock. You now have more incentive to pay the ransom to ensure your rivals don’t get your company secrets and prevent insider trading based on your sensitive data. The upside for the ransomware gang is they get paid by someone either way. 

That is triple extortion.

Now they have evolved again with a new approach. Grief Gang (which is believed to be connected to the Russia-based Evil Corp) and the Ragnar Locker ransomware group have both issued memos notifying victims that bad things will happen if law enforcement, data recovery experts, or professional negotiators are contacted. Basically, if the victim does not keep things strictly between them and the threat actors, the ransomware gangs will just leak or destroy their data.

That is quadruple extortion.

No-Win Scenario

That is a lot of incentive to pay the ransom, yet research shows that it doesn’t pay to pay. Our study of more than 1,000 businesses showed that 80 percent of businesses that paid a ransom were hit by a second ransomware attack. On top of all of that, ransomware gangs are also actively recruiting your employees to help them launch attacks from the inside. 

Once your data is encrypted by ransomware and you are faced with the extortion demands, there really are no good choices. Every move—whether you pay the ransom or don’t, whether you involve law enforcement or professional help or not—has the potential for serious negative consequences.

Just Don't Get Extorted

Ransomware gangs will continue to evolve new tactics and techniques. They are in the business of extorting money from victims, and they will find new ways to gain leverage and provide incentives for victims to hand over the ransom payment. With the right security, though, it doesn’t matter if the ransomware is double, or quadruple, or even octuple extortion. The solution is to not get extorted at all. 

The only good option is to stop the attack before your data is encrypted—before the attackers have any leverage at all. The problem for most organizations is that they still rely on ancient and outmoded point solutions that were designed to fight attacks from 20 years ago. These tools are not equipped to detect or stop the complex attacks of today.

You need the ability to view the entire malicious operation—or MalOp—and recognize Indicators of Behavior (IOBs) so you can detect and block ransomware attacks before damage is done. We are undefeated against ransomware because our operation-centric approach delivers effective protection against ransomware in all scenarios.

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
