How to Prevent Ransomware Attacks at the Earliest Stages

Ransomware attacks are one of the most challenging threats organizations face today. At the same time, it is difficult, if not impossible, for private-sector Defenders to draw a clear distinction between attacks supporting nation-state geopolitical interests and a good deal of the more complex ransomware attacks we see today.

These more complex ransomware operations, or RansomOps™, involve highly targeted, complex attack sequences by sophisticated threat actors. Unlike early iterations of ransomware attacks that relied on "spray-and-pray" tactics to infect large numbers of victims while seeking relatively small ransom demands, RansomOps attacks are much more intricate and akin to the stealthy operations conducted by nation-state threat actors. 

RansomOps are typically low-and-slow attacks that seek to remain clandestine and spread through as much of the target network as possible before the ransomware payload is delivered to encrypt systems and a ransom demand is issued. Recently, Cybereason CEO and co-founder Lior Div went over several different layers of extortion that ransomware threat actors are using these days to put additional pressure on their victims to pay up:

Single Extortion

Every ransomware strain stretching all the way to the AIDS Trojan back in 1989 have used the same general application of extortion—that is, they’ve all sought to disrupt a target’s normal workflows as leverage to force payment of the ransom demand. 

Some ransomware gangs have done this by preventing a user from interacting with their mouse and keyboard, or other means of disabling a device, effectively locking their computer. Others have sought to encrypt victims' files and thereby render that data inaccessible. 

Both tactics are designed to pressure the victim into contacting the ransomware authors and submitting to their demands for a ransom payment, which usually, takes the form of transferring money in the form of cryptocurrency like Bitcoin to a wallet controlled by the attackers. 

This strategy was largely successful unless victims were able to recover their impacted files by means of data backups, meaning they did not have to depend on the attacker to provide them with a decryption key in order to restore their systems to normal operation. That is, until the attackers countered with clever new tactics to force payment even when data backups are available.

Double Extortion

As a ransomware technique, double extortion is still relatively new at just over two years since it was first documented. In double extortion schemes, the attackers exfiltrate a victim’s sensitive data prior to the ransomware initiating the encryption routine. This strategy enables attackers to better enforce the ransom payment demands in exchange for a decryption key under threat of releasing the exfiltrated data publicly. 

While data backups are always a good practice, especially considering many organizations who paid a ransom demand either did not receive a decryption key or the decryption process corrupted their data (see report: Ransomware Attacks and the True Cost to Business), this tactic largely renders data backups ineffective as a primary defense against a ransomware attack, .

The way attackers leverage double extortion varies widely from one group to the next. While some might be more ad hoc in their demands, for instance, others take a more streamlined approach. Perhaps no group better embodies the latter methodology than the BlackMatter ransomware gang. 

In November of 2021, the operators of BlackMatter began using Exmatter, a custom tool which affiliates of the BlackMatter’s Ransomware-as-a-Service (RaaS) program can use to easily target data of value. SecurityWeek noted that Exmatter is specifically designed to steal data of specific file types and upload them to servers under the attackers’ control. The tool thus saves time and enables attackers with even low levels of technical expertise to engage in double extortion.

Triple Extortion

This tactic emerged in November of 2021. As reported by Threatpost, triple extortion involves ransomware gangs targeting confidential financial information, or intelligence around initial public offerings (IPOs) or mergers/acquisitions, or other privileged information that–if made public– could hurt the target organization. 

The idea behind triple extortion is that the attackers can steal sensitive information pertaining to those events and then threaten to release it to competitors or rogue short-sellers unless they receive a ransom payment. This tactic puts even more pressure on the victim organization to pay the ransom demand even if they have the means to recover the encrypted data.

Quadruple Extortion

A final layer of extortion referenced by Div was quadruple extortion. As he explained in his blog post, Quadruple Extortion first entered the ransomware threat landscape with the Grief Gang and the Ragnar Locker ransomware gangs. 

Both of those ransomware operators threatened to leak or destroy their victims’ data not only if they didn’t pay the ransom, but also if they contacted law enforcement, data recovery experts, or professional negotiators for assistance. Combined, these additional extortion tactics allow RansomOps attackers the ability to demand ever larger ransom amounts.

Defending Against RansomOps

It’s important to note that additional methods of ransomware-related extortion have emerged since Div wrote his post. For example, Bleeping Computer wrote that the HelloKitty ransomware gang has begun threatening to launch distributed denial-of-service (DDoS) attacks against a victim’s public-facing website unless they agree to pay the ransom.

This ongoing evolution of the ransomware threat landscape highlights the need for organizations to get strategic with their RansomOps defense. Specifically, it underscores the importance of an operation-centric approach to RansomOps prevention where organizations detect attacks early in the attack sequence and end the attack before any data exfiltration or encryption can occur. 

Cybereason Predictive Ransomware Protection detects the earliest signs of a ransomware operation and delivers automated prevention within milliseconds. With the ability to block obfuscated ransomware by leveraging AI-driven behavioral analysis on the endpoint in addition to encryption prevention, a rollback capability, and unparalleled visibility from the kernel to the cloud-- Cybereason Predictive Ransomware Protection represents the most capable ransomware defense available on the market.

Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting every customer from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture, and every other known ransomware family.

Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed