Double-extortion ransomware exfiltrates data as well as encrypting it. The idea is that if the victim declines to pay the ransom (eg, because they are able to recover the files through internal processes), they can be extorted to prevent their data being released to the public.
The industries most commonly targeted in this way were manufacturing (12.7%), services (8.9%), transportation (8.8%), retail and wholesale (8.3%), and technology (8%).
In late 2020, Zscaler ThreatLabz noticed the addition of synchronised DDoS attacks, overloading victims' websites and putting additional pressure on them to pay up.
"Over the last few years, the ransomware threat has become increasingly dangerous, with new methods like double extortion and DDoS attacks making it easy for cybercriminals to sabotage organisations and do long-term damage to their reputation," said Zscaler CISO and vice president of security research Deepen Desai.
"Our team expects ransomware attacks to become increasingly targeted in nature where the cybercriminals hit organisations with a higher likelihood of ransom payout.
"We analysed recent ransomware attacks where cybercriminals had the knowledge of things like the victim's cyber insurance coverage as well as critical supply-chain vendors bringing them in the crosshairs of these attacks.
"As such, it is critical for businesses to better understand the risk ransomware represents and take proper precautions to avoid an attack. Always patch vulnerabilities, educate employees on spotting suspicious emails, back up data regularly, implement data loss prevention strategy, and use zero trust architecture to minimise the attack surface and prevent lateral movement."
ThreatLabz analysed over 150 billion platform transactions and 36.5 billion blocked attacks between November 2019 and January 2021 to identify emerging ransomware variants, their origins, and how to stop them.
The five most common malware families during the last year were Maze/Egregor (seemingly ceased operations in November 2020), Conti, Doppelpaymer (often demanding large ransoms), Sodinokibi/REvil/Sodin,and DarkSide (ransomware-as-a-service).
The ThreatLabZ Ransomware Review: The Advent of Double Extortion" is available for download (registration required).
Zscaler's virtual event Zenith Live (free registration) will include a presentation by the ThreadLabZ team on advances in ransomware.