How to protect against double-extortion ransomware attacks
Posted: Friday, May 26

i 3 Table of Contents

How to protect against double-extortion ransomware attacks

Of all the cybersecurity challenges facing organisations today, one of the most pervasive is ransomware attacks.

According to research firm Statista, during the first half of 2022 there were a total of 236.1 million ransomware attacks worldwide. During these attacks, criminals attempt to gain access to an organisation’s central IT resources and encrypt data files. Payment of a ransom is then demanded before the files will be unlocked.

Recently, however, attackers have increasingly been adding an additional step in the process. Before data is encrypted, a copy is made which is then sent to another location. The victim is informed that, if payment is not made, these files will be made publicly available.

As well as the disruption and financial cost associated with traditional ransomware attacks, these so-called ‘double extortion’ strategies open victims up to reputational harm and a potential need to compensate clients and business partners.

The rise of Lilith ransomware
Recently there has been an increase in the use of a tool specifically designed to help cybercriminals mount double-extortion ransomware attacks.

Dubbed Lilith ransomware, it is a C/C++ console-based ransomware tool that has been designed to lock Windows machines via a double-extortion attack. The name comes from the fact that the tool renames encrypted files by adding a ‘.lilith’ extension.

Lilith ransomware targets 64-bit Windows system which are widely used in both the public and private sectors. Its usage has increased significantly since the shift to remote working that came as a result of the global pandemic.

Users and devices are no longer protected by a corporate firewall and so are more open to attacks. Users can be targeted via a phishing campaign which results in cybercriminals gaining access to centralised data.

The import role of SIEM platform
As a result of these constantly evolving and potentially very costly threats, increasing numbers of organisations are deploying security information and event management (SIEM) platforms. These platforms provide real-time analysis of security alerts and allow teams to respond much more quickly to suspicious activity.

A properly deployed SIEM platform can monitor objects and file changes that occur within an organisation’s IT infrastructure. This is particularly important when attackers are moving laterally through an infrastructure in search of sensitive data.

A SIEM can also allow initial responses to be automated. This can help to protect critical files until the security team has time to undertake a detailed assessment. The critical metrics of ‘time to detect’ and ‘time to respond’ can also be measured to ensure that response times are constantly improving.

Many security teams find that a SIEM can save them significant amounts of time whenever an incident occurs. By collecting and aggregating information from a range of different sources, the SIEM can streamline processes and ensure threats are countered as soon as possible.

Continuous vigilance
It’s clear that tools such as Lilith and double extortion techniques are here to stay and so it is important for organisations to be vigilant at all times. As well as having protective measures in place and a SIEM that can constantly monitor for suspicious activity, there are other steps that should be taken.

One of the most important is user education. All users must be aware of the threats being faced and the strategies that cybercriminals use to gain access to systems. Regular education sessions highlighting the impact of phishing campaigns are a must.

It is also important for organisations to undertake proper network segmentation. This will make it much more difficult for cybercriminals to move laterally through an infrastructure should they succeed at gaining initial access.

The security and IT teams should also ensure that critical data is regularly backed up and those backups stored in a different location. This will allow normal operations to be restored as quickly as possible following an attack.

The threats posed by ransomware are going to continue to be a significant challenge for organisations of all sizes. However, by being aware of the techniques being used and taking as many preventative steps as possible, risks can be reduced and disruptions avoided.

Michael Bovalino
Share This