Ransomware is evolving, and it is becoming more harmful and harder to stop. Triple extortion ransomware, also known as doxware, doesn’t simply demand payment in exchange for returning your sensitive information; that is where it differs from conventional ransomware. Doxware’s goal is to leak your information to the public or the dark web, causing you long-term financial and reputational damage.
Doxware attacks arrive the way most other ransomware attacks do: nearly 95% come via email. The major problem is that, while email filters run at all times, only one in 3,000 attempts uses malware that is already known, and only one in 4,000 of those emails has ever been seen by anyone else. There are three primary ways in which triple extortion doxware hackers can infiltrate your system:
- A DDoS attack: flooding a network with so much malicious traffic that it cannot operate normally.
- File encryption: encoding data so that only users with the decryption key can access it.
- Data theft: breaking into a private system, by way of weak passwords, outdated security, or other weaknesses, to poach private information.
How Does Triple Extortion Doxware Spread?
Over the years, companies realized that with traditional ransomware attacks they could refuse to pay the ransom, let the hacker wipe their data, and simply restore it from an external backup. The trouble with doxware is that the attacker is not just looking to wipe your network and cause downtime; they are looking to publicize your private conversations, photos, and files. A clean sweep of your network won’t do the trick here, which is why many companies end up paying the ransom, providing further incentive for doxware attackers to keep going after companies.
A History Of Doxware
The first documented triple extortion ransomware attack was the Vastaamo clinic attack in October 2020. Vastaamo was a Finnish psychotherapy clinic that suffered, and covered up, a cyber attack on its patient record system in 2018. That breach, however, was not the doxware attack that led to its eventual bankruptcy.
After the 2018 breach, then-owner Ville Tapio sold Vastaamo in 2019 to an investment firm. Neither Tapio nor the investment firm disclosed the data breach to their clients. It wasn’t until late 2019 that Vastaamo’s patients started receiving doxware emails threatening to disclose their psychotherapy history unless they paid in Bitcoin. The attacker had obtained tens of thousands of patient records, all of which included private session notes and social security numbers.
The effects of this attack were long-lasting and are still felt today. Ten million euros’ worth of personal assets were seized from Tapio, and Vastaamo was liquidated and ceased operations under financial and operational strain. Thousands of patients were blackmailed, and their personal information ended up on the dark web. Nearly the only positive to come out of this scenario is that Vastaamo’s clinicians were able to transfer to Verve, another psychotherapy company.
It is hard to say whether this could have been prevented had the initial breach been handled differently. The Vastaamo clinic attack set the precedent for all triple extortion doxware attacks to come.
Who Is At Risk Of A Triple Extortion Doxware Attack?
While any company or organization is susceptible to triple extortion doxware attacks, data shows that nearly 50% of all attacks are directed at CAD data and creative departments. CAD data is an organization’s most critical intellectual property, including engineering work, marketing proposals, designs, and much more. That is why a CAD doxware attack can be so harmful to an organization. Take a CAD design, for example. In the hands of a doxware attacker, that design can be sold to interested foreign countries and direct competitors. Now you are down precious IP and likely a large sum of money, while the attacker and a competitor are up financially and in valuable CAD data.
The costs of a doxware attack reach far beyond just money and IP. The residual effects of this kind of attack can be detrimental to any company, no matter the financial security. Even if your organization can withstand a triple extortion doxware attack, these lasting effects could severely impact your future.
A history of poor doxware and ransomware attack prevention will be apparent to your customers. The fact of the matter is that with a severe doxware attack, not only is your organization’s information at risk, but your customers’ is too. Once their personal data is threatened, they will likely have a hard time trusting in your organization.
Companies are repositories of sensitive personal information, and attackers are keenly aware of this. It is not solely up to your IT or HR teams to protect your employee information; it takes an effort from everyone to uphold good cybersecurity practices and prevent attacks.
Dependable suppliers are invaluable to a successful business. However, no supplier will stick with an organization if doing so puts their intellectual property, operational information, or other assets at risk. By not having a solid ransomware attack prevention strategy in place, you risk not only an attack but also the loss of reliable partnerships.
Protection From Triple Extortion Doxware
The reality of doxware is that the only way to protect against it is to prevent it. Once an attack has infiltrated your network, it’s nearly impossible to stop the attacker from sharing your sensitive information. There is so much at risk in a doxware attack: CAD files, personal information like social security numbers, partnerships, and more. That’s why we recommend employing all of the following tactics to protect your organization from an attack.
Keep Your System Up To Date
At an absolute minimum, make sure that your firmware and all of your security patches are up to date. This applies not just to your own systems but to all of your employees’ mobile devices, and the same goes for cloud users. Don’t fall into a false sense of security that the cloud provider will be the protector of your data: stay up to date with their policies and strategies so that you always have the upper hand.
Train Your Personnel
Your IT team shouldn’t be the only ones that can identify the signs of an attack. The first step in fighting against triple extortion ransomware is having a detailed cybersecurity plan that includes ample training for all employees, regardless of their department or title.
Regularly Back Up Data
Should an attacker get hold of your sensitive data, you run the risk of losing it forever. Backing up your data to an external source allows you to restore all information, conversations, photos, and designs immediately. While this doesn’t protect against the sharing of that data, you won’t be working from the ground up to restore operations.
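A backup is only worth restoring from if you can tell that the restored copy is the one you made. The following is an added example, not code from the original article: it builds a SHA-256 manifest of a backup tree, signs the manifest with an HMAC key that is assumed to live in a separate vault (never on the backed-up system), and on restore reports every file that was modified, removed, or planted. The file names and contents in `demo()` are constructed sample data.

```python
"""Verifiable backup manifest (added example, not from the original article).

Assumption: the HMAC key is stored off the backed-up system, so an intruder who
can alter the backup tree cannot also re-sign a doctored manifest.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file path (relative to root, POSIX form) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over a canonical JSON encoding, so the manifest itself cannot be silently edited."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_restore(root: Path, manifest: Dict[str, str], signature: str, key: bytes) -> List[str]:
    """Return a sorted list of problems; an empty list means the tree matches the signed manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid: do not trust this manifest"]
    current = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> dict:
    """Constructed backup tree in a temp dir: sign it, then tamper with it and re-check."""
    key = os.urandom(32)  # assumption: fetched from a vault, not stored beside the backup
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "designs").mkdir()
        (root / "designs" / "bracket.dxf").write_bytes(b"constructed CAD file contents")
        (root / "hr").mkdir()
        (root / "hr" / "payroll.csv").write_bytes(b"name,ssn\nconstructed,000-00-0000\n")
        manifest = build_manifest(root)
        sig = sign_manifest(manifest, key)
        clean = verify_restore(root, manifest, sig, key)
        # Simulate a tampered restore: one file altered, one removed, one planted.
        (root / "designs" / "bracket.dxf").write_bytes(b"altered")
        (root / "hr" / "payroll.csv").unlink()
        (root / "extra.bin").write_bytes(b"planted")
        tampered = verify_restore(root, manifest, sig, key)
        # An intruder who edits the manifest to match the altered file cannot re-sign it.
        forged = dict(manifest)
        forged["designs/bracket.dxf"] = hashlib.sha256(b"altered").hexdigest()
        forged_result = verify_restore(root, forged, sig, key)
    return {"clean": clean, "tampered": tampered, "forged_manifest": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")
```

Run the manifest build right after each backup job and keep the signature with the key, not with the data; at restore time an empty problem list is the go-ahead, and a signature failure means the manifest itself was touched.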
Encrypt Your Data
Data encryption ensures that even if an attacker gains access to your information, they won’t be able to understand it and cannot usefully share it with anyone. It is crucial, though, that the decryption key stays private and highly protected.
Utilize A Zero-Trust Network
A zero-trust network is truly the only way to be secure. This kind of system runs on the assumption that the minute you start believing that you’re secure, you have a security gap. With more remote work and devices than ever, your protection should be baked into each piece of data, not just into your network or devices. Zero-trust means that even if the attackers get into your secured network, they don’t instantly have access to individual files. Building this wall around each file is an incredibly trusted ransomware attack prevention strategy.
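The two preceding sections, encryption and per-file zero-trust protection, come together when each file is encrypted under its own key and the master key that derives those keys is held outside the file store. The following is an added example, not code from the original article or any particular product. It uses only the Python standard library: HMAC-SHA256 in counter mode as the keystream and a separate HMAC-SHA256 tag for integrity (encrypt-then-MAC). That is a sound construction, but it is here to show the key separation; a production system should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library. The file identifier and CAD contents in `demo()` are constructed sample values.

```python
"""Per-file encryption with the master key held off the file store.

Added example, not from the original article. Illustrative construction:
HMAC-SHA256 counter-mode keystream + HMAC-SHA256 tag (encrypt-then-MAC).
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_file_keys(master_key: bytes, file_id: str) -> Tuple[bytes, bytes]:
    """Derive a distinct (encryption, MAC) key pair per file.

    Only file_id is stored with the data; the master key stays in a KMS/HSM
    (assumption), so copying the file share yields ciphertext and nothing else.
    """
    base = hmac.new(master_key, b"file:" + file_id.encode(), hashlib.sha256).digest()
    enc_key = hmac.new(base, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(base, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenate HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(master_key: bytes, file_id: str, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh nonce per call keeps keystreams unique."""
    enc_key, mac_key = derive_file_keys(master_key, file_id)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, file_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_file(master_key: bytes, file_id: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key or file_id is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_file_keys(master_key, file_id)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, file_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Encrypt a constructed CAD file, then check what a copied blob gives an intruder."""
    master = secrets.token_bytes(32)  # assumption: lives in a KMS/HSM, never on the file server
    file_id = "designs/bracket.step"  # constructed identifier
    design = b"CAD: bracket rev 4, tolerance 0.05mm"  # constructed content
    blob = encrypt_file(master, file_id, design)
    flipped = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]  # one ciphertext byte altered
    return {
        "plaintext_visible_in_blob": design in blob,
        "decrypts_with_master": decrypt_file(master, file_id, blob) == design,
        "wrong_key_rejected": decrypt_file(secrets.token_bytes(32), file_id, blob) is None,
        "wrong_file_id_rejected": decrypt_file(master, "designs/other.step", blob) is None,
        "tamper_rejected": decrypt_file(master, file_id, flipped) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The checks in `demo()` are the zero-trust property in miniature: being on the network, or even holding a full copy of the file store, grants nothing without the master key, and every access is an explicit, verified decryption rather than an implicit read.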
Triple extortion ransomware is evolving every day. It’s imperative to stay vigilant and educated on this topic now more than ever. Learn more about ransomware today.