EXECUTIVE SUMMARY:

This ransomware ruse could result in double the danger and double the fees. Dozens of organizations have already seen damage. With this attack type, ransomware gangs can encrypt a target’s data twice, at the exact same time. Here’s what to know…

What is double encryption?

Double encryption can refer to a protective security method, involving multiple layers of data security. Alternatively, double encryption can refer to a type of ransomware attack scheme.

This is not the first time that we’re seeing double encryption ransomware attacks. They have popped up in the past. In the majority of cases, separate ransomware gangs managed to compromise and encrypt the exact same data at the exact same time. The double encryption effect was a coincidence. However, new campaigns involve intentional layering of ransomware, leading to double file encryption.

Double encryption, ransomware

“The [ransomware] groups are constantly trying to work out which strategies are best, which net them the most money for the least amount of effort,” says expert Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not actually decrypted at all.”

Targeted organizations may receive two ransom messages that describe the attack. Other hackers send only one ransom note, leaving targets to discover the second layer of encryption after providing payment to remove the first layer.

In standard ransomware cases, recovery can present significant challenges. The double encryption tactic means even more of a tangle for IT and cyber security professionals.

Two distinct tactics characterize these double extortion attempts:

  • Encryption with the first strain of ransomware and then re-encryption with the second strain of ransomware.
  • Encryption where half of an organization’s systems are locked up with “Ransomware A”, while the other half are ensnared in “Ransomware B”.

Revenue sharing model

Ransomware groups often leverage a revenue-sharing scheme. For example, one group may build and maintain a strain of ransomware that it sells to other attackers. Double encryption permits attackers to negotiate profit splitting with multiple gangs, ultimately heightening the attackers’ cash flow.

Paying digital ransoms

Should organizations pay ransoms? Check out Cyber Talk’s past coverage of this issue.

No matter how you slice it, paying a ransom comes with risk. Organizations that opt to pay for decryption should recall that hackers are not guaranteed to provide decryption keys.

The risk associated with ransom payments increases with double encryption. Victims ultimately pay two ransomware fees. As a result, there’s twice the chance that hackers could disappear and leave files encrypted.

Avoiding double encryption

  • Ensure that your organization maintains backups
  • Be sure to test out your ability to restore files from backups
  • Follow CISA’s recommendations regarding backup best practices.

Double encryption, national security threat

In the US, ransomware has recently been classified as a national security threat. Double encryption (double extortion) schemes could complicate ransomware prevention and remediation efforts. For more on America’s ransomware prevention initiatives, click here.

Double encryption backfires

​Could double encryption attacks backfire? Double encryption could render targets unwilling to pay extortion fees. Paying two $500,000 ransomware fees is more expensive than simply paying one. As a result, hackers may choose to reconsider the double encryption scheme.

For more on what a ransomware encryption attack could look like, visit WIRED.