
The New Ransomware Trend of Double Encryption

by CISOCONNECT Bureau

In today’s ever-changing world, one thing is certain: ransomware attacks have turned into a lucrative business. Attack patterns are always changing, which brings us to today’s topic: double encryption.

About Double Encryption
A defensive security solution incorporating multiple layers of data security is referred to as double encryption. Double encryption can also refer to a specific form of ransomware attack.

This isn’t the first time ransomware with two layers of encryption has been seen. According to security firm Emsisoft, in the vast majority of those past cases separate ransomware groups happened to compromise and encrypt the very same data, and the double encryption effect was purely coincidental. New campaigns, on the other hand, layer ransomware on top of ransomware, resulting in double file encryption.

Two ransom notes describing the attack may be sent to the targeted organisations. Other hackers just send a single ransom note, leaving recipients to figure out how to decrypt the second layer of encryption after paying to decrypt the first.

Nightmare Scenario
Recovery in normal ransomware scenarios can be quite difficult. For IT and cyber security specialists, the double encryption strategy adds more to the confusion. This also ensures that threat actors will have a better chance of obtaining ransoms. Furthermore, deploying many ransomware strains increases the likelihood of success.

It isn’t particularly beneficial to pay. Recovery is difficult even with decryptors given by the threat actors. There is a significant risk of data corruption while using single encryption. In the event of double encryption, the risk is multiplied by two.

Decryption is a time-consuming process that necessitates manual involvement. As a result, incident responders are forced to switch between a variety of poorly coded tools.

The Concept
The hackers can go one of two ways. In the first, they encrypt the data with ransomware A, then re-encrypt it with ransomware B.

The second method is what Emsisoft refers to as a “parallel encryption” attack, in which ransomware A encrypts part of an organization’s systems while ransomware B encrypts others. The data is only encrypted once in this case, but a victim would need both decryption keys to decrypt everything.

In this parallel scenario, attackers take pains to make the two ransomware strains look as similar as possible, which makes it harder for programs to flag the incidents, according to the researchers.

This is unique in that it contributes to the “business model” of cybercriminals who work with gangs and use a revenue sharing mechanism. For a long time they have run a scheme in which they rent out the infrastructure for carrying out attacks to other attackers who conduct more targeted attacks; this is how they divide the extortion revenues.
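The layered and parallel patterns described above can be told apart during incident triage from a file inventory. The following is an added example, not code from Emsisoft or from this article; it assumes each strain appends its own extension (something the article notes attackers try to blur), and the markers, host names and paths are all constructed.

```python
from collections import defaultdict

# Assumption: each strain appends its own extension. These two markers and all
# host names and paths below are constructed for illustration.
MARKERS = {".strain_a": "A", ".strain_b": "B"}

def layers(path):
    """Strains found on a file, outermost first (the order to decrypt in)."""
    found = []
    while True:
        for ext, strain in MARKERS.items():
            if path.endswith(ext):
                found.append(strain)
                path = path[:-len(ext)]
                break
        else:
            return found

def triage(inventory):
    """Map each host to the decryption stacks seen on it and the keys it needs."""
    stacks = defaultdict(set)
    for host, path in inventory:
        stacks[host].add(tuple(layers(path)))
    return {
        host: {"stacks": sorted(s for s in seen if s),
               "keys": sorted({k for s in seen for k in s})}
        for host, seen in stacks.items()
    }

def classify(report):
    """Label the incident using the two patterns the article describes."""
    keys = {k for r in report.values() for k in r["keys"]}
    if any(len(s) > 1 for r in report.values() for s in r["stacks"]):
        return "layered"      # A then B on the same files: undo B first, then A
    if len(keys) > 1:
        return "parallel"     # each file encrypted once, but both keys needed
    return "single" if keys else "clean"

LAYERED = [("fs01", "/share/q1.xlsx.strain_a.strain_b"),
           ("fs01", "/share/notes.txt.strain_a.strain_b")]
PARALLEL = [("db02", "/data/orders.bak.strain_a"),
            ("hr03", "/home/cv.pdf.strain_b"),
            ("web04", "/var/www/index.html")]

if __name__ == "__main__":
    for name, inv in (("layered", LAYERED), ("parallel", PARALLEL)):
        report = triage(inv)
        print(name, classify(report), report)
```
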

Recommendations of Security Experts
Security experts generally advise against paying ransoms since it does not guarantee that the information will be released, and it also supports the infrastructure of digital extortion by ransomware indirectly. The issue arises when confidential or sensitive information is threatened, as was the case with the migratory hack in September of last year.

Security experts encourage having backups in general because the double encryption has no effect on the overall norm of maintaining backups.

An organization can opt to rebuild its data from backups, provided the data was backed up properly. In that case, decrypting the old data is no longer necessary. Thus, enterprises must preserve a backup of all data in order to quickly recover from a double encryption ransomware attack.

This may be one of the most recent trends in the ransomware landscape, but it is far from the last. As a result, businesses must adopt effective defensive tactics.
