“Double Encryption” Attacks (2021-05-18): Computer security companies are detecting a new form of attack by cybercriminals using ransomware, the malware that locks up information and demands payment. Even after the victim pays the ransom, the data stays encrypted, and a second payment is demanded.

Double encryption is not new, but until now it had a peculiarity: two different ransomware gangs attacked the same victim. It has now been found that the same gang can attack “twice”.

“Scenario: You paid the ransom, got the decryption tool from whoever threatened you and used it to get your files back … only to find that some or all of them are still encrypted. This is precisely the situation in which some companies find themselves,” as explained by Emsisoft, a specialist in computer security.

“The groups are constantly trying to determine which strategies are the best, what brings them the most money for the least amount of effort,” explained Emsisoft threat analyst Brett Callow.

“In this approach, there is a single actor that deploys two types of ransomware. The victim decrypts their data and discovers that it is not actually decrypted at all,” he warns, explaining that they have to pay again.

Some victims receive two ransom notes at the same time, Callow explains. This means that the cybercriminals want their victims to know about the double encryption attack.

The problem is that in most cases victims see only one ransom note and find out about the second layer of encryption only after they have paid to remove the first one.

“Even in a standard single-encryption ransomware case, recovery is often a nightmare,” says Callow. “But we’re seeing this double-encryption tactic often enough to feel like it’s something organizations need to be aware of when considering their response.”

The two tactics they use

Photo caption: Two weeks ago an oil pipeline in the United States was hacked, and the issue reached Biden. Reuters photo.

There are two ways to proceed. In the first, the attackers encrypt the data with ransomware A and then re-encrypt it with ransomware B, so the victim must pay for, and run, two decryptors in the right order.

The other path involves what Emsisoft calls a “parallel encryption” attack, in which the attackers hit some of an organization’s systems with ransomware A and others with ransomware B. In that case, each file is encrypted only once, but the victim needs both decryption keys to unlock everything.

The researchers also note that in this parallel scenario, attackers take steps to make the two different strains of ransomware look as similar as possible, making it harder for incident responders to detect what is happening.
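A defender-side check for the double-encryption case described above, added here as an example and not code from Emsisoft or the article: after the first decryptor has run, files that still have no recognizable header and a near-random byte distribution are flagged as probably carrying a second layer. The file paths and “ciphertext” are constructed sample data.

```python
import math
import random
from collections import Counter

# Magic bytes of a few common formats (real values). A file that starts with
# one of these has a recognizable header and is treated as fully decrypted.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\xd0\xcf\x11\xe0")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_still_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """After decryptor A has run, a file with no known header and a near-uniform
    byte distribution most likely still carries ransomware B's layer."""
    if data.startswith(KNOWN_MAGIC):
        return False
    # Caveat: compressed formats not listed in KNOWN_MAGIC also score high,
    # so flagged files should be opened by hand before concluding anything.
    return shannon_entropy(data[:4096]) > threshold


def audit_after_decryption(files: dict) -> list:
    """files maps a path to its leading bytes; returns paths that still look encrypted."""
    return sorted(path for path, data in files.items() if looks_still_encrypted(data))


# Constructed sample corpus (hypothetical paths). The "ciphertext" is seeded
# pseudo-random bytes standing in for ransomware B's output.
_rng = random.Random(2021)
_fake_layer_b = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_FILES = {
    "invoices/q1.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 120,
    "notes/readme.txt": b"Restored after running decryptor A.\n" * 100,
    "hr/contracts.docx": _fake_layer_b,                       # still opaque after A
    "finance/ledger.xlsx": b"PK\x03\x04" + _fake_layer_b[4:],  # zip container, fine
}

if __name__ == "__main__":
    for path in audit_after_decryption(SAMPLE_FILES):
        print("still encrypted:", path)
```

Running the audit over a restored share right after decryptor A finishes, and before any ransom decision is made, turns “some files still won’t open” into a concrete list of affected paths.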

This is novel because it also fits the “business model” of cybercriminals who operate in gangs and use a revenue-sharing system.

For a long time they have applied a system in which they rent out the attack infrastructure to other attackers, who carry out the specific intrusions; this is how they split the profits from extortion.

In general, experts always advise against paying ransoms, since payment does not guarantee that the information will be returned and it indirectly funds the infrastructure of digital extortion by ransomware.

They also recommend keeping backups, since double encryption does not change the general rule of having a backup copy of the information.

The problem arises when the attackers threaten to leak confidential or sensitive information, as happened with the migration agency hack in September of last year.

