Double-Encrypting Ransomware
This seems to be a new tactic:
Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a “side-by-side encryption” attack, in which attackers encrypt some of an organization’s systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but a victim would need both decryption keys to unlock everything. The researchers also note that in this side-by-side scenario, attackers take steps to make the two distinct strains of ransomware look as similar as possible, so it’s more difficult for incident responders to sort out what’s going on.
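The triage problem both tactics create for an incident responder is the same: knowing which strains touched which files, which keys are still missing, and, after a decryptor runs, whether the output is actually plaintext or merely the next layer of ciphertext. The following is an added example, not code from the post or from Emsisoft; the strain names "A" and "B", the extensions ".locka"/".lockb", the keys and the sample files are all constructed placeholders, and a hash-counter XOR keystream stands in for each strain's cipher purely to simulate layered encryption. It covers both cases described above: peeling a double-encrypted file layer by layer with an entropy check after each step, and a per-host inventory that tells you which keys a side-by-side incident requires.

```python
import hashlib
import math
from collections import Counter

# Hypothetical strain markers used only in this example (not real ransomware families).
STRAIN_EXT = {"A": ".locka", "B": ".lockb"}
ENTROPY_THRESHOLD = 6.0  # bits/byte; text is ~4-5, output of a sound cipher is close to 8


def keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream; stands in for a strain's cipher in this simulation."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(data: bytes, key: bytes) -> bytes:
    """Apply (or remove, since XOR is symmetric) one encryption layer.
    Real ciphers do not commute like XOR does, which is why layer order matters below."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; used to judge whether peeling a layer exposed plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def layers_from_name(name: str) -> list:
    """Strains inferred from stacked extensions, in the order applied (innermost first)."""
    found = []
    stripped = True
    while stripped:
        stripped = False
        for strain, ext in STRAIN_EXT.items():
            if name.endswith(ext):
                found.append(strain)
                name = name[: -len(ext)]
                stripped = True
                break
    return list(reversed(found))


def peel_layers(name: str, data: bytes, keys: dict) -> dict:
    """Remove layers outermost-first with the keys we hold, checking entropy at the end.

    Returns which strains were peeled, whether plaintext was reached, and what still
    blocks recovery: a strain whose key is missing, or a layer the filename did not reveal
    (the case where a second strain was dressed up to look like the first).
    """
    order = layers_from_name(name)
    peeled = []
    for strain in reversed(order):  # outer layer first
        if strain not in keys:
            return {"peeled": peeled, "recovered": False, "blocked_by": strain}
        data = xor_layer(data, keys[strain])
        peeled.append(strain)
    recovered = shannon_entropy(data) < ENTROPY_THRESHOLD
    return {"peeled": peeled, "recovered": recovered,
            "blocked_by": None if recovered else "unknown extra layer"}


def keys_needed(inventory: dict) -> dict:
    """Side-by-side triage: for each host, the sorted set of strains whose keys are required."""
    return {host: sorted({s for f in files for s in layers_from_name(f)})
            for host, files in inventory.items()}


# --- constructed sample data -------------------------------------------------
KEY_A, KEY_B = b"key-for-strain-A", b"key-for-strain-B"
PLAINTEXT = b"Quarterly revenue summary; figures in thousands. " * 16


def make_samples() -> dict:
    """Files as a responder might find them on disk (constructed for this example)."""
    once = xor_layer(PLAINTEXT, KEY_A)
    twice = xor_layer(once, KEY_B)  # double encryption: A first, then B on top
    return {
        "report.docx.locka": once,            # single layer, honestly labelled
        "ledger.xlsx.locka.lockb": twice,     # both layers visible in the name
        "memo.txt.locka": twice,              # second strain hides behind the first's extension
    }


if __name__ == "__main__":
    samples = make_samples()
    for fname, blob in samples.items():
        print(fname, peel_layers(fname, blob, {"A": KEY_A}))
    print(keys_needed({"fileserver": ["a.docx.locka"], "dc01": ["b.xlsx.lockb", "c.txt.locka"]}))
```

The check worth carrying into a real incident is the last one in `peel_layers`: a decryptor that "succeeds" without error can still hand back ciphertext, so validate the output (entropy, file magic, or opening the document) before declaring a host recovered, and keep the per-host strain inventory so that the second key is negotiated or obtained before the restore window closes.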
Clive Robinson • May 21, 2021 10:48 AM
@ ALL,
Firstly, as crime is driven by humans, it tends to follow an evolutionary pattern, so change was expected and has been seen several times with ransomware over the past year and a half:
1, Move from individuals to organisations.
2, Move to attacking organisations with individuals' information, such that exfiltration allows two attacks: the basic ransomware on the organisation, then the doxing form of blackmail on individuals.
And a couple of other evolutionary changes as well.
What is not being obviously seen is the way money is being collected. In the past it was done by third parties acting on behalf of those that got their files encrypted, so the payment was a “double tap of deniability” where you paid a recovery house who then paid the ransom on your behalf, pretending they had found some way to find the recovery key. Thus giving people their files back but with the deniability of paying the ransom, which avoids certain jurisdictional legal issues.
This change suggests that the ransomware people want to “cut out the middle man” to get more of the money.
But there are also technical issues: you can rent ransomware software, thus more than one attack group may pick on the same entity at or near the same time. Thus “toe-treading” might well have become an issue, thus there may be an element of arbitrage going on in the background.
As always, “more details required” to be more specific on what is actually going on.