Back in December 2020, we published the first part of our Expert Explanation on double extortion titled, ‘Double Extortion – Ransomware at Another Level’ and discussed the term ‘Double Extortion’ and what it meant.  To refresh your memory, attacks using ‘Double Extortion’ target companies by hacking their infrastructure and systems, extracting their files (to use as leverage), then encrypting their network and/or devices before demanding a ransom in cryptocurrency.  Like most ramsons, if it is not paid, the criminals, or in this case the cybercriminals wreak their havoc and leak the data to the public.

Like all ‘good’ cybercrime, it seems double extortion is being stepped up.  A new trend has emerged where hackers are now calling their victims after a ransomware attack. As if a plain old Double Extortion wasn’t enough, criminals are now going the extra-mile and cold-calling the victims who have not paid the ransomware fee.  They do this as soon as they realise that those companies are trying to recover the lost data through a backup.

On the 10th December 2020, the US Federal Bureau of Investigation (FBI) Cyber Division, sent out a PIN Alert (Private Industry Notification), advising of incidents where attacks using the DoppelPaymer ransomware were being followed up by ransomware gangs who were cold-calling companies in order to intimidate and coerce victims into paying their ransom demands.

The reason behind the why the FBI send out these PIN Alerts, is to provide data to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors.  So if you receive a PIN Alert from the FBI chances are you should take it very seriously.

Below is an example from the FBI PIN Alert:

“Doppelpaymer is one of the first ransomware variants where actors have called the victims to entice payments. As of February 2020, in multiple instances, DoppelPaymer actors had followed ransomware infections with calls to the victims to extort payments through intimidation or threatening to release exfiltrated data.”

The FBI alert also provides an example of an incident where the ransomware gang intensified their threats by bring company employees and their relatives into the mix.  For example:

“In one case an actor, using a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom. During subsequent telephone calls to the same business, the actor threatened to send an individual to the home of an employee and provided the employee’s home address. The actor also called several of the employee’s relatives.”

Now it’s one thing to get an email or have a ransomware message pop-up on your computer from an anonymous attacker, but it’s a whole different ball game if the extortionist knows where you live and how to contact your family.  It’s important to note that, while a ransomware gang may be quite happy to publish files they’ve stolen from your network, it’s unlikely they would follow through with physical threats.

The FBI advises victims not to pay ransoms to criminal actors, as this only encourages more attacks in the future. They urge organisations to report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3), even if they have decided to pay the ransom. They recommend that businesses create secure backups and regularly monitor their systems for data breaches.

In a related article, Technology experts, ZDNet shared a redacted transcript of a recorded phone call made on behalf of the Maze ransomware gang, and posted the spiel the hackers used when calling their victims.

“We are aware of a 3rd party IT company working on your network. We continue to monitor and know that you are installing SentinelOne antivirus on all your computers. But you should know that it will not help. If you want to stop wasting your time and recover your data this week, we recommend that you discuss this situation with us in the chat or the problems with your network will never end.”

It is believed that various ransomware gangs, such as Sekhmet (now obsolete), Maze (now obsolete), Conti, and Ryuk, are all using the same outsourced call centre (a kind of ‘Extortion-as-a-Service’ facility) to make calls on their behalf, since the calls have similar content across multiple attacks.  The callers will more than not have non local accents indicating they are calling from an international location.

These gangs are just some of many ransomware gangs that operate “leak sites” where they publish data stolen from companies, as a form of punishment for refusing to pay the ransom.

At FraudWatch International, our Dark Web analysts, came across a similar incident, where criminal groups call companies in order to notify them that their network has been compromised. Galstan & Ward Family and Cosmetic Dentistry (a dental clinic in Georgia, US), was hit by a ransomware attack between the 31^st August and 1^st September 2020.  They only became aware of the issue, after the hackers called them to notify them of the intrusion into their network. Files were found on the Dark Web, but apparently no patients’ data was breached.