Double Encryption – A Pain in the Side of Your Ransomware Recovery Efforts


Ransomware actors are intent on complicating the recovery process for victims so that they’ll be more inclined to pay. Double extortion is an example of this in action. Backups can’t reverse data theft, after all. Ransomware actors can therefore use double extortion to create even more pressure for victims—even those with data backups—to pay the ransom. They can also leverage the technique to demand two ransoms, one for a decryption utility and the other for the deletion of the victim’s stolen data.

Even so, double extortion isn’t the only tactic by which ransomware actors are attempting to complicate victims’ recovery efforts. Some attackers are using an even more recent tactic called “double encryption.” Let’s investigate how this practice works below.

The Inner Workings of Double Encryption

First covered in May 2021, double encryption is where ransomware affiliates choose to encrypt a victim’s data using two different strains of ransomware. Instances of double encryption generally take one of two forms. In layered encryption, malicious actors encrypt a victim’s data using the first strain and then encrypt all of that same, already-encrypted data with the second ransomware. By contrast, side-by-side encryption deploys two ransomware strains at the same time to encrypt different systems and data.

“The groups are constantly trying to work out which strategies are best, which net them the most money for the least amount of effort,” noted Emsisoft threat analyst Brett Callow. “So, in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not actually decrypted at all.”

Double encryption isn’t a theoretical tactic. On the contrary, Emsisoft noted that it’s seen instances of affiliates encrypting victims’ data using both REvil and Netwalker. The security firm also came across some cases where attackers used the MedusaLocker and GlobeImposter ransomware strains in tandem.

The Impact of Double Encryption

Double encryption injects another layer of encryption into a ransomware attack, as noted by Emsisoft, sometimes complicating organizations’ recovery efforts. This is especially true of side-by-side encryption, because some malicious actors configure both strains to append the same extension to encrypted files, so the extension no longer reveals which strain encrypted a given file. In scenarios where a victim decides to pay, they might therefore need to apply the decryption utilities provided to them on a trial-and-error basis.
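To make the two forms of double encryption and the trial-and-error decryption concrete, here is an added Python model; it is not code from the original article or from Emsisoft, and it reproduces no real ransomware family's format. The two strains, their keys, the toy SHA-256 keystream cipher, the trailer tags each decryptor insists on, and the PDF-like sample file are all constructed assumptions. The recovery routine shows why order matters for layered encryption and why having only one of the two decryptors leaves the data "not actually decrypted at all".

```python
import hashlib
import itertools
from typing import Callable, Dict, List, Optional, Tuple

Decryptor = Callable[[bytes], bytes]


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: a SHA-256 counter-mode keystream XORed over data.
    A stand-in for a strain's file cipher, not any real family's scheme."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class ToyStrain:
    """Hypothetical ransomware strain. It encrypts with its own key and appends a
    trailer tag that its decryptor requires, mimicking a real decryption utility
    that refuses files it does not recognise."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key
        self.tag = b"<" + name.encode() + b">"

    def encrypt(self, data: bytes) -> bytes:
        return _keystream_xor(self.key, data) + self.tag

    def decrypt(self, data: bytes) -> bytes:
        if not data.endswith(self.tag):
            raise ValueError(f"{self.name} decryptor: unrecognised input")
        return _keystream_xor(self.key, data[: -len(self.tag)])


def layered_encrypt(plaintext: bytes, strains: List[ToyStrain]) -> bytes:
    """Layered double encryption: each strain encrypts the previous output."""
    data = plaintext
    for strain in strains:
        data = strain.encrypt(data)
    return data


def side_by_side_encrypt(files: Dict[str, bytes],
                         assignment: Dict[str, ToyStrain],
                         ext: str = ".locked") -> Dict[str, bytes]:
    """Side-by-side double encryption: different files hit by different strains,
    all given the same extension so the name does not reveal the strain."""
    return {name + ext: assignment[name].encrypt(data) for name, data in files.items()}


def recover(ciphertext: bytes, decryptors: Dict[str, Decryptor],
            expected_magic: bytes) -> Optional[Tuple[List[str], bytes]]:
    """Trial-and-error recovery: try every ordering of the available decryptors
    and accept the first output that carries the expected file header."""
    for n in range(1, len(decryptors) + 1):
        for order in itertools.permutations(decryptors, n):
            data = ciphertext
            try:
                for name in order:
                    data = decryptors[name](data)
            except ValueError:
                continue  # this decryptor does not recognise the current layer
            if data.startswith(expected_magic):
                return list(order), data
    return None  # nothing in hand fully decrypts this file


# Constructed sample data: a PDF-like file and two hypothetical strains.
PDF_MAGIC = b"%PDF-"
SAMPLE = PDF_MAGIC + b"1.7 constructed sample document body"
STRAIN_A = ToyStrain("strainA", b"constructed-key-A")
STRAIN_B = ToyStrain("strainB", b"constructed-key-B")


def demo() -> dict:
    """Layered case: strain A first, then strain B over A's output."""
    doubly = layered_encrypt(SAMPLE, [STRAIN_A, STRAIN_B])
    both = {"strainA": STRAIN_A.decrypt, "strainB": STRAIN_B.decrypt}
    full = recover(doubly, both, PDF_MAGIC)
    # Paying for only one decryptor: the outer layer comes off, the file stays unusable.
    only_b = recover(doubly, {"strainB": STRAIN_B.decrypt}, PDF_MAGIC)
    return {
        "order": full[0] if full else None,            # ['strainB', 'strainA']
        "plaintext_ok": bool(full and full[1] == SAMPLE),
        "one_decryptor_suffices": only_b is not None,  # False
    }


if __name__ == "__main__":
    print(demo())
```

Note that `recover` must undo the layers in reverse order of encryption: strain A's decryptor rejects the doubly encrypted file because strain B's trailer is on the outside, and a victim holding only strain B's decryptor gets back strain A's ciphertext, not the document.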

Restoring from backups doesn’t require any more effort in an instance of double encryption than in a traditional ransomware attack, however.

“Remediating from backups is a long complex process, but double encryption doesn’t complicate it further,” Callow says. “If you decide to rebuild from backups,you're starting fresh, so it doesn't matter how many times the old data has been encrypted.”

The consequences of double encryption go beyond just complicating victims’ recovery efforts. As noted by Emsisoft, affiliates can use double encryption to increase their payouts by demanding ransom payments in connection with both ransomware strains. They can also leverage double encryption to compensate for instances where one ransomware strain doesn’t successfully deploy, as well as to investigate which ransomware variant results in higher ransom payments—knowledge which they can use to stage future attack campaigns.

How to Defend Against Ransomware Actors Using Double Encryption

One of the best ways that organizations can shield themselves from instances of double encryption is to prevent a ransomware infection from occurring in the first place. One of the ways they can do that is by strengthening their email security posture. Towards that end, organizations can invest in an email security solution that’s capable of scanning their incoming email messages for campaign patterns and other threat indicators in real time, blocking malicious messages while allowing legitimate correspondence to reach its intended destination. Organizations can also audit their networks, software, and email environments for vulnerabilities and remediate any potential security issues they find.