WOOF! Newsletter

August 13, 2020

2020’s Ransomware Attacks, Now with Data Theft

Just when you thought ransomware attacks couldn’t get any more insidious…now they blackmail you with your own data, take payment, and expose it anyway.


Here's some more bad news to add to the 2020 pile – ransomware is getting worse.

Ransomware attacks are up 20% from 2019.  The SonicWall Cyber Threat Report claims a record number of 187 million attacks last year, and we’re on track to beat that so far.

We don’t want your 2020 to get any worse, so please read on. Newer ransomware strains have added a secondary theft tactic that everyone should understand.

The new ransomware steals data off the computer while encrypting it, sending it to an off-site server. If you don’t pay up (and sometimes even if you do), they publish or auction off the data to other cybercriminals. The ransomware can even destroy all local backups – sabotaging your efforts at recovery.

We call this "Double Jeopardy," and it's what we're discussing in this WOOF.


How a "Double Jeopardy" Ransomware Attack Works

The typical ransomware attack goes like this:

  1. An employee clicks a link in a phishing email.
  2. Ransomware loads off the webpage that link went to.
  3. Ransomware infects the computer, encrypts the data it finds there, and displays the "Your computer has been encrypted" message screen.  Then it moves on to encrypt your entire network. Then it deletes all backups it finds on-site.
  4. You can either try to clean the ransomware off with special software, restore from backups, or pay the ransom to get a decryption key. Decryption is NOT guaranteed – less than 1/3 of organizations who paid in 2018 got their data back.

The "double jeopardy" comes in the middle of this process (during Step 3 above). The ransomware not only locks up the computer, but also steals data off of it and sends the data to off-site servers.

You don't know where those servers are, or what data they stole. Even if you restore from backups (if those are still viable) and get the computers back online (takes about 4 hours per machine), the stolen data's still out there.

Didn't pay the ransom? You run the risk of the data being sold on the Dark Web, leaked to competitors, sent to stock exchanges, or used in direct attacks. Bad stuff. Crippling for almost any business.

Information sources about this new behavior: KnowBe4, Trend Micro


Why Cybercriminals Added Data Theft to the Ransomware Toolbox

Why did the ransomware developers do this?  If a business doesn't have any money on hand, ransomware has fewer chances of getting money out of them. Like some twisted parody of "adapt and survive," cybercriminals have created a secondary moneymaking scheme in response.


5 Ransomware Strains with a "Double Jeopardy" Built In

Not all ransomware apps, or "Strains," contain data-theft coding within them. At time of writing (August 2020), we've seen the following strains doing this.



Maze pioneered the Double Jeopardy approach. Sometime in 2019 the ransomware began siphoning data out of victims' networks to use as leverage.

In April 2020 Maze hit Cognizant, a big IT provider in Texas. (This is one of the organizations pumping H-1Bs into America, by the way.) The attack caused between $50 million and $70 million in damage.

Source: TripWire



Ryuk is the favored ransomware of one gang called "Wizard Spider." It primarily targets enterprise companies, but they have gone after smaller organizations as well.

Ryuk demands payment in BTC (Bitcoin), anywhere from 1.7 BTC to 99 BTC (over $3 million!). In March 2020 it attacked Finastra, a financial technology firm. They were able to recover without paying the ransom, through backups and a temporary service shutdown.

Sources: CrowdStrike, Krebs on Security



Thanos is outright nasty. It tries to block any other response…except for paying the ransom.

  1. It disables third-party backup processes if detected – including the process to send backups into the cloud!
  2. It can affect older computers as well, like those still running Windows 7/8.
  3. Continuous evolution; someone keeps refining Thanos.
  4. It can lock you out of your own user account.
  5. It even encrypts connected drives—like external hard drives you may use for backups.

Sources: Sentinel One, KnowBe4



Netwalker exploits COVID-19 fear/sympathy in its attacks. It has hit municipalities, universities, and healthcare organizations. Like Maze, Netwalker threatens to publish stolen data on the Web, unless you pay up.

Sources: TripWire 1, TripWire 2



So far REvil has hit businesses and ISPs of varying sizes. REvil also acts similarly to Maze: It encrypts your data & demands a ransom, even providing proof of the data it’s stolen to use as blackmail.

REvil's creators backed up their threats and auctioned off victims' data to other cybercriminals in June 2020.

Source: Krebs on Security


4 "Don'ts" for Dealing with Double-Jeopardy Ransomware

  1. DON'T think you’re protected if you keep your backups on the same server, or on external hard drives.  As you read above, ransomware can get in and delete those backups!

  2. DON'T pay the ransom if you can possibly help it.

  3. DON'T assume that if you pay the ransom, you'll get your data back & everything will be fine. There's no guarantee you'll get your data back at all.

    Even if you do pay, ransomware can corrupt data in the encryption/decryption process. 90% of virtual machines encrypted don't come back. We've seen 25% data retrieval on employee devices…and that's AFTER a payout.

  4. Above all, DON'T assume you're too small to become a target. Some ransomware attacks start with a spray of malware-filled emails by the millions. One could easily land in your inbox.

    Other attacks start with random scans for Internet-facing ports...like the ports on your servers. Nine out of ten times we're called for a server infection, the ransomware got in through Remote Desktop Services – often left unsecured by negligent IT professionals.

The common thread? It doesn't matter how big or small the company. If it has email addresses and uses the Internet, it's fair game to a ransomware attack.


How to Prevent Ransomware Attacks (Normal and Double Jeopardy) from Happening in the First Place

Prevention is still the best cure for ransomware. Use these 7 tactics to help keep it away from your devices.

  1. Change passwords regularly.

    Password changes make it harder for cybercriminals to steal and sell your credentials. KnowBe4 recently found a black market with 15 billion user credentials for sale. A pair of working credentials (login & password) averaged under $100.

    Chances are the credentials from someone in your company are on the list. If you change your password, these credentials become worthless.


  2. Keep secure cloud backups in two locations, with versioning, for all workstations & servers.

    We beat on this drum a lot because it’s simply not optional anymore. In the event of an attack, if you do have cloud backups, you are up and “whole” in a day or two.  Without cloud backups, rebuilding your network could take a few days to a week (depending on its complexity)…but you may suffer total data loss.


  3. Test your cloud backups.

    Perform a backup test restore at least quarterly. Testing monthly is even better.  Why?  So you're sure the backups will restore properly when needed.  Knowing you have regularly tested and valid backups provides peace of mind for business owners.


  4. Train your employees on how to recognize & avoid ransomware attacks.

    Sixty percent of the time, the cyberattacks get in through employee actions responding to phishing emails. It's not malicious; the employees don't recognize it as an attack. The linked report says 58% of survey respondents have seen an INCREASE in phishing attacks this year—which means cybercriminals know where the 'weak spot' is.

    Training helps everyone spot the signs before they click a link. It's a low-cost way to avoid a lockout/blackmail attempt.  Our Cybersecurity Kung Fu for Today’s Computer User program covers the necessary training.


  5. Implement email filtration.

    If you use Office 365 or a hosted Exchange Server for your email, set up email filters. Filters keep the ransomware emails from ever reaching employee inboxes. We use modusCloud to do this.


  6. Deploy endpoint protection.

    This is software that uses behavior algorithms to determine whether any traffic – like a website request or an incoming email – behaves like malware. If it does, the endpoint protection quarantines it before it ever gets to a computer/phone/tablet. It's a more sophisticated protection mechanism. We use the Sentinel One AI platform.


  7. Perform regular network vulnerability scans.

    Have a professional IT firm that deals with security perform a network vulnerability scan on your network (including all devices connected to it). They'll recommend a roadmap for limiting cyberattack risks. It will pay for itself.


The Best Defense Against Ransomware Attacks: Assume You're a Target and Act Accordingly

Cybercriminals don’t discriminate. They target small businesses a lot. We helped two small companies with ransomware attacks in the past 30 days. The business damage and disruption were heartbreaking.

Avoiding this scenario is as simple as having PlanetMagpie set up and maintain your cloud backups & email filtration, review your endpoint protection, and schedule regular network scans. All preventative. All effective. All affordable.


To start building a ransomware defense, visit our Cybersecurity page.