Managing Cybersecurity Risk for Small Government Agencies: Double Extortion Explained

Cybercriminals are increasingly targeting small public administration offices instead of large, federal-level targets.

High-profile ransomware attacks made international headlines during the COVID-19 pandemic.

Cybercriminals abused the worldwide shift to remote work, extracting enormous payoffs from unprepared victims. These attacks on large national government agencies and critical infrastructure providers did not go unnoticed.

Today, many of these organizations have hardened their systems against ransomware attacks. The number of enterprise-level government agencies reporting ransomware attacks and data breaches has slowed down considerably.

But according to Verizon’s 2023 Data Breach Investigations Report, over 20% of reported security incidents involved government agencies and public administrators. Nearly a quarter of these incidents involved ransomware.

At the same time, the average ransom demanded during an attack has decreased significantly. However, the costs associated with recovering from ransomware attacks are increasing.

This suggests that cybercriminals have identified a new target: Small-scale public administrators and State, Local, Tribal and Territorial (SLTT) agencies.

Attacks Against SLTT Agencies Often Go Under the Radar

On May 7th, 2021, REvil locked Colonial Pipeline administrators out of the major critical infrastructure provider’s systems. The attack made headlines around the world and sparked a national emergency – everyone knew about it.

But when cybercriminals attempt to lock down the public infrastructure of a Rhode Island town with fewer than 30,000 inhabitants, the story doesn’t go beyond local news. Tens of thousands of attacks like these happen every year, but they largely go underreported.

Threat actors know that enterprise-sized government agencies are now protected by a wide array of security technologies. They have deeply segmented networks guarded by next-generation firewalls and monitored with extensive Security Information and Event Management (SIEM) deployments. Pulling off a multi-million-dollar ransomware attack is riskier than ever before.

But small government agencies can’t afford those kinds of security deployments. Cybercriminals see an obvious opportunity here. For them, the value of ten or twenty small-scale cyberattacks can add up to a payoff similar to that of one major attack.

SLTT agencies are under the same pressure to protect citizens’ private data as large government organizations but have fewer resources at their command. Add in the fact that public administrators may neglect to report ransomware incidents – and that even reported incidents don’t make major headlines – and it’s clear why cybercriminals increasingly prefer small government targets.

New Attack Techniques: Double Extortion Makes Ransomware More Profitable

In a typical ransomware attack, cybercriminals begin by leveraging a phishing attack or a technical exploit to gain access to the victim’s network. Then they deliver the ransomware payload, which begins searching for and encrypting valuable files. Once it reaches a critical threshold, the ransom note appears and the attack is complete.

Double extortion follows the same structure and expands upon it. Instead of simply encrypting valuable data, cybercriminals exfiltrate the data and keep a copy for themselves.

This gives them new options. If they gain access to private data, they can threaten to publish that data online. Now they can demand an additional fee for not publishing sensitive user data – on top of the ransom they already demand.

Even if the organization successfully mitigates the ransomware attack, it may still feel compelled to pay to keep exfiltrated data private. Cybercriminals have effectively doubled their income stream.

How attackers exfiltrate data:

Unlike traditional ransomware attacks, double extortion attacks rely on exfiltrating sensitive data. That means attackers have to find a way to send valuable data off a protected network and receive it on a network under their control. There are a few different ways to do this:

● Automated Exfiltration involves the use of third-party software to automate the data exfiltration process. These tools can employ various methods for data transmission, ranging from unauthorized traffic duplication to the use of commercial FTP providers, making them versatile tools for cyber attackers.

● Traffic Duplication uses mirroring to send sensitive data through compromised servers and devices. Many devices support mirroring as a native feature, often for things like network traffic analysis. Cybercriminals can manipulate this feature to send confidential data off the network.

● Data Transfer Size Limits export data to an external destination in discrete, limited-size packets. This keeps the overall traffic volume low, which helps avoid detection by security tools that are configured to identify high-volume data transfers.

● Scheduled Transfers involve programming data extraction to happen at specific times, such as during normal business hours. This technique is designed to camouflage outgoing data within regular traffic, making it more challenging to detect abnormal activity.

● Exfiltration Over C2 Channel involves the illicit transfer of data through an already established C2 channel. The data is encoded into regular traffic using the same protocol, effectively masking the data exfiltration process.

● Exfiltration Over Other Network Media leverages connections such as Wi-Fi or Bluetooth for data exfiltration. Attackers can leverage any communication medium to exfiltrate data, including physical media. This approach often circumvents Internet-focused security controls.

● Exfiltration Over Alternative Protocol leverages protocols that may not be the same as the one the attacker originally compromised, such as FTP, HTTP, DNS, and others. Many systems allow users to transfer data across protocols directly from the command-line interface, providing a variety of options for data exfiltration.

● Exfiltration Over Web Service happens when attackers compromise a legitimate external web service and use it to receive sensitive data. This may already be the case if attackers infiltrated the network through a third-party supply chain attack.

These attacks require cybercriminals to leverage additional resources and bypass traditional security controls like firewalls. However, the promise of a higher payoff has proven itself to be sufficient to motivate sophisticated hackers to make the attempt.
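A defender-side illustration of two of the techniques above (Data Transfer Size Limits and Scheduled Transfers), added here and not part of the original post: it aggregates outbound flow records per source/destination pair inside a sliding time window, so a series of transfers that each stay under a per-transfer alert threshold is still flagged once their sum crosses a cumulative limit, regardless of whether they ran during business hours. The flow records, the thresholds and the function name are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound flow records, not real telemetry: (timestamp, src, dst, bytes).
# One workstation pushes ~900 KB chunks to a single external host every 15 minutes
# during business hours; each chunk stays under a naive 1 MB per-transfer alert rule.
SAMPLE_FLOWS = [
    ("2024-03-04T09:05:00", "10.20.1.15", "198.51.100.7", 900_000),
    ("2024-03-04T09:20:00", "10.20.1.15", "198.51.100.7", 880_000),
    ("2024-03-04T09:35:00", "10.20.1.15", "198.51.100.7", 910_000),
    ("2024-03-04T09:50:00", "10.20.1.15", "198.51.100.7", 895_000),
    ("2024-03-04T10:05:00", "10.20.1.15", "198.51.100.7", 905_000),
    ("2024-03-04T10:20:00", "10.20.1.15", "198.51.100.7", 890_000),
    # Ordinary browsing from another host: small and scattered across destinations.
    ("2024-03-04T09:07:00", "10.20.1.22", "203.0.113.9", 40_000),
    ("2024-03-04T09:12:00", "10.20.1.22", "203.0.113.44", 25_000),
    # One legitimate large backup upload: the per-flow rule sees it, this rule ignores it.
    ("2024-03-04T09:30:00", "10.20.1.30", "203.0.113.80", 5_000_000),
]

PER_FLOW_LIMIT = 1_000_000      # bytes: the naive "large single transfer" threshold
WINDOW = timedelta(hours=2)     # sliding window over which small flows are summed
CUMULATIVE_LIMIT = 3_000_000    # bytes per (src, dst) pair inside the window


def chunked_exfil_candidates(flows, per_flow_limit=PER_FLOW_LIMIT,
                             window=WINDOW, cumulative_limit=CUMULATIVE_LIMIT):
    """Return (src, dst, total_bytes, flow_count) for pairs whose flows each stay
    under per_flow_limit but whose sum inside a sliding window exceeds cumulative_limit."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if nbytes < per_flow_limit:          # only the individually "quiet" flows matter here
            by_pair[(src, dst)].append((datetime.fromisoformat(ts), nbytes))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()                        # oldest first so the window slides forward
        start, total = 0, 0
        for end, (ts, nbytes) in enumerate(events):
            total += nbytes
            while ts - events[start][0] > window:   # drop flows that fell out of the window
                total -= events[start][1]
                start += 1
            if total > cumulative_limit:
                hits.append((src, dst, total, end - start + 1))
                break                        # one alert per pair is enough for triage
    return hits
```

Running `chunked_exfil_candidates(SAMPLE_FLOWS)` flags only the 10.20.1.15 to 198.51.100.7 pair, after its fourth chunk pushes the two-hour total past 3 MB; in a SOC this logic would run over flow or proxy logs rather than the inline sample.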

Small Government Organizations Need In-depth Visibility and Vulnerability Management

There is no way to effectively manage the risk of sophisticated double extortion attacks without a clear window into what your organization’s security risk profile looks like. Before you can secure data from exfiltration, you must identify and categorize the assets attackers may use to exfiltrate data in the first place.

This demands a new approach to data observability and vulnerability management. Small-scale government agencies must be prepared to address double extortion risks by leveraging AI-enhanced solutions like Darktrace and Elastic. These tools play a vital role in the Security Operations Center (SOC) environment, providing analysts with deep visibility into where data is going, who is moving it, and why.

Maverc is a managed cybersecurity service provider that specializes in Cybersecurity Maturity Model Certification (CMMC) and strategic cybersecurity roadmapping for small government agencies and SLTT organizations. Find out how we can help your organization detect advanced double extortion attacks early and mitigate the risk of data exfiltration before serious damage is done.
