Double Extortion Ransomware

Double extortion ransomware is a particularly dangerous and evolving form of cyberattack that has rapidly gained traction in recent years. Unlike traditional ransomware, which encrypts a victim’s files and demands a ransom for decryption, double extortion takes things a step further.

In addition to locking files, cybercriminals also exfiltrate sensitive data from the victim’s network and threaten to release or sell this information unless a ransom is paid. This added pressure intensifies the financial and reputational damage inflicted on organizations, making double extortion ransomware one of the most devastating cybersecurity threats today.

Effective defense against double extortion ransomware requires a multi-layered approach. Key strategies outlined in the guide include regular data backups, network segmentation, endpoint protection, advanced threat detection, and employee training. The guide also emphasizes the importance of incident response plans, enabling businesses to quickly identify and mitigate attacks before they cause irreparable harm.

Our guide offers in-depth insight into this emerging threat, explaining its mechanics, tactics, and the best strategies for defending against it. This type of attack is becoming increasingly prevalent, with threat actors targeting businesses across various industries, including healthcare, finance, and manufacturing, where sensitive data is particularly valuable.

The article explores how double extortion ransomware works, from the initial infiltration of a network through phishing emails or vulnerabilities to the final stages of data theft and encryption. It also discusses the motivations behind these attacks, which often include not only financial extortion but also the desire to damage an organization’s reputation and disrupt its operations.

As the threat of double extortion ransomware continues to grow, businesses must take proactive steps to protect their networks, data, and reputation. This guide provides valuable recommendations for strengthening defenses against this evolving form of ransomware and ensuring that organizations are better prepared to respond if an attack occurs.

The Evolution of Double Extortion

It all started in late 2019 with the first published double extortion ransomware case, involving a Ransomware-as-a-Service (RaaS) gang known as Maze (now defunct) and an American security systems and services provider known as Allied Universal. Maze was infamous for being the first to add doxxing to its ransomware attacks. When Allied Universal refused to pay the 300 bitcoin ransom demanded, the ransomware gang increased the ransom request by 50% and threatened to use their stolen identity in a spam operation. Additionally, the attackers published about 10% of the data they exfiltrated and gave Allied Universal two weeks to pay up or have the remaining 90% of their stolen data exposed online.

The Maze ransomware gang was reported to have exposed private information for many businesses and organizations that refused to comply with its demands. This helped to make double extortion a prevalent technique in the ransomware threat landscape, and such activity continued to grow over the rest of the year. Other strains soon followed, including the REvil/Sodinokibi attack that crippled the UK foreign exchange company Travelex. There are many ransomware gangs that are very active and prosperous in the double extortion business; some of the best known include Netwalker, DoppelPaymer, Conti, Egregor, Nemty, and DarkSide. According to recent statistics, 77% of ransomware attacks involve the threat to leak exfiltrated data, and in 2022, double extortion ransomware is expected to grow even more. To make things worse, ransomware operators are now adding multi-level extortion techniques, such as incorporating distributed denial-of-service (DDoS) attacks and other attacks directed at the victim’s customers, suppliers, or partners.

Figure 1.0 | Multi-level ransomware extortion techniques | Image Credit: Trend Micro

Why Is Double Extortion Happening?

Double extortion has gained prominence following the increased adoption of cloud data backups. After the devastating WannaCry and NotPetya ransomware attacks of 2017, most organizations tried to improve their data backup and recovery processes to achieve some level of resilience to ransomware attacks, so that even if they lost access to their files, they could quickly restore from clean backups and go about their business without the fear of being held hostage. The effect of Covid-19 further accelerated the adoption of cloud services, including backup and recovery services. These improved security practices are giving organizations the confidence to say “No” to ransom payment in exchange for a decryption key.

Realizing that more victims were refusing to pay, cybercriminals, in turn, adapted their techniques in what seems like an arms race. Now, rather than just encrypting files, double extortion ransomware exfiltrates the files before encrypting them. Imagine malware that combines ransomware with doxware. This means that even if an organization refuses to pay up, its data can be leaked online or sold to the highest bidder. This suddenly renders all its data backup and data recovery plans somewhat valueless. By using double extortion, and the threat of a data breach in addition to the potential for data loss, ransomware attackers can compel organizations to pay a ransom even if they can recover their data from clean backups.

Who Is Vulnerable to Double Extortion Ransomware?

Any organization that directly holds vast amounts of data or holds client, supplier, or partner information is vulnerable to double and multi-level extortion attacks. The most apparent targets include healthcare, financial, and other organizations that hold valuable personal information.

A typical example is the ransomware attack that targeted the Taiwan-based hardware supplier Quanta. According to reports, the ransomware gang REvil claimed that it had accessed Quanta’s internal computers and obtained several images and schematics of unreleased Apple products, and demanded that Quanta pay $50 million for recovery of the files. When Quanta refused to pay, the criminals decided to go after Apple for the money instead. Another example is the case that involved the Finnish physiotherapy provider Vastaamo. According to reports, about 10 gigabytes of data containing private notes of patients and their therapists was leaked on a website on the dark web. Rather than just demanding a ransom from Vastaamo itself, the ransomware gang also made ransom demands directly to the thousands of Vastaamo patients whose records it was able to exfiltrate.

How Can You Mitigate Double Extortion Ransomware?

As is the case with most ransomware attacks, there is no guarantee that attackers will keep their word if you agree to pay the ransom to avoid a data leak. So what should you do in situations like this? How can you mitigate double extortion attacks?

First and foremost, it’s important to note that detection and response efforts, however necessary, will not be sufficient to deal with double extortion attacks, especially as many attackers avoid detection until they have already exfiltrated and encrypted your data. By the time your detection tools alert you to ongoing malicious activity, the attackers are already in the middle of it.
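The practical consequence of that timing problem is that defenders should watch for the exfiltration stage itself, which in a double extortion attack precedes encryption, rather than waiting for the encryption to trigger an alert. The following is an added example, written for this page and not taken from the original article: it reads per-host, per-day outbound flow summaries and flags any host whose latest-day outbound volume jumps far above its own prior median, listing destinations that host never used before. The record layout, the threshold values (5x the baseline median and at least 1 GB) and the sample data are all assumptions constructed for the example; the addresses are RFC 5737 documentation ranges, not real infrastructure.

```python
"""Baseline-deviation check for bulk outbound transfers (exfiltration stage).

Added example, not from the original article. Flow records, thresholds and
hosts are constructed assumptions; adapt the loader to your own netflow,
proxy or firewall summaries.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    host: str
    day: str          # ISO date; one summary row per host/day/destination
    destination: str
    bytes_out: int


class Alert(NamedTuple):
    host: str
    day: str
    bytes_out: int
    baseline_median: float
    new_destinations: List[str]   # destinations absent from the baseline days


MB = 1_000_000
GB = 1_000_000_000

# Constructed sample telemetry (not real data). Destinations are RFC 5737
# documentation addresses.
SAMPLE_FLOWS: List[Flow] = [
    # ws-finance-07: modest daily volume to the usual SaaS endpoint...
    Flow("ws-finance-07", "2024-03-01", "198.51.100.10", 40 * MB),
    Flow("ws-finance-07", "2024-03-02", "198.51.100.10", 55 * MB),
    Flow("ws-finance-07", "2024-03-03", "198.51.100.10", 48 * MB),
    Flow("ws-finance-07", "2024-03-04", "198.51.100.10", 52 * MB),
    Flow("ws-finance-07", "2024-03-05", "198.51.100.10", 45 * MB),
    Flow("ws-finance-07", "2024-03-06", "198.51.100.10", 60 * MB),
    # ...then a multi-gigabyte push to a never-before-seen address.
    Flow("ws-finance-07", "2024-03-07", "198.51.100.10", 50 * MB),
    Flow("ws-finance-07", "2024-03-07", "203.0.113.45", 4_200 * MB),
    # srv-backup-01: large but steady volume to the backup target (benign).
    Flow("srv-backup-01", "2024-03-01", "192.0.2.20", 3_000 * MB),
    Flow("srv-backup-01", "2024-03-02", "192.0.2.20", 3_100 * MB),
    Flow("srv-backup-01", "2024-03-03", "192.0.2.20", 2_900 * MB),
    Flow("srv-backup-01", "2024-03-04", "192.0.2.20", 3_200 * MB),
    Flow("srv-backup-01", "2024-03-05", "192.0.2.20", 3_000 * MB),
    Flow("srv-backup-01", "2024-03-06", "192.0.2.20", 3_100 * MB),
    Flow("srv-backup-01", "2024-03-07", "192.0.2.20", 3_300 * MB),
    # ws-hr-03: small and steady (benign).
    Flow("ws-hr-03", "2024-03-01", "198.51.100.10", 10 * MB),
    Flow("ws-hr-03", "2024-03-02", "198.51.100.10", 9 * MB),
    Flow("ws-hr-03", "2024-03-03", "198.51.100.10", 11 * MB),
    Flow("ws-hr-03", "2024-03-04", "198.51.100.10", 10 * MB),
    Flow("ws-hr-03", "2024-03-05", "198.51.100.10", 12 * MB),
]


def daily_outbound(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Sum bytes_out per host per day -> {host: {day: bytes}}."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.host][f.day] += f.bytes_out
    return totals


def flag_exfil_candidates(flows: List[Flow], ratio: float = 5.0,
                          min_bytes: int = 1 * GB,
                          min_baseline_days: int = 3) -> List[Alert]:
    """Flag hosts whose latest day exceeds ratio x their prior-day median.

    The per-host baseline keeps steady high-volume systems (backup servers)
    quiet, while the absolute floor keeps tiny hosts from alerting on noise.
    """
    alerts: List[Alert] = []
    for host, per_day in daily_outbound(flows).items():
        days = sorted(per_day)
        if len(days) <= min_baseline_days:
            continue                      # not enough history to judge
        latest = days[-1]
        baseline = median(per_day[d] for d in days[:-1])
        latest_bytes = per_day[latest]
        if latest_bytes < min_bytes or latest_bytes < ratio * baseline:
            continue
        known = {f.destination for f in flows if f.host == host and f.day < latest}
        today = {f.destination for f in flows if f.host == host and f.day == latest}
        alerts.append(Alert(host, latest, latest_bytes, baseline, sorted(today - known)))
    return alerts


if __name__ == "__main__":
    for a in flag_exfil_candidates(SAMPLE_FLOWS):
        print(f"{a.host} {a.day}: {a.bytes_out / GB:.2f} GB out "
              f"(baseline median {a.baseline_median / MB:.0f} MB); "
              f"new destinations: {', '.join(a.new_destinations) or 'none'}")
```

The two signals are deliberately combined: a volume spike alone produces noise from backup jobs and software updates, and a new destination alone is unremarkable, but a host sending many times its own usual volume to an address it has never contacted is worth a human look while the data is still in motion rather than after the ransom note appears.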

The threat of a double extortion ransomware attack is capable of destroying brand reputation and customer confidence. Concerted efforts must be made to prevent it from happening in the first place. Therefore, the best option is to focus on preventive measures. Conduct simulated attacks and penetration tests, and ensure that any existing security holes are patched as soon as possible so that attackers won’t be able to exploit those vulnerabilities. Provide regular security awareness training to your workforce, and ensure that security best practices such as the principle of least privilege and multi-factor authentication have been implemented for all users. If attackers do compromise an account, this makes it much harder for them to move laterally across the network.