Double Extortion Ransomware

Ransomware attacks traditionally function by infecting targets with malware that denies victims access to their files by encrypting them and then demanding a ransom to unlock or decrypt the files. If the victim refuses to pay the ransom, they will be permanently denied access to their files.

However, ransomware operators have more recently adopted a new modus operandi: they exfiltrate the victim’s files before encrypting them. The stolen files are then used as leverage to pressure the victim into paying the demanded ransom. If the victim does not pay, the operators publish the stolen, unencrypted files to shame the victim or damage their reputation. This strategy is called double extortion.

Double extortion ransomware is a growing tactic among cybercriminals. It allows them to demand a ransom for the encrypted data while using the threat of leaking the stolen data to compel the victim to pay. Most ransomware operators now run a dedicated leak site on the open Internet or the dark web where stolen data is dumped. Ransomware is therefore no longer just an attack on data availability but also on data confidentiality—a doxware attack, in which the attacker steals the victim’s data and threatens to publish it unless paid. This combined attack on availability and confidentiality (ransomware + doxware) marks a turning point in the ongoing evolution of ransomware.

The Evolution of Double Extortion

It all started in late 2019 with the first published double extortion ransomware case, involving the Ransomware-as-a-Service (RaaS) gang known as Maze (now defunct) and an American security systems and services provider, Allied Universal. Maze was infamous for being the first to add doxxing to its ransomware attacks. When Allied Universal refused to pay the 300 bitcoin ransom demanded, the gang increased the demand by 50% and threatened to use the company’s stolen identity in a spam operation. Additionally, the attackers published about 10% of the exfiltrated data and gave Allied Universal two weeks to pay up or have the remaining 90% of the stolen data exposed online.

The Maze ransomware gang was reported to have exposed private information belonging to many businesses and organizations that refused to comply with its demands. This helped make double extortion a prevalent technique in the ransomware threat landscape, and such activity continued to grow over the rest of the year. Other strains soon followed, including the REvil/Sodinokibi attack that crippled the UK foreign exchange company Travelex. Many ransomware gangs are now active and profitable in the double extortion business; well-known examples include Netwalker, DoppelPaymer, Conti, Egregor, Nemty, and DarkSide. According to recent statistics, 77% of ransomware attacks involve the threat to leak exfiltrated data, and in 2022 double extortion ransomware is expected to grow even further. To make things worse, ransomware operators are now adding multi-level extortion techniques, such as incorporating distributed denial-of-service (DDoS) attacks and other attacks directed at the victim’s customers, suppliers, or partners.

Figure 1.0 | Multi-level ransomware extortion techniques | Image Credit: Trend Micro

Why Is Double Extortion Happening?

Double extortion has gained prominence following the increased adoption of cloud data backups. After the devastating WannaCry and NotPetya ransomware attacks of 2017, most organizations worked to improve their data backup and recovery processes to achieve some level of resilience to ransomware, so that even if they lost access to their files they could quickly restore from clean backups and go about their business without fear of being held hostage. The effects of COVID-19 further accelerated the adoption of cloud services, including backup and recovery services. These improved practices have given organizations the confidence to say “No” to paying a ransom in exchange for a decryption key.

Faced with this growing refusal to pay, cybercriminals have in turn adapted their techniques in what looks like an arms race. Rather than just encrypting files, double extortion ransomware exfiltrates the files before encrypting them: in effect, malware that combines ransomware with doxware. Even if an organization refuses to pay, its data can be leaked online or sold to the highest bidder, which makes its backup and recovery plans far less valuable as a defense. By combining the threat of a data breach with the potential for data loss, attackers can compel organizations to pay a ransom even when they could recover their data from clean backups.

Who Is Vulnerable to Double Extortion Ransomware? 

Any organization that directly holds vast amounts of data or holds client, supplier, or partner information is vulnerable to double and multi-level extortion attacks. The most apparent targets include healthcare, financial, and other organizations that hold valuable personal information. 

A typical example is the ransomware attack that targeted the Taiwan-based hardware supplier Quanta. According to reports, the ransomware gang REvil claimed it had accessed Quanta’s internal computers and obtained several images and schematics of unreleased Apple products, and demanded that Quanta pay $50 million for recovery of the files. When Quanta refused to pay, the criminals went after Apple for the money instead. Another example involved the Finnish physiotherapy provider Vastaamo. According to reports, about 10 gigabytes of data containing private notes of patients and their therapists were leaked on a dark web site. Rather than only demanding a ransom from Vastaamo itself, the gang also made ransom demands directly to the thousands of Vastaamo patients whose records it had exfiltrated.

How Can You Mitigate Double Extortion Ransomware?

As is the case with most ransomware attacks, there is no guarantee that attackers will keep to their words if you agree to pay the ransom to avoid a data leak. So what should you do in situations like this? How can you mitigate double extortion attacks? 

First and foremost, detection and response efforts, while necessary, are not sufficient on their own to deal with double extortion attacks, because many attackers exfiltrate data before they encrypt it. By the time your detection tools alert you to ongoing malicious activity, the attackers are already in the middle of it.
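Because the exfiltration happens before the encryption, egress telemetry is one of the few places a defender can see a double extortion attack while it is still in progress. The following is an added illustration, not code from the original article or from any vendor product: a minimal baseline heuristic that flags a host whose outbound volume for a day jumps far above its own history or crosses an absolute floor, and notes any destination that host has never been seen talking to before. The log format, host names, thresholds and field layout are all constructed assumptions for the example.

```python
"""Flag hosts whose outbound data volume jumps far above their own baseline.

Added example for illustration only; the egress log format, host names,
destinations and thresholds below are constructed, not from a real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed egress log lines: <date> <src_host> <dst_host> <bytes_out>
# ws-042 normally sends a few MB/day to mail; on 03-04 it pushes ~9.8 GB
# to a destination it has never contacted before.
SAMPLE_LOGS = """\
2024-03-01 ws-017 cdn.example.net 20480000
2024-03-01 ws-042 mail.example.net 5120000
2024-03-02 ws-017 cdn.example.net 18000000
2024-03-02 ws-042 mail.example.net 4900000
2024-03-03 ws-017 cdn.example.net 22000000
2024-03-03 ws-042 mail.example.net 5300000
2024-03-04 ws-017 cdn.example.net 19500000
2024-03-04 ws-042 storage.unknown-host.example 9800000000
"""


@dataclass(frozen=True)
class EgressRecord:
    day: str        # ISO date, so string comparison orders days correctly
    src: str
    dst: str
    bytes_out: int


def parse_log_line(line):
    """Parse one constructed egress record; reject anything malformed."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed log line: {line!r}")
    day, src, dst, raw_bytes = parts
    return EgressRecord(day, src, dst, int(raw_bytes))


def parse_logs(log_text):
    return [parse_log_line(line) for line in log_text.splitlines() if line.strip()]


def daily_totals(records):
    """Outbound bytes per source host per day: totals[src][day] -> bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r.src][r.day] += r.bytes_out
    return totals


def find_exfil_candidates(log_text, day, ratio=10.0, floor_bytes=1_000_000_000):
    """Return alerts for hosts whose outbound volume on `day` is anomalous.

    A host is flagged when its volume is at least `ratio` times the median
    of its earlier days, or when it exceeds `floor_bytes` outright (a host
    with no history still trips the absolute floor). Each alert also lists
    destinations not seen for that host on any earlier day.
    """
    records = parse_logs(log_text)
    totals = daily_totals(records)
    alerts = []
    for src, per_day in totals.items():
        today = per_day.get(day)
        if today is None:
            continue
        history = [v for d, v in per_day.items() if d < day]
        baseline = median(history) if history else 0
        over_ratio = baseline > 0 and today >= ratio * baseline
        over_floor = today >= floor_bytes
        if not (over_ratio or over_floor):
            continue
        earlier_dsts = {r.dst for r in records if r.src == src and r.day < day}
        todays_dsts = {r.dst for r in records if r.src == src and r.day == day}
        alerts.append({
            "host": src,
            "day": day,
            "bytes_out": today,
            "baseline": baseline,
            "new_destinations": sorted(todays_dsts - earlier_dsts),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOGS, "2024-03-04"):
        print(alert)
```

A real pipeline would baseline over weeks rather than days, per-destination rather than per-host, and feed the alert into a response playbook that isolates the host; the point of the example is that the signal exists before any file is encrypted, which is exactly the window the paragraph above says defenders usually miss.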

A double extortion ransomware attack can destroy brand reputation and customer confidence, so concerted efforts must be made to prevent it from happening in the first place; the best option is therefore to focus on preventive measures. Conduct attack simulations and penetration tests, and ensure that any security holes they find are patched as quickly as possible so that attackers cannot exploit them. Provide regular security awareness training to your workforce, and ensure that security best practices such as the principle of least privilege and multi-factor authentication are enforced for all users. Then, even if attackers compromise an account, it will be harder for them to move laterally through the network.