What are Double and Triple Extortion Ransomware Attacks

Ransomware groups are demanding payment in exchange for not leaking your data, but they may still expose it anyway.
Ransomware Double Extortion

The last few years have seen a dramatic rise in high-profile ransomware cases, leading CISOs to bump ransomware planning to the top of their list of initiatives. However, just as companies have adapted to guard against this threat, ransomware gangs have adapted in turn, employing additional layers of extortion focused on exposing customer data.

A traditional ransomware attack is based on the premise that organizations will pay a ransom in exchange for the safe restoration of their data, which has been hijacked and encrypted. Companies will pay the ransom to restore network functionality and reduce downtime. As ransomware attacks have become more prevalent, however, security teams have worked to mitigate the impact that loss of data has on their businesses. Measures such as secure off-site backups and division of key network segments have rendered standard ransom-for-data attacks less effective.

What is a Double Extortion Ransomware Attack?

Here is where double extortion comes in. In a double extortion attack, the attacker exfiltrates data they wish to use as leverage and then launches the encryption attack. The attacker then threatens to expose the data, which could mean selling customer personal information or intellectual property of the victim company.

Double extortion attacks were first employed by the Maze ransomware group in 2019 and have been adopted by an increasing number of ransomware gangs since. A 2021 report from Group-IB notes an increase of 935% in the number of companies that have had their data exposed on a data leak site, indicating that these threats are not empty.

In fact, even organizations that have paid the ransom to preserve their data have seen it leaked. One actor gaining an increasingly bad reputation for reliability is the Russian ransomware-as-a-service group, Conti Ransomware Gang, who have been identified as providing fake file deletion proof and uploading data leaks to their site, Conti News, despite having received the ransom payment from their victims.

What is a Triple Extortion Ransomware Attack?

As payouts from ransomware continue to skyrocket, attackers are getting creative, initiating a string of follow-up attacks to rake in additional funds. In a triple extortion, not only do the attackers demand payment from the initially compromised company, but they also demand payment from those who may be affected by the leaking of that company’s data.

Triple extortion hit the news in 2020 after individual patients of Finnish mental health provider, Vastaamo, were sent ransom demands related to the release of their patient records. Patients had discussed deeply private matters in these therapy sessions and had a vested interest in these records remaining private.

Triple extortion can also involve additional attacks launched against the original target if they refuse to pay the ransom. For example, if a company has been able to restore from backups and are not negotiating, the bad actors may initiate a distributed denial-of-service attack to apply additional pressure.

Preventing Double or Triple Extortion Ransomware Attacks

It is important to have a comprehensive ransomware resilience plan that addresses preparation, prevention, and response in the event of an attack. Here are a few tips for preventing double/triple extortion attacks that you can incorporate into your ransomware strategy.

  1. Don’t let attackers in: Double extortion ransomware attacks utilize the same methods to gain access to your network as any traditional ransomware attack. Security awareness training for employees, password policies and multi-factor authentication, regular patching of known vulnerabilities, and protection of RDP ports and VPNs are all important measures to stop initial access. You may also consider investing in a web application firewall and ransomware detection solution.
  2. Backups and data encryption: In the event an attacker does get into your network, having a recent offline backup can protect against the first prong of a ransomware attack, the recovery of your data. Additionally, to protect against a double extortion attack, encrypt your data so that if stolen for use in an attempted data leak, it is not readable by the ransomware group.

As our defense tactics evolve, so do the methods used by attackers. Stay up to date on the latest ransomware developments as an RH-ISAC member. Members have exclusive access to vetted threat intelligence and a community of peers that can aid in the prevention and detection of malware threats. Learn more on the RH-ISAC website.

Ransomware Resilience Planning Guide

Get actionable strategies to reduce your organization's ransomware risk.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.