Ever hear of double extortion? It’s a technique increasingly employed by ransomware attackers. A malware payload steals a victim’s plaintext information before launching its encryption routine. Those operating the ransomware then go on to demand two ransoms — one for a decryption utility and the other for the deletion of the victim’s stolen information from their servers. In doing so, ransomware actors hope to trap all their victims into paying up. Backups can help to negate the need for a decryption utility, the logic goes, but they mean next to nothing in the aftermath of data theft. Take a look at how to defend against double extortion and double encryption as attackers double down.

Double Extortion: A Means to an End for Ransomware Attackers

What makes double extortion so useful is that it is a means to an end, not an end unto itself. Just look at what ransomware actors have done with double extortion since its inception in 2019.

Some have decided to create new attack infrastructure. Take the Maze crew, for example. This group of attackers created its own data leaks website for publishing the data of victims who refused to pay. The group also formed a cartel with other ransomware gangs, an arrangement that featured shared use of its data leaks website as a central benefit. (Attackers’ experience of using Maze’s double encryption apparatus also helped other actors like the LockBit crew to register their own website.)

Others have elected to weaponize double extortion for the sake of repeat ransom demands. All this requires is for crypto-malware crews to not honor when a victim pays a ransom. Those threat actors can then return whenever they want in the future and issue a ransom demand for the same data.

Download the Definitive Guide to Ransomware

What Is Double Encryption?

Double extortion is not the only new technique that’s using two of something to reshape the flow of a ransomware attack. So too is double encryption, a tactic where malicious actors are encrypting victims’ data with two (or more) ransomware strains.

Emsisoft first warned about the threat of double encryption in mid-May. This attack commonly takes on one of two forms.

In the first type, known as layered encryption, a malicious actor encrypts a victim’s data with one ransomware strain. The attacker then re-encrypts that encrypted information using a different ransomware sample.

In the second type, called side-by-side encryption, the attacker uses one ransomware strain to encrypt some systems and another ransomware sample to encrypt other systems.

Two Birds, One Ransomware Stone

Double encryption is like double extortion in two ways. First, it aims to maximize the amount of money that attackers are capable of collecting using a ‘single’ infection. Multiple payloads require victims to pay for multiple decryption utilities, thus increasing the overall cost of a ransomware attack.

Ransomware attackers understand this. Under the model of double encryption, they can work together to share in the profits of a company that’s willing to pay. Or, they can combine several of their ransomware strains together into a single attack.

Cryptomalware crews can also leverage double encryption to expand the types of options that are available to their affiliates. Indeed, developers can create new tiers in their affiliate programs that enable would-be attackers to string two or more malware payloads together, for instance. When made available under an established ransomware-as-a-service platform, such offerings would lead to even more money ending up in ransomware actors’ pockets.

Second, double encryption makes recovery more difficult. If a victim chooses to pay the ransom, the attacks could send a decryption utility for each ransomware strain involved. The issue is that the onus falls on the attackers to adequately describe how to use the decryption utilities to recover all their data. If the attackers used side-by-side encryption, for instance, they would need to instruct the victim about which decryptor to use for which system. With layered encryption, they would need to specify which decryption utilities to use first.

That’s a lot to assume given the fact that many attacker-created decryption tools already don’t work on their own. (That’s what happened with ProLock.) All these moving parts increase the likelihood that organizations could suffer data corruption following a ransomware attack.

Why Organizations Shouldn’t Pay Ransoms

Whether single encryption or double encryption is involved, paying the ransom carries several risks for victims. First, paying the ransom doesn’t guarantee they’ll be able to recover their data. Some decryption utilities fail, as discussed above, and some attackers refuse to honor a ransom payment.

Second, paying a ransom doesn’t ensure that a victim will be able to recover their data right away. Decryption is often a manual task that requires victims to recover individual files one at a time. This process can become even more complex when multiple ransomware strains and their corresponding decryptors get involved.

Lastly, organizations could incur financial penalties by paying a ransom. In 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) revealed that it could impose civil penalties on those who paid threat actors on OFAC’s cyber sanctions program. That penalty comes into play even if the victim didn’t know the attacker was on the sanctions list.

Defending Against Ransomware in the Age of ‘Double’ Tactics

Double extortion was always a means to an end in more ways than one. This technique didn’t just extend the possibilities of how a ransomware actor could get paid. It also changed how a ransomware attack could look.

Taken together, these techniques highlight the need for organizations to defend themselves against ransomware. Having backups is a crucial step of that process. But there are other important steps, too, like the following:

  • Crafting a data theft prevention strategy
  • Applying user behavior analytics to identify potential threats
  • Implementing multi-factor authentication to secure accounts
  • Leveraging penetration testing to identify weak points on the corporate network.

These fundamentals can help keep organizations safe against ransomware, regardless of what encryption and extortion techniques a campaign is using.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today