Need another reason to defend against ransomware, rather than ending up searching for an alternative to paying the ransom? Double extortion may be it.

So, what is double extortion? When did it start? With this tactic, ransomware actors steal a victim’s data before their malware strain activates its encryption routine. They then have the option of demanding two ransoms. The first is for a decryption utility. The second is for verbal confirmation that they have deleted the victim’s data from their servers. They can also leverage that data theft to pressure victims, even those that have a robust data backup strategy.

A Look Back at Double Extortion

In November 2019, the Maze gang struck a security staffing firm. Bleeping Computer received an email from someone who claimed to be a member of the Maze Crew. It informed the computer self-help website that they had breached the security staffing firm and stolen some of their data.

“If they don’t begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network before running Maze[sic],” the individual explained.

The security staffing firm missed its deadline to pay. So, the Maze ransomware group published 700 MB worth of its data. The threat actors told Bleeping Computer that the leak represented about 10% of the total number of stolen files. As such, the attackers threatened to release the rest of them if the victim continued to refuse to pay.

The use of double extortion picked up from there. For its part, Maze helped some ransomware groups experiment with the tactic through its cartel, while other ransomware groups created data leak sites on their own. This led to an increase in double extortion over H1 2020. During that period, ID Ransomware received 100,001 submissions pertaining to ransomware attacks. Just over 11% of those submissions, or 11,642 of them, related to attacks that involved data theft, noted Emsisoft.

Ransomware Extortion in 2021

Ransomware actors took their efforts one step further at the end of 2020 and the start of 2021. They began using triple extortion, a technique where they singled out customers and third parties for their own ransom payments. As noted by WIRED, the first case occurred in October 2020 when a Finnish psychotherapy clinic experienced a data breach that involved a ransomware attack. Those responsible for the infection demanded a ransom from the clinic, but they also demanded smaller sums from individual patients via email.

The second instance of triple extortion occurred in February 2021. At that time, Bleeping Computer reported that the REvil/Sodinokibi ransomware gang had begun placing phone calls to the victim’s business partners and media. The purpose of those calls was to publicly embarrass the company and create even more pressure for the victim to fulfill the attackers’ ransom demand(s).

Even more layers of extortion emerged in the months that followed. For instance, in October, the FBI warned that the HelloKitty group had begun threatening to target victims’ public-facing websites with distributed denial-of-service attacks if they refused to pay the ransom or didn’t do so quickly enough. KnowBe4 reported that other ransomware actors had begun threatening to repeat the attack and delete all their victims’ data if they decided to contact law enforcement or professional negotiators following an infection.

The Side Effect: Rising Costs

All these levels of extortion are driving up ransomware costs. Specifically, they’re giving attack groups more impetus to raise their demands. The average ransom ask increased to between $50 million and $70 million in the first half of the year. Many victims end up paying a fraction of that, as they might be able to negotiate those requests down and/or rely on a cyber insurance policy to cover at least part of those costs. In either case, they legitimize ransom demands of that amount and encourage attackers to keep making them. It’s no wonder, therefore, that ransomware costs are expected to reach a collective total of $265 billion by 2031.

Focusing on Ransomware Prevention for 2022

Double, triple and all the other extortion levels discussed above have helped to elevate ransomware into a multi-faceted threat. SonicWall logged 470 million ransomware attacks through the third quarter of the year. That’s a 148% year-over-year increase. That company detected 190.4 million attacks in Q3 2021 alone, a figure which nearly overtook the 195.7 million ransomware attacks detected in the first three quarters of 2020.

Looking ahead, the firm estimated that ransomware totals would reach 714 million attack attempts by the end of December, making 2021 the most prolific year on record. These volumes explain why the U.S. federal government is working to combat ransomware by sanctioning cryptocurrency exchanges that have moved money for ransomware actors and by introducing bills that could require victims to publicly disclose ransom payments.

Even so, organizations can’t rely on the federal government alone to keep their systems and data safe. They need to focus on their ransomware prevention strategies by prioritizing three security measures. First, they can invest in their security awareness training to educate all employees and cultivate their familiarity with ransomware attacks. Second, they can use their vulnerability management programs to prioritize and remediate security weaknesses that malicious actors could exploit as a means to drop ransomware onto organizations’ systems. Finally, they can use data encryption as a means to protect their data against ransomware attempts.
