Double extortion is a tactic employed by some ransomware gangs. It begins when a crypto-malware strain steals information stored on a victim’s machine before launching its encryption routine.

As usual, the ransomware encrypts the victim’s data and demands payment in exchange for a decryptor within its ransom note. But the threat then makes the additional demand that victims pay up in order to prevent the attackers from publishing their plaintext data online.

Ransomware attacks can have an impact beyond the encryption of data, as evidenced by the 2020 attack on a German hospital that shuttered operations due to a successful ransomware attack. Inbound patients were redirected to alternate hospitals for treatment, and in a tragic milestone, one of the redirected individuals became the first fatality directly linked to a ransomware attack.

When Did Double Extortion Begin?

The first group of attackers to use double extortion was the Maze gang. In November 2019, Bleeping Computer received an email from the “Maze Crew” indicating that they had breached a security staffing company. The attackers said in their email that they had downloaded data from their victim’s network and that they would begin releasing that stolen information unless the company agreed to pay the requested ransom demand.

A day before their deadline, the Maze attackers posted in Bleeping Computer’s forums a description of the breach along with a link for a 7-zip archive. That resource contained almost 700 MB of leaked files including contracts, medical records, encryption certificates and other files stolen from the company.

In the months that followed that attack, the Maze gang began welcoming other attackers to publish their own victims’ data using its data leaks architecture. The individuals behind the LockBit Ransomware-as-a-Service (RaaS) platform took up Maze’s operators on their offer and published a data dump for an architectural firm to the “Maze News” site in the beginning of June, as an example. The Ragnar Locker gang joined Maze’s cartel just days after that.

This activity from Maze helped to make double extortion a prevalent technique in the ransomware threat landscape more broadly. For instance, ID Ransomware received 100,001 submissions for ransomware attacks that had targeted organizations and government entities in Q2 2020. Approximately 11% of those attacks, or 11,642 distinct ransomware incidents, involved the theft of victims’ data.

Such activity continued to grow over the rest of the year. In an attack landscape update for H1 2021, researchers revealed that nearly 40% of ransomware families discovered in 2020 along with several of the more established strains had incorporated data exfiltration into their attack chains by the end of the year. They went on to note that 15 different ransomware families were stealing data from their victims and threatening to leak it by the close of 2020.

Why Is Double Extortion Happening?

Simply put, double extortion has gained prominence with the rise of data backups best practices. Help Net Security covered a 2020 study where 91% of respondents confirmed that they back up their data and devices. It’s this security hygiene that’s giving organizations an out when it comes to paying a ransom in exchange for a decryption utility.

By using double extortion, ransomware attackers can compel organizations to pay a ransom even if they are able to recover their information using data backups due to the threat of a data breach in addition to the potential for data loss in these “ransomware 2.0” attacks.

But as is the case with all ransomware infections, organizations can’t guarantee that attackers will honor their word if they agree to pay the ransom to avoid a data leak. Other researchers noted in Q3 2020 that it had observed at least five ransomware groups going against their promises.

They documented instances where the Sodinokibi attackers re-extorted victims with the same data set just weeks after they paid the ransom, for instance. Others including the Netwalker and Mespinoza gangs went ahead and posted the data for victims that had paid.

Prevention is Key to Defending Against Double Extortion

Victims can’t trust attackers to follow through and not post their stolen information. Not only that, but they don’t want to support the ransomware business model to begin with. That’s why organizations need to focus on preventing a ransomware infection in the first place. The only way they can do that is by gaining visibility over Indicators of Behavior (IOBs) so that they can visualize and ultimately shut down the attack chain.

Cybereason delivers fearless ransomware protection via multi-layered prevention, detection and response to prevent ransomware infections and data exfiltration that can put organizations at risk from double extortion, including:

• Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.

• Intelligence Based-Antivirus: Cybereason block known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.

• NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.

• Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.

• Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

• Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques surface the most complex ransomware threats and end the attack before any critical data can be encrypted.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

JJ Cranford

JJ Cranford is a Senior Product Marketing Manager at Cybereason, He was previously with OpenText after the acquisition of Guidance Software where he was responsible for the go-to-market strategy for endpoint security products. JJ provides insight into market trends, industry challenges, and solutions in the areas of incident response, endpoint security, risk management, and compliance.

All Posts by JJ Cranford