In the summer of 2024, a Russian ransomware gang launched an attack on a UK pathology services provider. However, the group didn’t just encrypt the organization’s data and demand a ransom. It exfiltrated data from more than 300 million patient interactions with the National Health Service (NHS), and when the victim organization refused to pay the hefty ransom, the group released all the stolen data on the dark web.
This tactic is referred to as extortion (in this case, double extortion), and while it’s only a handful of years old, the practice has risen from novelty to the norm for ransomware groups and other threat actors across the cybercrime landscape.
What is Double Extortion?
Double extortion occurs when a threat actor, during a ransomware attack, exfiltrates a copy of an organization’s data before executing the standard ransomware data encryption process. If the victim organization refuses to pay the ransom or the ransom negotiations go south, the threat actor will threaten to expose the organization’s data and clients’ personally identifiable information (PII) by releasing the unencrypted stolen data on the dark web or selling it to another party. This is effectively a double extortion scenario: the attacker leverages not only the encrypted data, but also the potential exposure of that data to others.
In the example above, the ransomware group released patient data and blood test results, including highly sensitive test results for HIV, sexually transmitted diseases, and cancer.
Double extortion first emerged as a trend in 2019, with notable ransomware groups Maze and REvil demanding an additional ransom in exchange for not releasing data they had exfiltrated during ransomware attacks. This trend is now, unfortunately, the norm. Arctic Wolf found that in 96% of ransomware incident response cases, the attacker also exfiltrated data to apply pressure and extort payment.
What is Triple Extortion?
Triple extortion occurs when the threat actors add another incentive for the victim organization to pay the ransom during the attack, or find a third way to extort funds from the victim.
Triple extortion tactics can involve:
- Contacting and potentially blackmailing individuals whose data has been exfiltrated during the attack
- Encrypting more of the organization’s environment
- Launching a secondary attack, such as a distributed denial-of-service (DDoS) attack
- Attacking an organization connected to the original victim organization
Triple extortion is also referred to as multi-extortion, as the threat actors are taking multiple extortion actions during the attack. Known ransomware groups are starting to use this tactic with increased frequency. For example, Arctic Wolf Labs investigated several instances in which ransomware groups Royal and Akira contacted victims after their original attacks, demanding a second payment; in November 2023, the group AlphaV even contacted the U.S. Securities and Exchange Commission (SEC) to report one of its alleged victims for failing to comply with SEC reporting rules that require publicly traded companies to disclose material cyber incidents.
Consequences of Double and Triple Extortion Attacks
A ransomware attack is a potentially devastating scenario for any organization, so when threat actors are able to exfiltrate data and utilize multi-extortion tactics, the consequences only multiply.
Potential additional impacts for organizations due to double and triple extortion ransomware attacks include:
- Reputation damage from client or customer data exposure
- Regulatory investigations and/or fines
- Future attacks that utilize the compromised data (including credentials) for initial access
- Attacks on business associates and connected organizations
- Financial losses due to ransom payment, operation stoppage, or even loss of trust by shareholders and investors
Unfortunately, extortion offers threat actors an advantage during their attack. One area where extortion has given threat actors the upper hand is its ability to neutralize the effectiveness of backup and restoration processes. Organizations often use backups to restart operations quickly during a ransomware attack and avoid paying a ransom, but as that defense has become ubiquitous, so too has extortion, which can render data recovery moot. In other words, target organizations that may not need to pay the ransom to recover their data must still consider doing so to avoid having that data fall into the wrong hands. Additionally, Arctic Wolf has observed that whereas in the past ransomware groups were often willing to negotiate ransoms quickly, more recently these threat actors are taking tougher negotiation stances while turning to multi-extortion tactics to maximize their potential gains.
How To Protect Against Extortion Ransomware Attacks
Ransomware isn’t going away anytime soon. The attack type accounted for 44% of Arctic Wolf® Incident Response cases in 2024, and the median ransom was $600,000 (USD). This prevalence – and potential cost – means that organizations must act proactively to prevent ransomware incidents in their environments.
Protect against extortion ransomware attacks by:
1. Conducting data backups. While exfiltration may still occur, having data backups will not only help your organization resume operations if an attack occurs, but can also provide visibility to your incident response (IR) team regarding what data exists, its value, and the implications of a possible leak. This can help inform ransom negotiations and other IR actions. Organizations should understand what backups they’re responsible for if they use a hybrid or cloud-only environment and should remember to test their backups regularly.
2. Following identity and access management best practices, with particular attention paid to external remote access tools. Most ransomware attacks (59.4%) observed by Arctic Wolf Incident Response in 2024 leveraged external remote access to gain initial access, meaning the threat actor just needed a set of compromised credentials to enter the environment through a VPN or unsecured Remote Desktop Protocol (RDP). These tools must be external facing by nature, so ensuring proper access controls are in place, such as phishing-resistant multi-factor authentication (MFA), will help prevent compromise.
3. Creating a robust vulnerability management program. Following closely behind external remote access for initial access was external exploit at 33.2% of Arctic Wolf IR investigations. By putting in place a consistent vulnerability management program that prioritizes regular remediation, organizations can prevent this exploit from occurring in the first place, stopping initial access. If a threat actor gains access to the environment another way, having the riskiest vulnerabilities patched can ensure that the cybercriminals are unable to exploit any internal applications for data access or exfiltration.
4. Employing a 24×7 monitoring, detection, and response solution. Monitoring is critical for preventing attacks, especially as threat actors utilize legitimate programs for malicious ends and often infiltrate multiple aspects of the environment in quick succession. Without ongoing monitoring and detection, unusual behavior across the environment could go unnoticed, allowing a ransomware actor to encrypt and exfiltrate assets with ease.
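The four steps above describe what a defender needs in place; the monitoring step in particular has to surface the two behaviours a double-extortion operation combines, bulk outbound transfer and mass file modification, before both have finished. The following added example, which is not Arctic Wolf's code or product logic, shows one simple way to correlate those signals. It runs over constructed egress and file-activity records for two made-up hosts (`ws-017`, `ws-042`); the internal network ranges, the per-host baseline egress volumes and the burst thresholds are all illustrative assumptions that would be tuned to an environment's real baseline.

```python
"""Correlate exfiltration-sized egress with encryption-style file bursts.

Added example, not code from the original post or from Arctic Wolf.
All telemetry below is constructed; hosts, baselines and thresholds
are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything outside it counts as egress.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed "normal" external egress per host per hour (bytes), plus a fallback.
BASELINE_HOURLY_BYTES = {"ws-017": 50_000_000, "ws-042": 50_000_000}
DEFAULT_BASELINE = 50_000_000

# Constructed egress records: (timestamp, host, destination IP, bytes out).
EGRESS_LOG = [
    ("2024-06-03T02:10:00", "ws-017", "203.0.113.45", 1_200_000_000),
    ("2024-06-03T02:14:00", "ws-017", "203.0.113.45", 1_500_000_000),
    ("2024-06-03T02:20:00", "ws-017", "203.0.113.45", 1_100_000_000),
    ("2024-06-03T09:05:00", "ws-042", "198.51.100.7", 4_000_000),
    ("2024-06-03T09:30:00", "ws-042", "10.0.0.12", 900_000_000),  # internal share, not egress
]


def _burst(host, start, count, step_ms, action="rename"):
    """Build constructed file-activity records: (timestamp, host, action, path)."""
    t0 = datetime.fromisoformat(start)
    return [
        ((t0 + timedelta(milliseconds=i * step_ms)).isoformat(), host, action, f"/share/docs/file{i}.docx")
        for i in range(count)
    ]


# Constructed file-activity records: 150 renames in 30 s on ws-017 (encryption-like),
# five ordinary writes spread over four minutes on ws-042.
FILE_LOG = _burst("ws-017", "2024-06-03T02:31:00", 150, 200) + _burst(
    "ws-042", "2024-06-03T09:00:00", 5, 60_000, "write"
)


def is_internal(dst):
    addr = ip_address(dst)
    return any(addr in net for net in INTERNAL_NETS)


def flag_exfiltration(records, baseline, multiplier=10):
    """Return {host: peak hourly external bytes} for hosts whose external
    egress in any one-hour bucket exceeds multiplier x their hourly baseline."""
    per_bucket = defaultdict(int)
    for ts, host, dst, nbytes in records:
        if is_internal(dst):
            continue
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        per_bucket[(host, hour)] += nbytes
    flagged = {}
    for (host, _hour), total in per_bucket.items():
        if total > multiplier * baseline.get(host, DEFAULT_BASELINE):
            flagged[host] = max(total, flagged.get(host, 0))
    return flagged


def flag_encryption_burst(records, window_seconds=60, max_events=100):
    """Return {host: peak event count} for hosts with at least max_events
    write/rename operations inside any sliding window of window_seconds."""
    by_host = defaultdict(list)
    for ts, host, action, _path in records:
        if action in ("write", "rename"):
            by_host[host].append(datetime.fromisoformat(ts))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_events:
            flagged[host] = peak
    return flagged


def run_detections():
    """Combine both detectors; a host hitting both is the double-extortion pattern."""
    exfil = flag_exfiltration(EGRESS_LOG, BASELINE_HOURLY_BYTES)
    bursts = flag_encryption_burst(FILE_LOG)
    return {
        "exfiltration": exfil,
        "encryption_burst": bursts,
        "multi_stage_hosts": sorted(set(exfil) & set(bursts)),
    }


if __name__ == "__main__":
    for key, value in run_detections().items():
        print(f"{key}: {value}")
```

Either signal on its own deserves a look, but the point of correlating them is priority: a host that has just pushed gigabytes to an external address and is now renaming files at machine speed is the case where the data is already gone and backups alone will not settle the matter, so it should go to the top of the triage queue.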