The Dangers of Double (and Triple) Extortion

The techniques and tactics of cybercriminals are constantly evolving, becoming ever more intricate and complex. This innovation, of course, also makes their attacks more difficult to defeat. It can feel like an endless game of whack-a-mole, with the security industry developing a way to thwart an attack, only to find cybercriminals have developed a workaround that is — sometimes — even worse.

One recent innovation has the potential to exponentially increase the damage done by ransomware attacks. And that’s bad news for organizations, as ransomware attacks are already on the rise. According to the 2022 Verizon Data Breach and Investigation Report, “In 2021, ransomware has continued its upward trend with an almost 13% increase (for a total of 25% of breaches)—a rise as big as the past five years combined.”  

With that in mind, it’s time to take a closer look at this most recent — and most devious — innovation in ransomware attacks: double extortion, and its even nastier cousin, triple extortion. 

What is Extortion? 

In a standard ransomware attack, cybercriminals encrypt your data and demand payment in exchange for the decryption key. This kind of attack has been around in one form or another for over 30 years. All that time has given the security industry a chance to develop best practices around protecting systems from these kinds of attacks. As more organizations embrace off-site backups that can be accessed to restore systems in the event of an incident, cybercriminals have seen their profits dip as more of these standard — or single extortion — ransomware attacks fail.

What is Double Extortion? 

In a double extortion attack, cybercriminals exfiltrate the data before encrypting it. If an organization seems reluctant to pay the ransom (perhaps because it has a full off-site backup from which it can restore its systems), the attacker threatens to release the stolen data on the dark web, potentially exposing customer information and the organization’s proprietary intellectual property.

The unlucky victim of the first double extortion attack to grab headlines was security staffing organization Allied Universal. Cybercriminals stole a copy of the firm’s data before encrypting their systems, then threatened to publish the data unless the $2.3 million ransom was paid.   

Since then, several high-profile ransomware gangs have turned to double extortion tactics to ensure payment. And these are not empty threats. In one 2021 attack, the D.C. police refused to pay the $4 million ransom their attackers were demanding. Soon, the department found their data had been leaked online, including intelligence information, names of witnesses, and personal data of employees ranging from medical histories to polygraph results. 

What is Triple Extortion? 

With this relatively new type of attack, cybercriminals can stretch a single attack out into multiple payouts. They not only encrypt the data, and not only steal it and threaten to release it if the ransom isn’t paid, but also contact individuals who may be impacted by the data’s release and tell them to pay up or risk having their information exposed.

This attack type seems to have originated in 2020, with an attack on a mental healthcare provider in Finland, Vastaamo. The attackers contacted individual patients of the provider, threatening to release their records — including the detailed notes of their therapists — to the public if payment wasn’t made. 

How To Prevent Ransomware Attacks 

It’s no longer enough to have full backups of your system data stored off-site. With the rise of double and triple extortion, the risk of reputational damage has proven an effective tool with which cybercriminals are able to extract payment. 

So, what can be done to stop them? The key is a proactive approach to cybersecurity. That means: 

  • Monitoring remote modes of access into your systems, such as VPNs, Active Directory, and RDP
  • Being wary of suspicious emails, links, attachments, login attempts, and unwarranted physical access to devices 
  • Keeping software up-to-date and patching any known vulnerabilities 

How Arctic Wolf Can Help 

Turning to managed security operations solutions can make the difference in protecting you from the risks of ransomware. Arctic Wolf — the leader in security operations — offers multiple solutions that can help you end cyber risk for your organization. 

Managed Detection and Response provides 24×7 monitoring of your networks, endpoints, and cloud environments, helping you to keep tabs on every remote mode of access into your systems — and ensuring attacks are contained before they can do damage. 

Managed Security Awareness prepares your employees to recognize and neutralize social engineering attacks and human error, better protecting your organization, your people, and your data from suspicious emails, links, attachments, login attempts, and unwarranted physical access to devices. 

Managed Risk enables you to discover, assess, and harden your environment against digital risks by contextualizing your attack surface coverage across your networks, endpoints, and cloud environments. Fully managed by our Concierge Security Team, it offers around-the-clock monitoring for vulnerabilities, system misconfigurations, and account takeover exposure — as well as recommendations to help you harden your security posture. 

Sule Tatar

Sule Tatar is a Senior Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.