Thursday, October 5, 2023

Ransomware Amplified - Double and Triple Extortion Ransomware

What They Are and How to Avoid Them

By: Sentia   Categories: Security, Cyber Security, Data Security

October is Cybersecurity Awareness Month, so our blog posts for this month will focus on different areas of cybersecurity to continue to drive awareness and education on evolving trends.

This week, our focus will be on ransomware - specifically double and triple extortion ransomware.

Traditional ransomware, as we know, has been around for decades. In a "regular" ransomware attack, system data is locked and encrypted until the victim agrees to pay the attacker to get the data back. This has proven unsuccessful for attackers, however, because victims can often restore their data and systems from backups.

The first ever ransomware attack is reported to have occurred in 1989 with the "AIDS trojan", where 20,000 infected floppy discs were handed out at that year's World Health Organization (WHO) AIDS conference. After a certain number of boots, user files were encrypted and the victim was asked to send a ransom to a PO box. Luckily, the ransomware was fairly easy to isolate and remove using technology available at that time.

Of course, ransomware has evolved rapidly since then, becoming much more sophisticated over the years.

Enter double and even triple extortion ransomware. 

Double and triple extortion ransomware are basically amplified forms of ransomware. They are more sophisticated and aggressive forms of ransomware attacks involving additional tactics to increase the pressure on victims to pay the ransom.


Double Extortion Ransomware:

Let's start with double extortion ransomware: this form of attack typically involves two main tactics:

  1) Encryption of Data: Similar to traditional ransomware, attackers encrypt the victim's data and demand a ransom in exchange for the decryption key.

  2) Data Theft and Threat of Exposure: In addition to encrypting the victim's data, the attackers also steal sensitive or confidential information before encrypting it. They then threaten to release this stolen data publicly if the ransom is not paid. This threat puts additional pressure on the victim to meet the extortion demands.

The combination of data encryption and data theft/leakage threats creates a double layer of pressure on the victim, hence the name "double extortion."

The first public reports of double extortion ransomware surfaced in 2019, originated by the Maze gang. In the fall of 2019, a company received an email from the “Maze Crew” indicating that they had breached a security staffing company. The attackers indicated that they had downloaded data from their victim’s network and threatened to begin releasing that stolen information unless the company agreed to pay the requested ransom demand. 


Triple Extortion Ransomware: 

 Triple extortion ransomware takes the extortion tactics to another level, involving three main tactics: 

  1) Encryption of Data: Like in traditional ransomware attacks, the attackers encrypt the victim's data. 

  2) Data Theft and Threat of Exposure: Similar to double extortion, the attackers steal sensitive data and threaten to make it public. 

  3) Extortion of Business Partners or Customers: In a triple extortion scenario, the attackers also threaten to release the stolen data to the victim's business partners, customers, or other third parties, causing reputational damage and potential legal consequences for the victim. This expands the scope of potential victims beyond just the initial target. 

These tactics are intended to maximize the pressure on the victim to pay the ransom quickly. The threat of data exposure can be especially damaging for organizations, as it can result in significant financial losses, legal liabilities, and damage to their reputation. 


Why is Double/Triple Extortion Ransomware Happening?

To put it simply, this phenomenon has gained prominence with the rise of data backup best practices. It's this security hygiene that's giving organizations an escape when it comes to paying a ransom in exchange for a decryption utility. By using double and triple extortion, ransomware attackers can compel organizations to pay a ransom to avoid the threat of a data leak, even if they are able to recover their information using data backups.

But of course, paying a ransom does not guarantee that an attacker will uphold their end of the bargain by not leaking the data. There have been many instances of attackers reneging on their promises and re-infecting companies that had previously paid a ransom. This is why exercising preventative measures is so crucial.


How to Protect Against Double and Triple Extortion Ransomware Attacks

Prevention is the golden key to protect against these attacks. To defend against double and triple extortion ransomware attacks, organizations should have robust cybersecurity measures in place, including regular data backups, strong access controls, employee security awareness training, and up-to-date security software.

Additionally, it is essential to have a comprehensive incident response plan in case an attack does occur, which includes steps for containing the breach and minimizing damage. The more prepared you are in the event of an attack, the better you will be able to manage it.

To develop or enhance any or all of the above, talk to Sentia about our cyber readiness assessment and be on the path to a more cyber resilient future. 

Sentia

We are a high-value, trusted, Canadian IT solutions provider dedicated to delivering secure and reliable IT solutions across a wide variety of industries. We are committed to helping our customers meet and optimize their business goals.
