Dennis Underwood
Published on
December 21, 2022

Double Extortion Ransomware: What You Need to Know

If you aren't careful, double extortion ransomware can cripple your business. Read this article to learn how it works and how to protect against it.

Double extortion ransomware is malware that not only encrypts data and holds it hostage but also steals a copy of it first, so the attackers can threaten to expose or leak confidential information if ransom demands are not met. It is particularly dangerous because it threatens both the victim's data and the victim's reputation.

This type of attack is becoming increasingly popular among cybercriminals because it lets them extract more money from their victims. The attackers typically gain a foothold through phishing emails, malicious links or attachments, exposed remote-access services, or credentials bought from other criminals. Once the encryptor is launched, it encrypts the victim's data and a ransom payment is demanded in exchange for the decryption key.

The attackers also threaten to publish the victim's confidential data if the ransom is not paid. The stolen data is an asset in itself, which the criminals can sell or reuse for further extortion, and that is a large part of why this model has spread so quickly. Educating employees about cyber security and implementing strong, tested backups help defend against less sophisticated attacks, but backups only restore what was encrypted; they do nothing about what was stolen. Preventing identity and data theft requires tooling that stops the theft as it begins, rather than more generalized tools that only try to reduce the pain after an attack.

Read: Why Ransomware Defense Efficiency is so Important

What Is Double Extortion Ransomware? 

A double extortion ransomware assault pushes the standard ransomware attack to a higher level and raises the stakes. The cybercriminal seizes control of the victim's data and files, or even entire servers.

The data is encrypted, and payment is requested in exchange for access. The encryption stage of a ransomware assault is launched on many victim machines at once, so a business can see most of its critical data rendered inaccessible within minutes.

In double extortion, however, attackers go one step further by threatening to publish the sensitive material on the dark web, or sell it to the highest bidder, if the ransom is not paid by the deadline. Backups are useful for recovering data when the criminals fail to find and destroy them (they actively look for them), but backups do nothing to lessen the harm caused by stolen information that becomes public.

The result is that the attacker has far more leverage to force payment. Law firms, healthcare institutions, and schools, to mention a few, hold huge quantities of sensitive data that, if exposed, may be catastrophic for the institution and for the people whose data it is. This is what makes double extortion ransomware assaults so devastating and so successful.

Are you worried about being a victim of double extortion ransomware? Take a look at Cybercrucible’s unmatched data protection.

Typical Double Extortion Ransomware Attack Sequence 


In a double extortion ransomware operation, the attacker first acquires access to a victim's network through any of many documented threat vectors. The operator then conducts network discovery to find and secure access to the critical assets throughout the network and its endpoints, and copies the valuable data out to storage the attacker controls before the encryptor is ever launched.

1. Initial Access

The perpetrators of the ransomware stage are usually not the first criminals to attack a business. Initial access brokers specialize in finding any possible way into a targeted business and then sell that access on. Often, they send bogus communications imitating a company's leaders, tricking employees into performing actions that expose sensitive information. The recipients are meant to assume the message came from one of their bosses and voluntarily provide what was requested. That information can then be used to steal login credentials from the employee's employer, or even to blackmail an executive into cooperating with the attack.

Whoever ends up holding valid login credentials can then run the double extortion attack from inside the network, looking like a legitimate user.

2. Lateral Movement

Lateral movement is an important step in double extortion ransomware attacks. This is the process of moving from one compromised system to another, allowing the attacker access to more data, systems, and networks. 

Lateral movement is commonly done using legitimate credentials, exploiting vulnerabilities, or using a tool to spread the malware automatically. In double extortion ransomware attacks, lateral movement can be used to gain access to more valuable data and access to more machines to encrypt during the attack. 

This increases the impact of the attack and lets the attacker demand a higher ransom in return for the decryption key. Lateral movement is also used to build persistence on the network, so that the attacker keeps access even after the initial encryption has occurred and can come back for a second round. Because so much of it is done with legitimate credentials and administrative tools, this is the stage where an unusual pattern of logons, rather than a known piece of malware, is the defender's best signal.

3. Data Exfiltration

In a double extortion ransomware attack, data exfiltration is the stage where the attacker copies sensitive data from a system or network to an external location in order to exploit it later. It is a serious breach in its own right, leading to loss of confidential information, financial loss, and reputational damage even if the encryption stage is never reached.

The exfiltration is done quietly in the background, usually over days, before the victim knows anything is wrong. It commonly targets credentials, financial records, intellectual property, and any other confidential data. Attackers often compress and encrypt the stolen data before uploading it, frequently to legitimate cloud storage services, so that the transfer blends in with normal business traffic.

Exfiltration during these attacks can be difficult to detect because the attackers camouflage their activity and use evasive techniques. The signals to watch for are large outbound transfers from internal hosts, especially outside business hours, or to destinations the business has never sent data to before.
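As an added example (not code from the original article or from Cyber Crucible), here is the kind of detection logic a defender can run over the two stages just described, lateral movement and data exfiltration. It flags an account that authenticates to an unusual number of distinct hosts in a short window, and an internal host that pushes an unusual volume of bytes to a single external address. The log lines, their field layout, the corporate address ranges and the thresholds are all constructed or assumed for this example, not taken from any vendor's format.

```python
"""Detection logic for two stages of a double extortion intrusion:
lateral movement (one account logging on to many hosts in a short window)
and exfiltration (an internal host sending a large volume to one external
address). Log layout, address ranges and thresholds are assumptions
made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed authentication events: time, account, source host, destination host.
# The 2 a.m. burst from a service account is the pattern we want to catch.
AUTH_LOG = """\
2022-12-01T02:01:10 svc_backup WS-17 FS-01
2022-12-01T02:01:42 svc_backup WS-17 FS-02
2022-12-01T02:02:05 svc_backup WS-17 DC-01
2022-12-01T02:02:30 svc_backup WS-17 SQL-01
2022-12-01T02:03:11 svc_backup WS-17 HR-FS
2022-12-01T02:03:50 svc_backup WS-17 FIN-01
2022-12-01T09:15:00 alice WS-03 FS-01
2022-12-01T11:40:12 alice WS-03 PRINT-01
"""

# Constructed flow records: time, source IP, destination IP, bytes sent.
FLOW_LOG = """\
2022-12-01T02:10:00 10.0.5.17 10.0.1.20 48213
2022-12-01T02:20:00 10.0.5.17 203.0.113.44 2147483648
2022-12-01T02:35:00 10.0.5.17 203.0.113.44 3221225472
2022-12-01T09:30:00 10.0.5.3 198.51.100.10 1048576
2022-12-01T10:00:00 10.0.5.3 10.0.1.20 734003200
"""

# Assumed corporate address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_lateral_movement(log: str, window: timedelta = timedelta(minutes=10),
                            max_hosts: int = 4) -> dict:
    """Return {account: sorted destination hosts} for every account that
    authenticated to more than max_hosts distinct hosts within any window."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, account, _src, dst = line.split()
        events[account].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for account, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct hosts reached in the window opening at this event.
            hosts = {dst for t, dst in evs[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


def detect_exfiltration(log: str, threshold_bytes: int = 1 << 30) -> dict:
    """Return {(src, dst): total bytes} for internal hosts that sent more
    than threshold_bytes to a single external address. Internal-to-internal
    transfers (file copies, backups) are ignored as normal."""
    totals = defaultdict(int)
    for line in log.splitlines():
        _ts, src, dst, nbytes = line.split()
        if is_internal(dst):
            continue
        totals[(src, dst)] += int(nbytes)
    return {k: v for k, v in totals.items() if v > threshold_bytes}


if __name__ == "__main__":
    for account, hosts in detect_lateral_movement(AUTH_LOG).items():
        print(f"lateral movement: {account} reached {len(hosts)} hosts: {hosts}")
    for (src, dst), total in detect_exfiltration(FLOW_LOG).items():
        print(f"possible exfiltration: {src} -> {dst}, {total / (1 << 30):.1f} GiB")
```

In a real deployment the thresholds would be set from a baseline of normal behaviour for each account and host; the point of the example is that neither detector needs a malware signature, only the logons and flows the network already produces.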

4. Ransomware Deployment

Ransomware deployment is the visible stage of a double extortion attack and can be devastating to a business. Attackers leverage malicious code to encrypt files and demand payment from victims, and in some cases from their customers as well.

The attackers typically demand a large ransom amount from the victim and then extort them further by demanding payment from their customers to decrypt their data. This strategy can be highly effective, as the victim is often forced to pay a ransom in order to protect their customers' data.

Recently, extortionists have learned to make the attack just disruptive enough to force fast payment of a ransom the business can barely afford, while stopping short of pushing the business into bankruptcy. A business that survives can be extorted again, and the criminals have learned that repeated extortion yields the most money over time.

5. Extorting Customers and Suppliers

Attackers use the resources they gained during the attack to find new victims. They target the customers and suppliers of the business they originally compromised, using the stolen information to extort them as well. Sometimes they even use their access on the original victim to send malicious emails from its real accounts, knowing that the victim's customers and suppliers are more likely to treat those emails as safe.

In addition to the financial loss, double extortion ransomware attacks can also cause reputational damage and the loss of sensitive data that can compromise not only your business but the businesses that put their trust in you. Therefore, organizations must take measures to prevent, detect and respond to ransomware deployment during double extortion attacks.

Related: Downtime After Ransomware: The Silent Killer

How Can You Protect Against This Ransomware?


Protecting yourself against a well-planned and well-executed double extortion ransomware attack is a difficult uphill battle. By the time the encryptor runs, the attackers have typically already positioned themselves on dozens of machines, allowing them to strike quickly and at the most critical parts of the environment.

Signature-based anti-malware tools only recognize malware they have already seen. They can be ineffective against double extortion ransomware attacks because each crew rebuilds or obfuscates its encryptor, and much of the intrusion (credential theft, lateral movement, exfiltration) is carried out with legitimate administrative tools rather than with anything that looks like malware at all.

The most effective tools are behavior-based systems that detect the malicious actions themselves (mass file encryption, credential dumping, bulk data transfer) and notify teams that have not yet picked up the threat, or whose monitoring the attackers have disabled.
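To make the difference between signature-based and behavior-based detection concrete, here is an added example of the second kind; it is not code from the original article or from Cyber Crucible. Instead of matching a known binary, it watches what a process does to files: a process that, within a few seconds, rewrites many files with near-random (encrypted) content and a changed extension is flagged, and so is any process that touches a planted canary file. The file events, the pseudo-random stand-in for ciphertext, the canary name and the thresholds are constructed or assumed for the example.

```python
"""Behavior-based ransomware detector (example). Flags a process that rewrites
many files with high-entropy content and a changed extension inside a short
window, or that touches a canary file. Events and thresholds are constructed
or assumed for this example, not tuned production values."""
import hashlib
import math
import os
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution.
    Encrypted output sits near 8.0; documents and source code sit well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareBehaviorDetector:
    def __init__(self, window_s=5.0, min_files=5, entropy_threshold=7.0, canaries=()):
        self.window_s = window_s                # seconds of history per process
        self.min_files = min_files              # suspicious rewrites needed to alert
        self.entropy_threshold = entropy_threshold
        self.canaries = set(canaries)           # basenames of planted decoy files
        self._suspicious = defaultdict(deque)   # pid -> timestamps of suspicious writes
        self.alerts = []

    def observe(self, ts, pid, src_path, dst_path, data):
        """Feed one file-write event (file src_path written back as dst_path
        with content data). Returns the alerts this event raised."""
        raised = []
        names = {os.path.basename(src_path), os.path.basename(dst_path)}
        if names & self.canaries:
            raised.append(f"pid {pid}: canary file touched ({src_path})")
        ext_changed = (os.path.splitext(src_path)[1].lower()
                       != os.path.splitext(dst_path)[1].lower())
        if ext_changed and shannon_entropy(data) >= self.entropy_threshold:
            q = self._suspicious[pid]
            q.append(ts)
            while q and ts - q[0] > self.window_s:   # drop events outside the window
                q.popleft()
            if len(q) == self.min_files:             # fire once as the threshold is crossed
                raised.append(f"pid {pid}: {len(q)} high-entropy rewrites with "
                              f"extension change in {self.window_s:g}s")
        self.alerts.extend(raised)
        return raised


# Constructed sample content. CIPHERTEXT is deterministic pseudo-random bytes
# standing in for encrypted output; TEXT is ordinary document content.
TEXT = b"Q3 revenue by region, see attached spreadsheet for details.\n" * 64
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


def run_scenario():
    """Replay a constructed sequence of file writes and return the alerts."""
    det = RansomwareBehaviorDetector(canaries={"~$budget_canary.xlsx"})
    events = [
        # Legitimate office activity: low-entropy content, extension unchanged.
        (0.0, 4242, "/srv/share/finance/report.docx", "/srv/share/finance/report.docx", TEXT),
        # Legitimate backup job: high entropy (compressed) but extension unchanged.
        (1.0, 7777, "/srv/backup/2022-12-01.zip", "/srv/backup/2022-12-01.zip", CIPHERTEXT),
    ]
    # The encryptor: six spreadsheets in three seconds, each rewritten as .locked.
    for i in range(6):
        events.append((10.0 + 0.5 * i, 9001,
                       f"/srv/share/finance/q{i}.xlsx",
                       f"/srv/share/finance/q{i}.xlsx.locked", CIPHERTEXT))
    # ...and then it reaches the decoy file planted among the real ones.
    events.append((13.5, 9001, "/srv/share/finance/~$budget_canary.xlsx",
                   "/srv/share/finance/~$budget_canary.xlsx.locked", CIPHERTEXT))
    for ev in events:
        det.observe(*ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

The backup job writes high-entropy data too, which is why entropy alone is a poor signal; combining it with the extension change and the rate, and adding a canary that no legitimate program should ever touch, is what keeps the false-positive rate workable. A real product would hook the file system driver or use a kernel minifilter to see these events and would suspend the process at the first alert rather than merely record it.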

Related: Why Aren’t Security Tools Stopping Ransomware

Can You Stop an Attack While It's Happening?

Because of the sophisticated nature of double extortion ransomware attacks, a tool specialized to prevent theft and extortion, such as Cybercrucible, is needed alongside general-purpose defenses.

Cybercrucible’s Extortion Prevention feature is designed to protect before an attack succeeds by monitoring deep operating system behaviors, such as memory activity and accesses to identity data, stopping the attack immediately and then notifying users that they were just saved from an attack.

During an attack, Cybercrucible’s Automated Protection kicks in as soon as data theft, credential theft, or ransomware encryption is attempted, before meaningful damage is done.

After an attack, Cybercrucible’s Post-Incident Analysis can be used to investigate why a program was suspended by Automated Protection and how it got there, so that the gap in security it exploited can be closed.

Want to give Cybercrucible a try? Click here for a free trial!

The Importance of Protecting Against Double Extortion Ransomware

In May 2021, one of the most infamous double extortion incidents hit Colonial Pipeline, which carries roughly 45% of the East Coast's fuel supply, including gasoline and jet fuel. The DarkSide ransomware group stole about 100 GB of data and encrypted the company's IT systems, and Colonial Pipeline paid roughly $4.4 million in bitcoin (75 BTC) within a day to obtain a decryptor and restore services. The attack itself hit the corporate IT network, including billing systems, not the pipeline's operational systems; Colonial shut the pipeline down as a precaution, and that shutdown is what caused the fuel shortages that followed.

Double extortion attacks like these are a growing threat in the cyber security landscape. They involve a malicious actor both encrypting data and stealing sensitive information, leaving organizations and individuals exposed to devastating losses of data, money, and reputation.

Protecting against double extortion is essential in order to prevent costly damage to an organization or individual. Basic cyber security measures still matter: multi-factor authentication on every remote access path, strong unique passwords, prompt patching of internet-facing systems, and offline or immutable backups that are tested regularly all raise the cost of an attack.

Most importantly, ensure you are protected during all phases of a double extortion ransomware attack by using Cybercrucible’s Power Advanced Cyber Options or its Set & Forget automated features to protect yourself before, during and after an attack.

About the author
Dennis Underwood

Dennis Underwood is a veteran, cybersecurity leader, inventor, and entrepreneur with over 20 years of experience. He is an expert in cryptography and intrusion discovery and analysis, having discovered multiple previously unreported intrusions at clients throughout his career. Currently, he is leading a team of like-minded experts delivering next generation intrusion discovery and ransomware response automation tools to consumers.
