Double extortion ransomware attacks follow a similar protocol to that of a typical ransomware attack. But, they come with an extra threat: The victim must pay a ransom not only to regain access to their technology and data but also to keep that data from being uploaded publicly online. Double extortion ransomware attacks are particularly concerning, as these incidents can further pressure organizations to comply with ransom demands in order to keep their data private.
The number of ransomware attacks involving double extortion tactics jumped from 229 to 2,371 in the span of a year, an unprecedented 935% increase, according to new research from Group-IB. This article examines how these attacks work and why they’re on the rise.
How Double Extortion Ransomware Attacks Work
Double extortion ransomware attacks start like most other ransomware incidents: A cybercriminal first gains access to their target’s device or server, often via phishing scams, nonsecure websites or malicious attachments. From there, the cybercriminal is able to compromise the victim’s technology and encrypt data stored on it. Then, the cybercriminal delivers their ransom demand and accompanying consequences for noncompliance.
Contrary to a typical ransomware incident, however, the consequences of a double extortion attack are twofold. That is, failing to pay the ransom could result in the cybercriminal permanently restricting the victim’s access to their technology and sensitive data as well as sharing this data publicly on the internet. Although double extortion ransomware attacks can occur at any organization, these incidents are most common within establishments that store a considerable amount of sensitive data. This includes health care facilities, financial institutions, government organizations and large retail businesses.
Double extortion ransomware attacks can be significantly more damaging to affected organizations than typical ransomware incidents. This is because even if organizations have protocols in place (e.g., storing data in multiple secure locations) that allow them to recover their compromised information without paying a ransom, they may still be pressured to do so in order to keep their data from going public. After all, a data breach can lead to further ramifications—including reputational damages, regulatory fines and class action lawsuits.
What’s more, cybercriminals who conduct double extortion ransomware attacks are known to demand higher ransom payments, sell or trade stolen data to other attackers for future extortion attempts, and still move forward with sharing data publicly even after the ransom is paid (whether on purpose or by accident)—making these attacks all the more damaging.
Double Extortion Ransomware Attacks Are on the Rise
As noted per Group-IB, double extortion ransomware attacks saw a 935% increase in just one year’s time. Thanks to an unholy alliance of ransomware-as-a-service actors and initial access brokers (parties selling access to corporate systems), cybercriminals were able to reach new heights in 2021, according to Group-IB’s report on the latest trends in technology-based crime.
The partnership between the two groups allows threat actors to deploy their attack of choice on already-compromised systems and opens the door to a wide range of “beginners” to ransomware.
“The fact that tools for conducting full-fledged attacks against corporate networks are widely available means that underground actors can make money with almost no risk or effort,” Group-IB said. “The market for initial access has been flooded with low-skilled threat actors who, despite their poor knowledge of the technical aspects involved, pose a threat to companies.”
According to the report, this multimillion-dollar market expanded by 204% between the second half of 2018 to the first half of 2020. It grew another 16% between 2020 and 2021 to an estimated $7.2 million in value, Group-IB added.
U.S.-based organizations are by far the most popular targets for initial access brokers, with manufacturing, education and financial services as the top industries. Another recent report from the firm found that between 2019 and 2020, ransomware actors netted at least $1 billion from their malicious efforts.
Once in, cybercriminals have shown an increasing preference for double extortion by both encrypting systems and exfiltrating data as leverage. The report found that much of the data does end up leaked online, regardless of whether a ransom was paid.
“In the first three quarters of 2021, ransomware operators released 47% more data on attacked companies than in the whole of 2020,” Group-IB’s researchers said. “Taking into account that cybercriminals release data relating to only about 10% of their victims, the actual number of ransomware attack victims is likely to be dozens more.”
Group-IB estimated about 30% of victim firms pay a ransom. The Conti ransomware group has proved to be the most aggressive in leaking data, followed by Lockbit, Avaddon, REvil and Pysa.
Preventing Double Extortion Ransomware Attacks
When it comes to combatting double extortion ransomware attacks, it’s important to prioritize standard ransomware prevention measures. These include conducting routine employee training on how to detect potential ransomware risks (e.g., suspicious emails or attachments), implementing policies that prohibit browsing nonsecure websites on organizational servers or devices, and installing adequate security features on all workplace technology (e.g., a virtual private network, antivirus programs, data encryption software, email spam filters, an internet firewall and a patch management system).
In addition to these key prevention measures, the best course of action for reducing double extortion ransomware attack risks is to establish an effective cyber incident response plan for your organization. This plan should explicitly address double extortion ransomware attack scenarios and outline steps that employees should take to limit the damages during such an event.
Lastly, it’s vital to secure appropriate insurance coverage for ultimate peace of mind in the event of a ransomware attack. A dedicated cyber insurance policy can offer much-needed support and resources when an attack occurs, minimizing the potential damages and financial impact on your organization.
For additional risk management guidance and insurance solutions, contact us today.