Thales Blog

The Pain of Double Extortion Ransomware

February 16, 2023

Rana Gupta | APAC Regional VP, Data Protection

Ransomware perpetrators are adopting more sophisticated attack techniques with much success. Attackers are increasingly threatening double and triple extortion in addition to ransom demands, putting more pressure on victims to comply. According to a recent market study [1], 71% of individuals surveyed said double and triple extortion tactics have grown in popularity over the last 12 months, and 65% agree that these new threats make it tougher to refuse ransom demands.

Ransomware attacks have become much more dangerous and have evolved beyond basic security defenses and business continuity techniques like next-gen antivirus and backups. The problem is that businesses are not yet aware of double or triple extortion ransomware and how these tactics can affect their data protection strategies.

What is Double Extortion Ransomware?

Double extortion ransomware is a growing type of cyber-attack in which a victim’s sensitive data is first stolen, and then encrypted, giving the criminal the option of demanding two separate ransom payments. Any organization that directly holds vast amounts of data or holds client, supplier, or partner information is vulnerable to double extortion attacks. As part of double extortion attacks, tactics often include the threat of DDoS attacks.

According to a separate study [2], double extortion, which became popular in the first quarter of 2020, collects confidential business information before encrypting a victim's database. To increase pressure, the bad actors then threaten to publish the private data. Triple extortion, a trend that quickly adopted this model, threatens to reveal information obtained from the victim’s organization to that organization's customers or suppliers, or even demands a secondary payment from individual customers whose data has been accessed.

The threat of double extortion tactics is ominous. According to the same report:

  • 38% of attacks threaten to use stolen data to extort customers
  • 35% of attacks threaten to expose stolen data on the dark web
  • 32% threaten to inform the victim’s customers that their data has been stolen

Particularly alarming are businesses that paid the ransom but still had their data exposed. 18% of the businesses that paid the ransom still had their data exposed on the dark web. Furthermore, 35% of the victims who paid the ransom were unable to get their data back.

Double extortion complicates the picture for victims: even if you pay, there is no guarantee that the attackers won't keep coming back to ask for more money at a future date, because they will still have your data.

The pains of double extortion ransomware

A security gap?

These methods pose significant security risks for businesses of all sizes. 72% of the survey respondents agree that ransomware attacks evolve quicker than the security controls required to protect against them. An additional 77% concur that governments should do more to assist private enterprises in defending against ransomware.

Data is compromised and already in criminal hands

Already-exfiltrated sensitive data constitutes one of the most concerning trends. The Cybersecurity and Infrastructure Security Agency (CISA) notes in an advisory that this weapon of attack circumvents conventional defenses and increases the pressure to pay. This data creates leverage for the bad guys as it increasingly affects the customers' personal information.

Ransomware gangs may become aggressive and divulge the data breach to the victim's customers, revealing that their sensitive personal or financial data was disclosed. With privacy becoming a top priority for many citizens across the globe, revelations of this type create a wave of distrust and fury.

At this point, typical defenses for ransomware, such as backups and restoration of systems and data, do not apply. And that is how they bypass all the ransomware response controls, demanding their victims pay.

Rising ransomware costs

All these degrees of extortion are driving up the cost of ransomware because criminal groups are encouraged to increase their demands. Average ransom demands have soared to between $50 million and $70 million. Many victims wind up paying a fraction of that amount, as they may be able to negotiate these charges down or rely on cyber insurance coverage to cover a portion of these costs. Either way, they legitimize such ransom demands and encourage attackers to continue making them. It is, therefore, not surprising that ransomware expenses are projected to reach $265 billion by 2031.

Preventing double extortion ransomware

Governments have taken multiple steps to help businesses mitigate the threat of ransomware attacks. But that does not mean ransomware is going to conveniently fade away. By prioritizing three security steps, businesses can optimize their ransomware protection tactics.

  • Invest in security awareness training to inform all personnel and familiarize them with ransomware threats.
  • Leverage their vulnerability management programs to prioritize and address security vulnerabilities that hostile actors could exploit to drop ransomware on businesses' systems.
  • Protect their data against ransomware attacks through Discover, Protect and Control.

1. Put simply, suppose the sensitive data is already encrypted. In that case, even if the attacker exfiltrates the sensitive data, it is of no use to the attacker, as it is all gibberish to anyone outside the controlled environment unless the attacker also has the encryption keys for the encrypted data.

2. Hence, keeping the encryption keys in tamper-proof hardware from which they cannot be extracted is critical to the strategy for defending against double extortion ransomware attacks.

3. Organizations can use technology as their savior against double extortion ransomware attacks by implementing encryption on sensitive data and keeping the encryption keys under a secure hardware key management appliance.
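
The reasoning in points 1 to 3, as an added example (not Thales code and not part of the original post): envelope encryption in Node.js, where each record is sealed under its own data key and only a wrapped copy of that key is stored beside it. `KeyVault` is a hypothetical in-process stand-in for a hardware key manager, and the function names and sample data are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// KeyVault is a hypothetical stand-in for a hardware key manager: the
// key-encryption key (KEK) is a private field that never leaves the object;
// callers can only ask it to wrap or unwrap a data-encryption key (DEK).
class KeyVault {
  #kek = nodeCrypto.randomBytes(32);
  wrap(dek) { return seal(this.#kek, dek); }
  unwrap(wrapped) { return open(this.#kek, wrapped); }
}

// AES-256-GCM; output layout is nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the key is wrong or the blob was modified.
function open(key, blob) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// The returned record is everything that reaches storage, and so everything
// an intruder can copy out: no plaintext and no usable key.
function protect(vault, data) {
  const dek = nodeCrypto.randomBytes(32); // fresh key per record
  return { wrappedDek: vault.wrap(dek), ciphertext: seal(dek, Buffer.from(data)) };
}

function read(vault, record) {
  return open(vault.unwrap(record.wrappedDek), record.ciphertext).toString();
}

// True only when this vault holds the KEK that wrapped the record's DEK
// and the record is unmodified.
function canRead(vault, record) {
  try { read(vault, record); return true; } catch { return false; }
}
```

A record copied out of storage is readable only through the vault that wrapped its key, so access control and logging on `unwrap` decide who can ever see plaintext.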

This brings me to the question of how organizations find the sensitive data in the first place. As per Thales’ Data Threat Report 2022, only 56% of respondents were very confident or had complete knowledge of where their sensitive data was being stored, and only 25% of respondents said they could actually classify all of their data.

These measures should be viewed in the broader context of a Zero Trust approach to cybersecurity, where businesses should assume they will be breached. Secure human identities, as well as machine identities, are the foundation of limiting the chances of a ransomware actor gaining access to sensitive data. In this regard, secure key management is essential for businesses to protect themselves from double extortion ransomware attacks.

Thales Key Management offerings streamline and strengthen key management in cloud and enterprise environments over diverse use cases. Leveraging FIPS 140-2-compliant virtual or hardware appliances, Thales key management tools and solutions deliver high security to sensitive environments and centralize key management for your home-grown encryption and third-party applications. This gives you greater command over your keys while increasing your data security. To learn more, contact an encryption specialist.

[1] Venafi global survey of IT decision makers on the use of double and triple extortion in ransomware attacks.

[2] Checkpoint Ransomware Study.