Double and triple extortion attacks

Initially, ransomware did one thing: it denied access to data by encrypting files on individual or organizational devices.

In exchange for the decryption key, the victim had to pay a ransom, typically in Bitcoin.

Performing regular backups and keeping them offline are effective ways to safeguard critical data from ransomware threats.

If a system is locked by ransomware, the data can be restored from the offline backup and operations resumed without paying; the backup must be tested regularly, because a backup that has never been restored is only a hope.
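One way to check that a backup is actually restorable, as an added example that is not part of the original article: the script below hashes a file tree before the backup copy is taken, then verifies any tree (the live one or the restored one) against that manifest, reporting files that are missing, modified or unexpected. The sample tree, the directory names and the XOR "encryption" stand-in that simulates the ransomware are all constructed for the example.

```python
"""Backup manifest check (example code, not from the original article).

Hash a file tree before it is backed up, then verify a tree against the
manifest. The sample data and the fake ransomware are constructed inline,
so the script runs offline and touches only a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(manifest: dict, root: Path) -> dict:
    """Compare a tree with the manifest taken before the backup.

    missing    - files in the manifest that no longer exist
    modified   - files whose content changed (e.g. encrypted in place)
    unexpected - files not in the manifest (e.g. .locked copies, ransom notes)
    """
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def simulate_encryption(root: Path, key: int = 0x5A) -> None:
    """Stand-in for ransomware (assumption for the example): XOR every file
    with a one-byte key and rename it with a .locked suffix."""
    for p in list(root.rglob("*")):  # materialise first; we mutate the tree
        if p.is_file():
            scrambled = bytes(b ^ key for b in p.read_bytes())
            p.with_suffix(p.suffix + ".locked").write_bytes(scrambled)
            p.unlink()


def run_scenario() -> dict:
    """Take a manifest, copy the tree to an 'offline' location, let the fake
    ransomware hit the live tree, then verify both trees against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"            # assumed live data location
        offline = Path(tmp) / "offline_backup"  # assumed offline copy
        (live / "finance").mkdir(parents=True)
        # constructed sample data
        (live / "finance" / "q3.csv").write_text("invoice,amount\n1001,42.00\n")
        (live / "notes.txt").write_text("constructed sample data\n")

        manifest = build_manifest(live)
        shutil.copytree(live, offline)  # the backup, taken before the incident
        simulate_encryption(live)

        return {
            "live": verify_tree(manifest, live),
            "backup": verify_tree(manifest, offline),
            "file_count": len(manifest),
        }


if __name__ == "__main__":
    result = run_scenario()
    print("live tree  :", result["live"])
    print("backup tree:", result["backup"])
```

In a real deployment the manifest is written alongside the backup and kept with it offline; after a restore, running the verify step against the restored tree is what proves the backup was usable, and the "unexpected" list is a cheap indicator that a tree has already been touched by an intruder.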

As more victims trained their staff, kept backups and refused to pay, criminals looked for additional ways to pressure them.

The result is a threat different enough from the past that a new term was coined for it: double extortion.


Double extortion

Double extortion tactics generally include a notification to the victim, indicating that the data has been stolen and that the copies are in the possession of the attacker.

From then on, the victim has a period of time (ranging from a few days to several weeks) to pay the ransom.

If the victim refuses to pay, the stolen data will be made public after the timer expires.

If, on the other hand, the victim pays, the attacker promises to deliver a decryption key and to destroy the exfiltrated copy. The second promise cannot be verified: paying may restore availability, but it does not restore confidentiality, and the data must be treated as breached regardless.

To encourage timely payment, it has become common for the attacker to publish a subset of exfiltrated data.

This is typically a small sample of highly sensitive records, offered as proof that the attacker really holds the data.

In short, the organization suffers two simultaneous forms of extortion: extortion by locking files with encryption and extortion by threatening to publish sensitive data. This is what gives the attack its name.

Attackers switched to this strategy for several reasons.

In particular, free decryptors are available for many ransomware families, such as MegaLocker and TeslaCrypt.

This means that reusing one of those families no longer guarantees payment by the victim.

In addition, many organizations have strengthened their backup and recovery tools and procedures to enable rapid recovery of encrypted devices and files.

Recovery can still cause significant downtime, but if the cost of that downtime is lower than the ransom, the organization will accept the downtime rather than pay.

This technique has also been recorded in Italy, where a company organizing music and theater events was hit by the Maze ransomware.

In that case the criminals published 2% of the exfiltrated data, about 3 GB, as evidence.


Triple extortion

To make matters worse, attackers added a third lever on top of the previous two, a model known as triple extortion, used for example by the Avaddon ransomware group.

The data is encrypted and exfiltrated as before, and if the victim does not respond to the ransom demand or the leak threat, the attackers launch a DDoS attack against some of the victim's public-facing services to force them back to the negotiating table.

Long used on their own as an extortion method (ransom DDoS), DDoS attacks are now among the services offered by ransomware-as-a-service (RaaS) operators.

This further increases the pressure on the victim in two ways. First, it emphasizes the seriousness of the adversary. Second, keeping services available adds another stressor to a security team already struggling with the first two extortions.