Double extortion ransomware is a type of malware attack that escalates traditional ransomware by combining encryption with elements of extortionware: in addition to encrypting the victim’s data, the attackers first steal a copy of it and threaten to publicly leak or sell it if the ransom is not paid. The stolen data gives the attackers a second source of leverage that is independent of whether the victim can recover the encrypted files.
The first double extortion attacks were reported in 2019 and were carried out by several criminal groups, including the Maze ransomware group (tracked by Proofpoint as TA2101) and the REvil ransomware gang. Since then, numerous high-profile double extortion incidents have been reported.
A double extortion ransomware attack begins with the attacker gaining initial access to the victim’s environment. Common routes include phishing, malware delivered by email or from malicious websites, exploitation of known but unpatched vulnerabilities in internet-facing services, and credentials stolen in earlier data breaches. Once inside, the attacker moves laterally across the network, typically escalating privileges along the way, to reach as many high-value assets as possible.
The next step is data exfiltration. The attacker identifies valuable data (customer records, financial and legal documents, intellectual property) and copies it to attacker-controlled infrastructure, often over encrypted channels or to ordinary cloud storage services so that the transfer blends in with legitimate traffic. Only after the exfiltration is complete does the attacker deploy the ransomware and encrypt the victim’s files, because mass encryption is noisy and would alert the victim before the theft is finished.
At this point, the attacker demands a ransom in exchange for the decryption key. In a double extortion attack, however, the threat does not end there. Even if the victim refuses to pay because it can restore its files from backups, the attacker threatens to publish the stolen data, commonly on a dedicated leak site, or to sell it. Backups therefore neutralize only the encryption half of the attack; the prospect of regulatory penalties, lawsuits, reputational damage, and exposure of customers and partners is what puts additional pressure on the victim to pay.
Publicly reported double extortion incidents include attacks carried out by groups such as Maze, REvil, DarkSide, BlackMatter, and LockBit. These groups have targeted organizations across many industries, causing significant disruption and financial losses.
To reduce the risk of double extortion ransomware attacks, individuals and organizations can take several proactive steps. Strong authentication, in particular multi-factor authentication on remote access and administrative accounts, together with least-privilege access policies, makes it harder for attackers to gain access and to extend it once inside. A defense-in-depth strategy that includes firewalls, network traffic analysis tools, and intrusion prevention systems can help detect and block intrusions.
Threat hunting can actively search for signs of an intrusion before the encryption stage is reached, while security awareness training educates employees about the risks of social engineering and phishing. Data loss prevention (DLP) tools and monitoring of outbound traffic help ensure that sensitive information does not leave the network unnoticed, and maintaining regular backups that are kept offline or immutable at secure locations improves the ability to recover quickly from a ransomware incident. Backups, however, only restore availability; they do nothing to recover data that has already been stolen, which is why detecting and blocking exfiltration matters as much as the ability to restore.
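The outbound-traffic monitoring mentioned above can be illustrated with a small detector. The following is an added example, not code from the original article or from any vendor product: it parses flow records in a constructed format (timestamp, host, destination, bytes sent), builds a per-host baseline from a normal day, and flags hosts that either send far more than usual or push a large volume to destinations they have never contacted before. The thresholds (`ratio`, `min_bytes`), the host names and the sample records are all assumptions made for the example.

```python
"""Outbound-volume anomaly check for spotting bulk data exfiltration.

Added illustration; not code from the original article or any product.
Flow records are assumed to be whitespace-separated lines of the form
"<timestamp> <host> <dst_ip>:<dst_port> <bytes_out>" (a constructed format;
real NetFlow/IPFIX or firewall exports need their own parser).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data. Addresses come from the RFC 5737 documentation
# ranges; 10.0.5.20 stands for an internal file server and 198.51.100.20 for
# a SaaS endpoint the hosts normally talk to.
BASELINE_FLOWS = """\
# a typical day, used as the per-host baseline
2024-03-01T09:02:11 WS-07 10.0.5.20:445 18204
2024-03-01T10:15:40 WS-07 10.0.5.20:445 22910
2024-03-01T11:44:03 WS-07 198.51.100.20:443 310220
2024-03-01T09:03:52 WS-12 10.0.5.20:445 15001
2024-03-01T14:20:19 WS-12 198.51.100.20:443 220774
2024-03-01T16:01:27 FS-01 10.0.5.20:445 4210003112
"""

WINDOW_FLOWS = """\
# the day under investigation: WS-07 pushes ~2.9 GB to an unknown host at night
2024-03-02T09:10:02 WS-07 10.0.5.20:445 20110
2024-03-02T02:13:45 WS-07 203.0.113.77:443 2900000000
2024-03-02T09:30:27 WS-12 10.0.5.20:445 17200
2024-03-02T15:02:51 WS-12 198.51.100.20:443 240000000
2024-03-02T16:05:09 FS-01 10.0.5.20:445 4500000000
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    host: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse flow lines; blank lines and '#' comments are skipped."""
    flows: list[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split()
        ip, port = dst.rsplit(":", 1)
        flows.append(Flow(ts, host, ip, int(port), int(nbytes)))
    return flows


def summarize(flows: list[Flow]) -> tuple[dict[str, int], dict[str, set[str]]]:
    """Total outbound bytes per host and the destination IPs each host used."""
    totals: dict[str, int] = defaultdict(int)
    dests: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        totals[f.host] += f.bytes_out
        dests[f.host].add(f.dst_ip)
    return totals, dests


def detect_exfiltration(baseline_text: str, window_text: str,
                        ratio: float = 5.0, min_bytes: int = 500_000_000) -> dict[str, dict]:
    """Flag hosts whose outbound traffic looks like bulk exfiltration.

    Two independent tests, because an attacker who throttles the transfer can
    stay under a pure volume threshold:
      volume_spike:    host sent >= min_bytes AND more than ratio x its baseline;
      new_destination: >= min_bytes went to IPs never seen in the baseline.
    Thresholds are illustrative assumptions, not tuned values.
    """
    base_totals, base_dests = summarize(parse_flows(baseline_text))
    window = parse_flows(window_text)
    win_totals, _ = summarize(window)

    alerts: dict[str, dict] = {}
    for host, sent in win_totals.items():
        usual = base_totals.get(host, 0)
        known = base_dests.get(host, set())
        to_new = sum(f.bytes_out for f in window
                     if f.host == host and f.dst_ip not in known)
        reasons = []
        if sent >= min_bytes and sent > ratio * usual:
            reasons.append("volume_spike")
        if to_new >= min_bytes:
            reasons.append("new_destination")
        if reasons:
            alerts[host] = {"sent": sent, "baseline": usual,
                            "bytes_to_new_destinations": to_new, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for host, info in detect_exfiltration(BASELINE_FLOWS, WINDOW_FLOWS).items():
        print(f"{host}: {info}")
```

Run against the sample data, only WS-07 is flagged: it trips both tests, while FS-01 moves far more data than any workstation but to its usual destination and within its own baseline, and WS-12 grows but stays under the absolute floor. In practice the baseline would be a rolling window per host and per destination, and the "new destination" leg would be enriched with reputation data, but the two-legged shape is the point: volume alone misses slow exfiltration, and novelty alone drowns in noise.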
In addition, scheduling tabletop exercises that simulate a ransomware attack, including the data-leak scenario and the decision of whether to negotiate, helps IT operations staff and the wider incident response team prepare for such incidents. By implementing these measures, individuals and organizations can better defend against and recover from double extortion ransomware attacks.