
Double extortion ransomware attacks and how to stop them

As ransomware attacks increase, hackers are diversifying their tactics to get victims to hand over larger sums of money. We investigate the rise of double extortion attacks

This article can also be found in the Premium Editorial Download: Computer Weekly: The future of storage
Nicholas Fearn

Ransomware is one of the most common types of cyber threat, targeting a business every 14 seconds and costing $11.5bn in 2019 alone. Typically, the hackers behind these attacks breach a system, encrypt its data and withhold the decryption key unless the victim pays a ransom fee.

However, looking to raise the stakes and earn even more money from ransomware, cyber criminals are increasingly using a tactic that has become known as double extortion: they steal a copy of the data before encrypting it, and then demand a ransom not only to restore access but also to prevent the stolen data being published online.

The rise of double extortion ransomware goes to show that cyber criminals are constantly expanding their arsenal. Paolo Passeri, cyber intelligence principal at software firm Netskope, says these attacks have become popular because they are the simplest way for hackers to make a profit.

Passeri says: “With double extortion attacks, even if a backup is available the attackers can put more pressure on the victim to pay the ransom. The increased pressure comes from the potential serious consequences of a data leak, for example economic and reputational damage. Groups like REvil [aka Sodinokibi] are even more creative – they don’t simply leak the data, they monetise it by auctioning it on the dark web and put even more pressure on their victims.”

When conducting a double extortion ransomware attack, hackers are beginning to spend more time on the overarching strategy. Passeri warns that crooks are no longer taking an opportunistic approach but are carefully selecting their target and method of attack in order to increase the money they make from ransoms. He explains that “the threat actors select their victims, choosing organisations whose businesses can be impacted by a data leak”.

Although spear phishing is the primary means for distributing double extortion ransomware, Passeri says cyber criminals are also exploiting vulnerabilities in on-premises devices such as VPN concentrators. “Over the past months (and this is an ongoing trend), almost all of the major VPN technologies have suffered severe vulnerabilities that have been exploited for similar attacks,” he says.

“This is unfortunate given the current situation with enforced working from home where these legacy remote access technologies play a crucial role in guaranteeing business continuity during Covid-19. These systems are directly exposed to the Internet so the threat actors can scan them and subsequently exploit any discovered vulnerability.”


Jakub Kroustek, head of threat intelligence systems at Avast, agrees that double extortion ransomware provides cyber criminals with more opportunity by enabling them to extort victims twice. “They can demand an initial payment for decrypting the files and a second for not making them public,” says Kroustek.

“This technique, also known as doxing, has been used by an increasing number of ransomware groups over the past year. The consequences of doxing are more severe for the victim, so they often comply with the demands. This means more money in the pockets of the cyber criminals for financing new ransomware strains and supporting other criminal activity.”

Improvements in malware and financial incentives for hackers have led to the growth of double extortion attacks, argues Comparitech privacy advocate Paul Bischoff. He tells Computer Weekly: “In the past, ransomware encrypted files and hackers stole data, but it was rare to do both.

“Now we have bots that can scan the web for unprotected data, steal it, encrypt or delete it, and leave a ransom note for the owner all in a single automated attack. The hacker can then collect a ransom for the data and sell the data to other criminals, double-dipping with minimal effort.”

An aggressive tactic

Over the past year, there has been an influx of double extortion ransomware attacks. John Chambers, director of IT, communication, workplace, business process and application services at electronics firm Ricoh UK, says they gained traction in late 2019 when high-profile hacking groups like Maze began “aggressively” leveraging this tactic.

“In these instances, the attacker would exfiltrate a copy of the data before encrypting it,” he says. “This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves.

“In order to claim responsibility and pressure the victim during the negotiation process, the attacker would often release small portions of the data online. Should negotiations stall or fail, the attacker would then either publish all of the exfiltrated data or sell it to third parties, creating a significant data breach for the victim.”

To defend against these attacks, there are a number of different steps that businesses should take. “As well as usual cyber security best practices including keeping systems fully up to date with patching to ensure known vulnerabilities are resolved, it is imperative that organisations have a multi-layered security approach including looking at data loss prevention tools to stop the exfiltration of data that initiates these double extortion attacks,” says Chambers.

But what can organisations do if they are unable to successfully mitigate one of these attacks? Chambers explains: “To address a ransomware outbreak, organisations should look to include a Last Line of Defence that immediately isolates and stops ongoing illegitimate encryption when traditional prevention-based security has been compromised or bypassed. Robust backup processes including off-line copies should also be factored in to make it harder for the criminals to encrypt or disable critical data stores.”
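
The “last line of defence” Chambers describes has to recognise illegitimate encryption while it is still running, which in practice means spotting a burst of high-entropy rewrites across many files, or a touch on a decoy file that no legitimate process should ever modify, and isolating the host before the rest of the share is lost. The following is an added example of that check, not code from Ricoh, Chambers or Computer Weekly; the WriteEvent shape, the /.canary/ decoy path, the .locked-style suffixes, the 7.5 bits-per-byte cut-off and the burst threshold are assumptions, and the sample telemetry is constructed inline.

```python
"""Spot bulk encryption in progress from file-write telemetry.

Added example for this article, not code from Ricoh, Chambers or Computer
Weekly. The WriteEvent shape, the /.canary/ decoy path, the suffix list and
the thresholds are assumptions; the sample events are constructed below.
"""
import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float      # seconds; only relative order and spacing matter here
    host: str
    path: str
    data: bytes    # content written (the first few KiB is enough in practice)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: natural-language text sits around 4 to 5,
    compressed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


HIGH_ENTROPY = 7.5                       # assumed cut-off in bits per byte
CANARY_MARKER = "/.canary/"              # assumed decoy directory nobody writes to
SUSPECT_SUFFIXES = (".locked", ".encrypted", ".crypt")  # assumed illustrative


def detect_mass_encryption(events, window_s=60.0, burst_threshold=10):
    """Return (host, reason) alerts. A host is flagged once when it produces
    burst_threshold suspicious writes inside window_s seconds, and any write
    to a canary file is flagged immediately regardless of content."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of recent suspicious writes
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if CANARY_MARKER in ev.path:
            alerts.append((ev.host, f"canary file modified: {ev.path}"))
            continue
        suspicious = (shannon_entropy(ev.data) >= HIGH_ENTROPY
                      or ev.path.endswith(SUSPECT_SUFFIXES))
        if not suspicious:
            continue
        q = recent[ev.host]
        q.append(ev.ts)
        while q and q[0] < ev.ts - window_s:   # drop writes outside the window
            q.popleft()
        if len(q) >= burst_threshold and ev.host not in flagged:
            flagged.add(ev.host)
            alerts.append((ev.host, f"{len(q)} suspicious writes in {window_s:.0f}s"))
    return alerts


def build_sample_events():
    """Constructed telemetry: normal editing, an encryption burst and a canary hit."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    events = []
    for i in range(5):   # host ws-a: ordinary document saves, low entropy
        events.append(WriteEvent(100.0 + i, "ws-a", f"/home/alice/report{i}.docx",
                                 b"Quarterly figures and commentary. " * 64))
    for i in range(12):  # host ws-b: 12 high-entropy rewrites in 30 seconds
        body = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(WriteEvent(200.0 + 2.5 * i, "ws-b",
                                 f"/share/finance/ledger{i}.xlsx.locked", body))
    events.append(WriteEvent(300.0, "ws-c", "/share/hr/.canary/payroll.xlsx", b"x"))
    return events


if __name__ == "__main__":
    for host, reason in detect_mass_encryption(build_sample_events()):
        print(f"ISOLATE {host}: {reason}")
```

The burst rule fires on the tenth suspicious write, so a few files are lost before isolation; the canary rule fires on the first touch, which is why decoy files are placed early in the directory order that ransomware typically walks. Either alert would be handed to whatever mechanism disables the host's network access or kills the writing process.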

Dire consequences

If an organisation becomes victim of a double extortion ransomware attack, there are often huge ramifications. Julian Hayes, partner at BCL Solicitors, says: “Badging themselves with dystopian names such as Maze, Netwalker and REvil, they are increasingly brazen, displaying exfiltrated data like online trophies and even sponsoring underground hacking contests to showcase their malware.

“For their victims, the consequences can be devastating; Travelex, the currency exchange service, has gone into administration with the loss of 1,300 UK jobs following a New Year’s Eve ransomware attack where a cyber gang demanded the company pay $6m in 48 hours or face publication of its customers’ credit card information, national insurance numbers and dates of birth.”

Clearly, it is crucial that businesses do all that they can to identify and stop these attacks before they cause major damage. “Preventing such attacks in the first place is far better than mitigating their effects, with all the financial cost and reputational damage they entail,” says Hayes.

“Most attackers gain access through human error and, along with technical measures such as internal data access management and backing up, staff training and vigilance are key elements in an organisation’s defences.”

Victims essentially have two choices, both of which are costly, according to Hayes. Organisations either “refuse to pay and face a catastrophic data breach with exposure to painful regulatory fines and civil claims”, or they “pay the ransom without any guarantee of the data’s return”.

Dealing with double extortion ransomware

Although being impacted by ransomware can deal a devastating blow to any company, businesses should be wary when being asked to pay ransom fees. Jake Moore, a security specialist at ESET, says doing so could result in even bigger risks. “There is no certainty that these hackers won’t simply ask for more or release the data anyway,” he explains.

Instead, Moore urges businesses to secure their networks and conduct simulation tests to mitigate the threat of ransomware. “Such simulated attacks will help to highlight the vulnerabilities within an organisation without the risk of facing serious financial problems and having to answer some very difficult questions from both the ICO and your customers,” he says.

Kiri Addison, head of data science for threat intelligence and overwatch at Mimecast, says implementing strong resilience measures is the best way to prevent double extortion ransomware. “Ransomware is often a secondary infection, and threat actors are looking to exploit known vulnerabilities, particularly in relation to RDP, and servers and applications that are key to working from home,” she says.

“Critical to mitigating this is ensuring vulnerabilities are patched in a timely fashion and that network data logs are monitored to detect any unusual activity or data exfiltration. There is therefore a potential window of opportunity to remediate any primary infection and thereby stop it developing into a ransomware attack.”


Meanwhile, organisations should educate their staff on the risks of double extortion ransomware and how it is distributed. “Individual users can also assist greatly by being aware of the potential for unsafe attachments and should also be wary of clicking any email links received in any communication, particularly with the recent resurgence of Emotet,” says Addison.

Cath Goulding, CISO of Nominet, explains that there are two defence strategies for dealing with double extortion ransomware. “Firstly, robust backups, to ensure you’re not pushed into a corner if hackers do gain control of your data. Secondly, encryption, to ensure that if an attacker is threatening to expose the data, this too is protected against,” she says.

“These approaches should then be built into a broader strategy that includes basic cyber hygiene. From close monitoring of the network that could allow you to cut attackers off before data exfiltration, through to educating employees not to fall victim to phishing attacks that are often the root cause of a ransomware incident – all will play a vital part in building your cyber posture.”
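
Chambers’ call for data loss prevention, Addison’s advice to monitor network logs for exfiltration and Goulding’s point about cutting attackers off before data leaves all rest on the same detection: an unusual volume of outbound data from one host to a destination the organisation does not normally send bulk traffic to, often outside working hours. The following is an added example of that logic run over constructed proxy log lines, not code from any of the quoted companies or from Computer Weekly; the log format, the known-destination list, the one-hour sliding window, the 500 MiB threshold and the off-hours range are all assumptions.

```python
"""Flag possible data exfiltration in outbound proxy logs.

Added example for this article, not Computer Weekly's code or any quoted
vendor's product. The log format, field names, known-destination list and
thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per outbound HTTPS session (hypothetical format).
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOGS = """\
2020-09-01T09:02:11Z src=10.0.1.25 dst=office.example-saas.com bytes_out=18432
2020-09-01T09:05:40Z src=10.0.1.25 dst=office.example-saas.com bytes_out=22016
2020-09-01T22:14:03Z src=10.0.1.25 dst=files.unknown-share.invalid bytes_out=734003200
2020-09-01T22:21:49Z src=10.0.1.25 dst=files.unknown-share.invalid bytes_out=1258291200
2020-09-01T10:30:00Z src=10.0.2.7 dst=office.example-saas.com bytes_out=4096
2020-09-01T11:45:10Z src=10.0.2.7 dst=backup.example-corp.internal bytes_out=2147483648
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Assumed baseline: destinations that legitimately receive bulk uploads
# (backup targets, sanctioned cloud storage). Anything else is "unexpected".
KNOWN_BULK_DESTINATIONS = {"backup.example-corp.internal"}


def parse(log_text):
    """Yield (timestamp, src, dst, bytes_out); malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               m["src"], m["dst"], int(m["bytes"]))


def detect_exfiltration(log_text, window=timedelta(hours=1),
                        volume_threshold=500 * 1024 * 1024,
                        off_hours=(20, 6)):
    """Return one alert per (src, dst) whose outbound volume inside any sliding
    window reaches volume_threshold and whose dst is not a known bulk target.
    The alert also records whether the burst began in the assumed quiet period
    (off_hours gives its start and end hour)."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse(log_text):
        by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), events in by_pair.items():
        if dst in KNOWN_BULK_DESTINATIONS:
            continue
        events.sort()
        worst, start, total = None, 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Drop sessions that have fallen out of the trailing window.
            while events[start][0] < ts - window:
                total -= events[start][1]
                start += 1
            if total >= volume_threshold and (worst is None or total > worst[1]):
                worst = (events[start][0], total, ts)
        if worst is None:
            continue
        first_ts, total, last_ts = worst
        alerts.append({
            "src": src,
            "dst": dst,
            "bytes_out": total,
            "window_start": first_ts.isoformat(),
            "window_end": last_ts.isoformat(),
            "off_hours": first_ts.hour >= off_hours[0] or first_ts.hour < off_hours[1],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_LOGS):
        print(alert)
```

On the sample, the 2 GiB overnight push to the internal backup target is ignored because it is in the known list, while the two late-evening uploads from 10.0.1.25 to an unfamiliar file-sharing host add up to well over the threshold inside one hour and produce a single alert. In a real deployment the known-destination set comes from a learned baseline rather than a hard-coded list, and the alert feeds a block on the proxy or firewall rather than a print statement.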

The threat of double extortion ransomware is undeniable, with cyber criminals carefully targeting and crafting these attacks in a bid to increase the size of their ransoms. Often, organisations feel like they have no choice but to pay ransom fees to prevent sensitive data from being leaked. But in reality, this is a game of Russian roulette and stolen information can still make its way online. Therefore, the focus needs to be on prevention and mitigation.

1 comment

use the utopia ecosystem and you won't have to endure ransomware.

