What is Double Extortion Ransomware?

Ransomware attacks aimed at governments worldwide rose by a whopping 1,885% in 2021, indicating that it is one of the most prominent security threats. The spike results from security being relegated to a secondary position in a rush to embrace digital technologies in the aftermath of the pandemic-driven disruptions. 

While attempts to bridge the gap in security are experiencing a newfound interest, malicious agents are evolving new techniques to match the progress. One of the hackers' more sophisticated attack techniques is double extortion ransomware. Reports suggest double extortion ransomware attacks surged 935% between 2020 and 2021. 

The spike in ransomware attacks has prodded Chief Security Officers worldwide to make it a top priority; in Canada, 35% of companies plan to set up improved security measures. However, double extortion ransomware will likely pose serious threats to businesses in 2022 and beyond despite the efforts to combat it. 

What is double extortion ransomware?

Double extortion ransomware is also known as pay-now-or-get-breached or name-and-shame ransomware. This ransomware gets its name from the way it operates. In double extortion ransomware attacks, hackers exfiltrate the victim's data in addition to encrypting their files. Later, the attackers threaten to publish the data publicly if the ransom is not paid.

Here is how it works:

  1. Infect a target system

  2. Steal sensitive files and information

  3. Encrypt all files on the system 

  4. Make the first ransom demand in exchange for restoring access to the encrypted files

  5. Make the second ransom demand by threatening to leak the sensitive files

In 2019, a criminal organization named TA2102 perpetrated the first-ever double extortion ransomware attack on Allied Universal, a security staffing company. The attackers demanded US$ 2.3 million and threatened to publish the data online if the company didn't meet their demands. Since then, the number of such incidents has only grown. Tech giants like Accenture, Cognizant, and more have been victims of such attacks.

Types of double extortion ransomware families

Since the first attack in 2019 using Maze ransomware, the number of double extortion ransomware families has grown. Some are:

  • DarkSide: responsible for the Colonial Pipeline ransomware attack that shut down the main pipeline supplying 45% of fuel to the East Coast of the US

  • Egregor: over 150 attacks have been attributed to this ransomware

  • Conti: it prompted a national emergency in Costa Rica

  • DoppelPaymer (BitPaymer family): this ransomware was used to attack Mexico's state-owned oil company, costing it US$ 4.9 million

  • REvil/Sodinokibi: ransomware that exploits a software vulnerability. It is estimated to account for 14% of all ransomware attacks

Preventive measures

The biggest reasons for the increase in ransomware attacks are poor corporate security and a thriving ransomware-as-a-service affiliate market. Businesses can no longer afford to take security lightly. Companies need to stay a step ahead and deploy proactive and preventive measures to counter ransomware attacks.

Here are a few best practices to help prevent ransomware attacks:

  • Adopt a zero-trust security policy. Limit and grant access only based on identity and context, and only to a minimal set of resources.

  • Identify and create enterprise-wide awareness and steps to tackle phishing scams.

  • Minimize the number of resources visible to the internet by securing access with a proxy-based brokered exchange to connect authenticated users directly to applications.

  • Identify the organization’s Vital Data Assets (VDA) and deploy capabilities to secure and restore them in case of an incident, for example by keeping a failsafe copy of the data.
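The last point is the one that blunts both halves of a double extortion demand on the encryption side: if a verified failsafe copy of the Vital Data Assets exists, the first ransom demand has little leverage. The following added example (written for this post, not code from the original article or from any vendor) shows the minimal mechanics of that capability: build a SHA-256 manifest of the VDA set, verify that a failsafe copy still matches it, and raise an alert when an unexpectedly large share of the primary files has changed, which is what an encryption run looks like from the file system's point of view. The directory names, file names and contents are constructed samples, and the incident is simulated by overwriting two files.

```python
"""Integrity manifest and failsafe-copy verification for Vital Data Assets.

Added example, not from the original post. All paths, file names and
contents are constructed samples; the "incident" is simulated by overwriting
two primary files with garbage so their digests no longer match the manifest.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(manifest: dict[str, str], copy_root: Path) -> dict[str, list[str]]:
    """Compare the files currently under copy_root with a trusted manifest."""
    current = build_manifest(copy_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def mass_change_alert(manifest: dict[str, str], root: Path, threshold: float) -> bool:
    """True when the share of manifest files that are modified or missing
    under root reaches threshold. Legitimate edits touch a few files; an
    encryption run touches nearly all of them at once."""
    report = verify_copy(manifest, root)
    changed = len(report["modified"]) + len(report["missing"])
    return bool(manifest) and changed / len(manifest) >= threshold


def demo() -> dict:
    """Set up a constructed VDA tree and its failsafe copy, then simulate an incident."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "vda"          # live Vital Data Assets (constructed)
        failsafe = Path(tmp) / "failsafe"    # offline/immutable copy (constructed)
        samples = {
            "finance/ledger.csv": b"id,amount\n1,100\n2,250\n",
            "finance/payroll.csv": b"name,salary\nA. Sample,1\n",
            "contracts/master.txt": b"constructed sample contract text\n",
        }
        for rel, data in samples.items():
            for root in (primary, failsafe):
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)

        manifest = build_manifest(primary)       # taken while the data is known-good
        copy_ok = not any(verify_copy(manifest, failsafe).values())

        # Simulated incident: two of the three primary files are overwritten.
        (primary / "finance/ledger.csv").write_bytes(b"\x00constructed garbage")
        (primary / "finance/payroll.csv").write_bytes(b"\x00constructed garbage")

        after = verify_copy(manifest, primary)
        return {
            "copy_ok_before": copy_ok,
            "modified_after": after["modified"],
            "alert": mass_change_alert(manifest, primary, threshold=0.5),
            "copy_ok_after": not any(verify_copy(manifest, failsafe).values()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest must be stored somewhere the attacker cannot reach from the compromised hosts (the same place as the failsafe copy, or a separate write-once location); a manifest that sits next to the live data can be altered or encrypted along with it. The threshold in `mass_change_alert` is a tuning choice: the value of 0.5 used in the demo is an assumption for the sample, and a real deployment would set it from the normal daily change rate of the asset set.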

Wrapping up

Cyber threats are evolving and constantly changing. We have already seen basic ransomware attacks evolve to double extortion ransomware, and we are now seeing another layer of threat with triple extortion ransomware. Businesses need to be alert and take all possible measures to protect themselves against such attacks. Cybersecurity is no longer an option; it is a necessity.

The effects of a ransomware attack can be devastating for a business. Not only can it lead to loss of data, but also loss of customers and revenue. In some cases, it can even lead to bankruptcy.

Ransomware Penetration Testing

Ransomware penetration testing evaluates the preparedness and risk of a ransomware attack. In addition to a complete analysis of the security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374), and a technical assessment of security controls, a full penetration test is conducted to measure the robustness of your systems.