6 stages of the ransomware lifecycle triple extortion ransomware

double extortion ransomware

What is double extortion ransomware?

Double extortion ransomware is a novel form of malware that combines ransomware with elements of extortionware to maximize the victim's potential payout. In addition to encrypting data, as in a traditional ransomware attack, a double extortion ransomware attack involves threat actors stealing the victim's data as well.

In a traditional ransomware attack, system data is locked and encrypted until the victim agrees to pay the attacker to get the data back. This has proven unsuccessful for attackers, however, because victims can often restore their data and systems from backups.

Double extortion ransomware evolved to take traditional ransomware a step further. Ransomware operators not only encrypt data and hold it for ransom, but they also steal the victim's data and move it to a separate location. Victims now face the new threat that private and sensitive data will be publicly leaked or sold on the dark web. This tactic gives a leg up to the attackers because they have an additional way to extort victims into paying a ransom. Victims may be able to restore encrypted files through backups after a double extortion ransomware attack, but they still must deal with the prospect that confidential information might be disclosed.

The first public reports of double extortion ransomware surfaced in 2019, originated by a diverse set of criminal organizations that included the REvil ransomware gang and the Maze ransomware group TA2102.

How a double extortion ransomware attack works

Double extortion ransomware starts like a traditional ransomware attack. Among steps malicious actors take are the following:

  • Initial access. An attacker or threat adversary group gains access to a victim's system. Common approaches include a phishing attack, where an email is crafted in a way to trick the user into clicking on an embedded link or downloading a malicious file; malware that is delivered via email, a malicious website or a watering hole attack; malware designed to exploit known vulnerabilities that the individual or organization has not patched; or a zero-day vulnerability. Lost or stolen credentials -- sometimes gathered from an existing data breach or via brute-force attacks -- could also be used to access victim systems.
  • Lateral movement across a network. Once an attacker gains access, the next step is to see what else can be accessed. At this step, the attacker moves laterally across a network to access as many high-value assets as possible. This step may also include privilege escalation.
  • Data exfiltration. This step is added in double extortion attacks. After high-value assets have been identified, the attacker steals and moves or exfiltrates them to a remote site.
  • Data encryption. Data is encrypted and locked; the victim can no longer access files or information.
  • Ransom demand. Once the data is encrypted, the attacker makes a ransom demand.
  • Payment or recovery. The victim makes the ransom payment to unlock their files or recovers their files and systems from backups or other methods.
  • Double extortion ransom demand. If the victim can back up their systems and refuses to pay the ransom, the attacker threatens to publicly post their data or sell it on the dark web, thus demanding another ransom payment. Even if the victim pays the original ransom, the attacker may strike again for a bigger payout.
    Graphic displaying the sequence of events in a ransomware attack
    Traditional ransomware attacks don't include data exfiltration for extortion.

    Examples of double extortion ransomware

    Publicly reported incidents of double extortion ransomware include the following:

    • Maze ransomware. The Maze ransomware attacks, attributed to a group sometimes referred to as TA2102, targeted a variety of organizations, among them IT services giant Cognizant in 2020.
    • REvil. The REvil ransomware was implicated in the successful attack against IT management vendor Kaseya in 2021.
    • DarkSide. DarkSide ransomware was a primary element in the 2021 supply chain attack against Colonial Pipeline, which disrupted fuel supplies in the southeastern United States.
    • BlackMatter. The BlackMatter ransomware group, reportedly a successor to either DarkSide or REvil, successfully attacked agriculture technology firm New Cooperative in 2021.
    • LockBit. LockBit, active since 2019, has increasingly added double extortion ransomware capabilities that some researchers suspect were taken from BlackMatter. According to a CISA advisory, LockBit has been responsible for 1,700 ransomware attacks in the United States since 2020.
    Graphic displaying the sequence of a double extortion ransomware attack
    Double extortion ransomware attacks take traditional ransomware attacks one step further.

    How to prevent double extortion ransomware

    Double extortion ransomware can wreak havoc on a business, denying access to critical data and exposing sensitive information in a public forum. Individuals and organizations should take proactive steps to better prepare to defend against and recover from a double extortion ransomware attack. Ransomware prevention steps include the following:

    • Strong authentication and access policies. A successful double extortion ransomware attack depends on gaining system access. By locking down system and user authentication -- using strong protocols and multifactor authentication -- organizations make it significantly more difficult for ransomware threat actors to access a system.
    • Network defense in depth. A comprehensive defense-in-depth strategy flags intrusions before they become dangerous. Use a combination of firewalls, network traffic analysis tools, intrusion prevention and detection systems, web filtering and endpoint scanning.
    • Threat hunting. Threat hunting tools actively look for potential threats that might have somehow bypassed network fortifications.
    • Cybersecurity awareness training. Social engineering and phishing attacks are a popular way to launch double extortion ransomware attacks. Limit risk by training all employees and contractors who have access to the network.
    • Data loss protection (DLP) tools. DLP technologies are specifically tailored to help organizations ensure sensitive and private information doesn't leave the network.
    • Continuous backups. Ransomware is all about denying access to data. Maintain properly configured continuous backup at a secure and remote location to improve the ability to recover quickly from a ransomware incident.
    • Tabletop exercise planning. Schedule ransomware tabletop exercises to ensure IT operations staff is ready to respond to an incident with recovery plans when and if a ransomware attack occurs.

    This was last updated in September 2023

    Continue Reading About double extortion ransomware

    Dig Deeper on Threats and vulnerabilities

    Enterprise Desktop
    Cloud Computing