Tech Accelerator What is ransomware? How it works and how to remove it

Definition

double extortion ransomware

Sean Michael Kerner

By

Sean Michael Kerner

What is double extortion ransomware?

Double extortion ransomware is a novel form of malware that combines ransomware with elements of extortionware to maximize the victim's potential payout. In addition to encrypting data, as in a traditional ransomware attack, a double extortion ransomware attack involves threat actors stealing the victim's data as well.

In a traditional ransomware attack, system data is locked and encrypted until the victim agrees to pay the attacker to get the data back. This has proven unsuccessful for attackers, however, because victims can often restore their data and systems from backups.

Double extortion ransomware evolved to take traditional ransomware a step further. Ransomware operators not only encrypt data and hold it for ransom, but they also steal the victim's data and move it to a separate location. Victims now face the new threat that private and sensitive data will be publicly leaked or sold on the dark web. This tactic gives a leg up to the attackers because they have an additional way to extort victims into paying a ransom. Victims may be able to restore encrypted files through backups after a double extortion ransomware attack, but they still must deal with the prospect that confidential information might be disclosed.

The first public reports of double extortion ransomware surfaced in 2019, originated by a diverse set of criminal organizations that included the REvil ransomware gang and the Maze ransomware group TA2102.

This article is part of

What is ransomware? How it works and how to remove it

Which also includes:
The 10 biggest ransomware attacks in history
How to recover from a ransomware attack
How to prevent ransomware in 6 steps

How a double extortion ransomware attack works

Double extortion ransomware starts like a traditional ransomware attack. Among steps malicious actors take are the following:

Initial access. An attacker or threat adversary group gains access to a victim's system. Common approaches include a phishing attack, where an email is crafted in a way to trick the user into clicking on an embedded link or downloading a malicious file; malware that is delivered via email, a malicious website or a watering hole attack; malware designed to exploit known vulnerabilities that the individual or organization has not patched; or a zero-day vulnerability. Lost or stolen credentials -- sometimes gathered from an existing data breach or via brute-force attacks -- could also be used to access victim systems.
Lateral movement across a network. Once an attacker gains access, the next step is to see what else can be accessed. At this step, the attacker moves laterally across a network to access as many high-value assets as possible. This step may also include privilege escalation.
Data exfiltration. This step is added in double extortion attacks. After high-value assets have been identified, the attacker steals and moves or exfiltrates them to a remote site.
Data encryption. Data is encrypted and locked; the victim can no longer access files or information.
Ransom demand. Once the data is encrypted, the attacker makes a ransom demand.
Payment or recovery. The victim makes the ransom payment to unlock their files or recovers their files and systems from backups or other methods.
Double extortion ransom demand. If the victim can back up their systems and refuses to pay the ransom, the attacker threatens to publicly post their data or sell it on the dark web, thus demanding another ransom payment. Even if the victim pays the original ransom, the attacker may strike again for a bigger payout.

Graphic displaying the sequence of events in a ransomware attack — Traditional ransomware attacks don't include data exfiltration for extortion.

Examples of double extortion ransomware

Publicly reported incidents of double extortion ransomware include the following:

Maze ransomware. The Maze ransomware attacks, attributed to a group sometimes referred to as TA2102, targeted a variety of organizations, among them IT services giant Cognizant in 2020.
REvil. The REvil ransomware was implicated in the successful attack against IT management vendor Kaseya in 2021.
DarkSide. DarkSide ransomware was a primary element in the 2021 supply chain attack against Colonial Pipeline, which disrupted fuel supplies in the southeastern United States.
BlackMatter. The BlackMatter ransomware group, reportedly a successor to either DarkSide or REvil, successfully attacked agriculture technology firm New Cooperative in 2021.
LockBit. LockBit, active since 2019, has increasingly added double extortion ransomware capabilities that some researchers suspect were taken from BlackMatter. According to a CISA advisory, LockBit has been responsible for 1,700 ransomware attacks in the United States since 2020.

Graphic displaying the sequence of a double extortion ransomware attack — Double extortion ransomware attacks take traditional ransomware attacks one step further.

How to prevent double extortion ransomware

Double extortion ransomware can wreak havoc on a business, denying access to critical data and exposing sensitive information in a public forum. Individuals and organizations should take proactive steps to better prepare to defend against and recover from a double extortion ransomware attack. Ransomware prevention steps include the following:

Strong authentication and access policies. A successful double extortion ransomware attack depends on gaining system access. By locking down system and user authentication -- using strong protocols and multifactor authentication -- organizations make it significantly more difficult for ransomware threat actors to access a system.
Network defense in depth. A comprehensive defense-in-depth strategy flags intrusions before they become dangerous. Use a combination of firewalls, network traffic analysis tools, intrusion prevention and detection systems, web filtering and endpoint scanning.
Threat hunting. Threat hunting tools actively look for potential threats that might have somehow bypassed network fortifications.
Cybersecurity awareness training. Social engineering and phishing attacks are a popular way to launch double extortion ransomware attacks. Limit risk by training all employees and contractors who have access to the network.
Data loss protection (DLP) tools. DLP technologies are specifically tailored to help organizations ensure sensitive and private information doesn't leave the network.
Continuous backups. Ransomware is all about denying access to data. Maintain properly configured continuous backup at a secure and remote location to improve the ability to recover quickly from a ransomware incident.
Tabletop exercise planning. Schedule ransomware tabletop exercises to ensure IT operations staff is ready to respond to an incident with recovery plans when and if a ransomware attack occurs.

This was last updated in September 2023

Continue Reading About double extortion ransomware

Malware vs. ransomware: What's the difference?

The history and evolution of ransomware

Types of ransomware and a timeline of attack examples

Top 3 ransomware attack vectors and how to avoid them

3 ransomware detection techniques to catch an attack

Dig Deeper on Threats and vulnerabilities

Why GenAI infrastructure optimization starts with the network
GenAI deployment requires optimized infrastructure. The networking aspects, such as workload placement and the type of deployment...
Cisco charts new security terrain with Hypershield
Initially, Hypershield protects software, VMs and containerized applications running on Linux. Cisco's ambition is to eventually ...
Is network automation adoption necessary?
Automation is not a one-size-fits-all strategy for every network problem. Enterprises must examine their network's needs to ...

CIO

Election might decide fate of FTC noncompetes ban
If the FTC's ban on noncompete agreements survives legal challenges, it might still face problems should there be an ...
FTC bans noncompete agreements in split vote
Now that the FTC has issued its final rule banning noncompete clauses, it's likely to face a bevy of legal challenges.
Ally's generative AI strategy eyes multiple LLMs, AI agents
The digital bank plans to privately host multiple LLMs on its GenAI platform, explore autonomous agent technology and evaluate ...

Enterprise Desktop

Creating a patch management policy: Step-by-step guide
A comprehensive patch management policy is insurance against security vulnerabilities and bugs in networked hardware and software...
How to remove a device from Intune enrollment
When a device reaches its end of life, IT needs to remove that device from any management software, such as Microsoft Intune. But...
Windows XP EOL anniversary: 10 years of endpoint evolution
Windows XP EOL meant upgrading to Windows 7, but times have changed. IT pros can use the next upgrade cycle as an opportunity to ...

Cloud Computing

Troubleshooting 7 common errors in AWS CloudFormation
Errors can occur when an AWS developer builds a CloudFormation template, launches a stack or rolls back an update. Prevent and ...
Explore CASB use cases before you decide to buy
CASB tools help secure cloud applications so only authorized users have access. Discover more about this rapidly evolving ...
10 cloud vulnerabilities that can cripple your environment
Enterprises can be devastated by security-related weaknesses or flaws in their cloud environments. Find out where you are most ...

ComputerWeekly.com

Post Office scheme was a ‘charade’ that never intended for large compensation pay-outs
The Post Office established a scheme to compensate subpostmasters affected by tech faults, but it was just a ‘charade’, says ...
Security Think Tank: Maybe let's negotiate with terrorists
In the wake of renewed calls for lawmakers to consider enacting legal bans on ransomware payments, the Computer Weekly Security ...
Microsoft sees datacentre investments key to AI leadership
Microsoft is reportedly spending between $50 to $100m to build out AI infrastructure

Close