What is triple extortion ransomware?
Triple extortion ransomware is a type of ransomware attack in which a cybercriminal extorts the victim multiple times: by encrypting data, by exfiltrating data and threatening to expose it, and by threatening a third attack vector.
In a traditional ransomware attack, an attacker encrypts and locks the victim from accessing their data. In a double extortion ransomware attack, a second attack vector -- exfiltrating data to expose -- is added. Victim organizations can often recover from a traditional ransomware attack using backups. By exfiltrating data in a double extortion attack, the attacker has another chance to extort the victim -- or demand two ransoms. Attackers can threaten to publish, leak or sell the stolen data on the dark web if a second ransom isn't paid.
A triple extortion ransomware attack adds a third attack vector and the potential for a second -- or third -- ransom. This third attack vector could be a distributed denial-of-service (DDoS) attack or intimidation of the victim's customers, employees and stakeholders into paying a ransom.
With the triple extortion approach, attackers aim to compel victims into paying multiple ransoms by introducing extra threats and risks beyond just blocking access to data.
Double and triple extortion ransomware attacks are on the rise. Cybersecurity firm Venafi reported in 2022 that 83% of ransomware attacks included multiple ransom demands.
How does a triple extortion ransomware attack work?
At the initial stages, a triple extortion ransomware attack follows the same basic attack sequence as a common ransomware attack but adds the second and third attack vectors. A typical triple extortion ransomware attack has the following steps:
- Initial access. Attackers gain entry into their victim's network, often through phishing, malware, vulnerabilities or stolen credentials.
- Lateral movement and asset discovery. Once they have access to the network, attackers probe deeper into an environment to elevate privileges and find potentially valuable data.
- Data exfiltration. Once identified, high-value assets are stolen to use in a double extortion attack.
- Encryption of files. Attackers encrypt the data to prevent the victim from accessing it.
- Ransom demand. With the data encrypted and exfiltrated, attackers send a ransom note to the victim demanding payment, typically in a cryptocurrency, to receive the decryption key and regain access.
- Double extortion ransom demand. If the victim organization is able to restore its data from backups -- or even if it paid the first ransom -- the malicious actors return for a second attack and demand a second ransom payment to prevent them from publishing or leaking the victim's sensitive data.
- Triple extortion ransom demand. In the third attack, attackers threaten additional exploitation, such as a DDoS attack or even approaching the victim organization's customers, employees and third parties to demand a payment.
Beware: Malicious actors often demand increasingly higher payments with each additional ransom. Law enforcement agencies discourage organizations from paying the ransom, but many organizations still opt to pay. Consult with ransomware negotiation services to get the best outcome.
Double extortion ransomware vs. triple extortion ransomware
Double extortion ransomware and triple extortion ransomware are similar in many respects. The main difference between double extortion and triple extortion ransomware is that triple extortion adds a third threat vector. The goal for double and triple extortion ransomware is to put additional pressure on victims to pay even more money to prevent further attacks.
| Traditional ransomware | Double extortion ransomware | Triple extortion ransomware |
|---|---|---|
| Encrypts files on the victim's system. | Encrypts files on the victim's system. | Encrypts files on the victim's system. |
| | Exfiltrates data and threatens to publish or leak it if the ransom isn't paid. | Exfiltrates data and threatens to publish or leak it if the ransom isn't paid. |
| | | Threatens to disrupt the victim organization's operations through attacks, such as a DDoS, if the ransom isn't paid. Attackers sometimes opt to seek a ransom payment by threatening the victim's customers, employees and stakeholders. |
Notable examples of triple extortion ransomware
Since 2020, several ransomware groups have expanded on ransomware attacks through triple extortion ransomware. Some examples are the following:
- AvosLocker. A ransomware-as-a-service operation, AvosLocker was active in 2022, leading to an FBI advisory warning about the group.
- BlackCat. Also known as ALPHV, the BlackCat ransomware group became a major threat in 2022 with attacks against fuel and aviation companies, as well as universities. In 2023, the group claimed responsibility for the cyberattack on Barts Health NHS Trust.
- Hive. The Hive ransomware group executed large triple extortion ransomware attacks until late 2022 when U.S. law enforcement disrupted its operations.
- Vice Society. In 2022 and 2023, Vice Society emerged as a triple extortion ransomware threat, targeting public sector and educational organizations. In February 2023, Vice Society claimed it had successfully attacked the San Francisco Bay Area Rapid Transit system.
- Quantum. The Quantum ransomware gang was active in 2022 and known for selling victim data. Among its many victims was the Glenn County Office of Education in California, which paid a $400,000 ransom.
How to prevent triple extortion ransomware
To prevent and limit the risk of triple extortion ransomware attacks, follow these best practices:
- Strengthen access controls. Use strong passwords and multifactor authentication, limit administrative privileges to servers, and disable or restrict access to Remote Desktop Protocol.
- Deploy patches and software updates. Ensure all OSes, software and firmware are patched and up to date.
- Tighten network security. Secure networks with microsegmentation and virtual LANs to reduce the risk of attackers moving laterally across a network. Make sure firewalls are in place alongside intrusion prevention and detection systems.
- Implement monitoring and logging. Monitor networks for suspicious connections, scan logs for indicators of compromise and watch for signs of credential misuse.
- Conduct cybersecurity awareness training. Teach employees about phishing and social engineering. Raise awareness of suspicious emails, URLs and attachments.
- Create an incident response plan. Develop and test a ransomware incident response plan. Ensure it covers detection, analysis and containment.
- Maintain backups and test recovery. Keep regular offline, encrypted backups, and store them in a location separate from the production network. Regularly test restoration from those backups. Consider buying cyber insurance to offset costs if a ransomware incident does occur.
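The attack sequence above (exfiltration first, then encryption) is what separates a double or triple extortion incident from traditional ransomware, and the monitoring step in the prevention list is where it can be caught. The following script is an added example, not code from the original article: it runs stage correlation over constructed host telemetry (not real logs), with the byte and write-count thresholds being assumed tuning values that a defender would set per environment.

```python
from typing import Optional

# Constructed sample telemetry, not real logs: (seconds, host, kind, detail).
# kind "net_out": bytes sent to an external address; "file_write": path written.
EVENTS = [
    (0,   "ws-12", "net_out",    2_000_000),
    (60,  "ws-12", "net_out",    850_000_000),
    (120, "ws-12", "net_out",    1_100_000_000),
    (300, "ws-12", "file_write", "C:/Users/a/docs/q1.xlsx.locked"),
    (301, "ws-12", "file_write", "C:/Users/a/docs/q2.xlsx.locked"),
    (302, "ws-12", "file_write", "C:/Users/a/docs/plan.docx.locked"),
    (303, "ws-12", "file_write", "C:/Users/a/docs/README_TO_RESTORE.txt"),
    (0,   "ws-07", "net_out",    1_500_000),
    (400, "ws-07", "file_write", "C:/Users/b/notes.txt"),
]

EXFIL_BYTES = 500_000_000   # assumed threshold: outbound bytes per window
EXFIL_WINDOW = 600          # assumed sliding window in seconds
MASS_WRITES = 3             # assumed burst size of suspicious writes
WRITE_WINDOW = 60           # assumed burst window in seconds
NORMAL_EXT = (".xlsx", ".docx", ".txt", ".pdf")  # extensions seen in normal use

def exfil_onset(events, host) -> Optional[int]:
    """Time at which outbound bytes within EXFIL_WINDOW first reach EXFIL_BYTES."""
    sent = sorted((t, d) for t, h, k, d in events if h == host and k == "net_out")
    for i, (t_end, _) in enumerate(sent):
        total = sum(b for t, b in sent[: i + 1] if t_end - t <= EXFIL_WINDOW)
        if total >= EXFIL_BYTES:
            return t_end
    return None

def encryption_onset(events, host) -> Optional[int]:
    """Start of the first burst of MASS_WRITES unusual-extension writes in WRITE_WINDOW."""
    writes = sorted(t for t, h, k, d in events
                    if h == host and k == "file_write"
                    and not d.lower().endswith(NORMAL_EXT))
    for i in range(len(writes) - MASS_WRITES + 1):
        if writes[i + MASS_WRITES - 1] - writes[i] <= WRITE_WINDOW:
            return writes[i]
    return None

def classify(events) -> dict:
    """Map each host to the extortion stages observed, in the order the article describes."""
    verdicts = {}
    for host in sorted({h for _, h, _, _ in events}):
        ex, enc = exfil_onset(events, host), encryption_onset(events, host)
        if ex is not None and enc is not None and ex <= enc:
            verdicts[host] = "exfiltration then encryption: double/triple extortion pattern"
        elif enc is not None:
            verdicts[host] = "encryption burst only: traditional ransomware pattern"
        elif ex is not None:
            verdicts[host] = "bulk outbound transfer: possible exfiltration"
        else:
            verdicts[host] = "no ransomware indicators"
    return verdicts
```

Catching the bulk outbound transfer before the encryption burst is the point: once the data has left, backups restore operations but do not remove the second and third ransom demands.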