article featured image


With more and more businesses learning how to avoid paying huge amounts of money to ransomware actors by maintaining up-to-date backups and having disaster recovery plans in place, the number of victims forced to pay ransom started to decrease.

Even so, according to a study conducted by Cloudwards, in 2021, 37% of all businesses and organizations participating in the study were hit by ransomware and out of all, 32% paid the ransom but recovered only 65% of their data.

According to the 2022 Thales Data Threat Report, which polled about 2,800 respondents in 17 countries, 21% of all respondents have been the victim of a double extortion ransomware assault, with 43% being substantially impacted.

Nearly half (45%) of respondents said that in the previous year, cyberattacks had grown in size, frequency, or severity. More than 60% of respondents asked to rate their top threats placed financially motivated hostile insiders among the top four.

Even if companies started to learn new “tricks” when it comes to ransomware, the developers behind this kind of attack continue to adapt, rethink their tactics and find new ways to pressure their victims into paying the ransom. One of their relatively new famous technique is double extortion ransomware.

What Is Double Extortion Ransomware and How Does it Work?

Double extortion, also known as pay-now-or-get-breached refers to a growing ransomware strategy and the way it works is that the attackers initially exfiltrate large quantities of private information, then encrypt the victim’s files. Following the encryption, the attackers threaten to publish the data unless a ransom is paid.

In a double extortion ransomware attack, the attacker accesses the victim’s network using several recognized techniques and threat vectors. The operator then conducts network discovery to identify and secure access to high-value assets from throughout the network and associated endpoints, after which they are exfiltrated to the operator’s storage network.

The threat actor infiltrates the network laterally before encrypting the data and requesting a ransom. If the ransom is unpaid, the perpetrators frequently sell or post the stolen data in online forums and blogs.

It’s a fact that there’s been a significant rise in the number of ransomware attackers that threaten to leak stolen data from those who don’t pay the ransom for the decryption key.

Double Extortion Ransomware Attack Sequence

The typical steps that cybercriminals take while launching a double extortion ransomware attack are as follows:

  1. The threat actor gets initial access to the victim’s system by any means required.
  2. The hacker then searches the network for all the sensitive data they can get their hands on.
  3. The data is then exfiltrated by the attacker or ransomware gang.
  4. The system is subsequently infected with the ransomware that the attacker has chosen.
  5. The data is now encrypted.
  6. Access to the information kept hostage is prohibited for the victim.
  7. The ransom is demanded, and what will happen if it is not paid is pretty obvious and clear.
  8. Once the ransom is paid, the data should be recovered and access permitted; however, remember that this is not always the case.
  9. If the ransom is not paid, the data is released, destroyed, or sold like we previously mentioned. This one is especially painful if you don’t have data backups. 

Origins of Double Extortion Ransomware

Cybercriminals have allegedly started to adopt this unique attack tactic in late 2019 with the first published double extortion ransomware case involving Allied Universal, the American provider of security systems and services.

As we said, the attack on the American company took place in November 2019. When the organization refused to pay 300 bitcoin, the ransomware gang increased the ransom request by 50% and threatened to use stolen information along with stolen emails and domain name certificates in a spam operation pretending to be Allied Universal.

The attackers leaked some of the stolen information such as certificates, contracts, and medical documentation to show they are being serious about their demands. They even posted a link to 10% of the data they exfiltrated. Allied Universal received a two weeks deadline before the rest of 90% will be exposed as well. The name of the used ransomware was the popular Maze.

According to Check Point researchers, the Maze ransomware gang has since exposed personal information for dozens of businesses, law companies, healthcare providers, and insurance organizations that have refused to comply with their demands.

Many other companies are believed to have avoided the public release of confidential data by paying the requested ransom.

In the first six months of 2020, hundreds of companies had allegedly been hit with double extortion ransomware attacks.

What Other Ransomware Groups Use Double Extortion?

Some ransomware gangs that are very prosperous in the double extortion business are Revil/ Sodinokibi (Travelex), Netwalker, and DoppelPaymer, but they are not the only ones. Conti and Egregor ransomware groups have rapidly followed in their footsteps and became some of the most productive cybercriminal groups in 2021.

After examining ransomware DLSs in 2021, Group-IB analysts concluded that Conti was the most hostile ransomware threat actor, leaking information about 361 victims (16.5% of all victim businesses whose data was published on DLSs).

As stated by Group-IB, the United States had the most double-extortion victims (968), followed by Canada with 110 and France with 103. Manufacturing, education, financial institutions, medical services, and commerce were the most affected sectors.

Double-Extortion Ransomware Damage Increases by 935%

According to Group-IB’s Hi-Tech Crime Trends Report 2021/2022, the increase of the ransomware industry happened due to a combination of poor corporate security and a thriving ransomware-as-a-service (RaaS) affiliate market. As mentioned in the report, access to compromised networks is currently very inexpensive. Thanks to an increase in the number of initial-access brokers and RaaS tools, ordinary petty criminals may turn into full-blown hackers in just a few hours for just a few dollars.

According to cybersecurity experts, the collaboration between ransomware developers and corporate-access brokers has resulted in a 935% increase in the number of companies that had their stolen data made public on a data leak site (DLS).

Ransomware organizations have increasingly employed the double extortion tactic, and the report shows that these groups are carrying on with the threats.

Double Extortion Ransomware Protection

In 2022, double extortion ransomware is expected to grow even more. In order to prevent becoming a victim of double extortion, you can take initiative on the matter by installing the most recent software updates and enabling two-factor authentication.

Also, as ransomware is most of the time delivered via phishing attacks, organizations must educate their staff to:

  • Identify and avoid phishing scams;
  • Know what measures to take if they think they received a phishing email;
  • Know what to do if they experience a phishing attack especially that many employees are working remotely and do not benefit from the same resources as if they were physically at the office.

In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, that is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Wrapping Up

The thought behind the double extortion ransomware assaults is that even if the impacted company thinks it can fix its network without paying the amount of money requested by attackers, the idea that their staff and client’s private data could be exposed might push companies to give in to extortion and make the payment.

It is not recommended to pay the ransom as there is no assurance that the hackers involved in the ransomware attack will delete the stolen information.

Unfortunately, this kind of cyber assault has become exceptionally profitable for ransomware gangs. Over the past year, cybersecurity specialists have followed the activity of more than 24 dark web leak websites linked with ransomware attacks meaning that more and more hackers adopt this form of blackmail.

Do you work for an NHS Trust? Heimdal is giving you free ransomware licenses to combat growing cyberattacks.

Get your free ransomware protection here.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube, for more cybersecurity news and topics.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *