article featured image


Even though companies now understand the necessity of cybersecurity in the face of ransomware attacks, and started to take it more seriously, CISO Benchmark Survey named this malware number one in their list of initiatives for 2022. With increasingly high-profile ransomware incidents and ransomware gangs’ extensive operations, the issue of this type of cyberattack is far from being resolved.

The financial incentive determines malicious actors to add more layers to their attacks and expand the attack surface. This type of evolution led to the development of the triple extortion ransomware technique, the newest way for cybercriminals to maximize profits, adding a new tool to snatch money from victims.

How Ransomware Attacks Evolved

Traditionally a ransomware attack meant that a threat actor that manages to infiltrate a network would encrypt a company’s data, making it unable to use. Only after paying a ransom, the victim would receive the decryption key.

But it takes two to tango… so as organizations started to implement a backup system for their important data, hackers became more and more creative, adding new (and sophisticated) features to the attacks. The backup server or the network segmentation helped organizations to recover and restore after an incident, making many ransomware attacks inefficient.

This is when cybercriminals – like DoppelPaymer or Maze, back in 2019 – found a second way to persuade victims to pay a ransom, and the double extortion ransomware attack was born.

Before encrypting a network, the threat actors now make a copy of the data so they can use it in negotiations: if the victim refuses to pay a ransom, the sensitive data stolen from the network will be made public or sold on the black market.

Double threat ransomware made the backup server useless. With cybercriminals having access to sensitive information, even if an organization can restore its network, the problem of data being made public is still a concern. This type of attack became quickly popular, as 70% of the ransomware attacks in 2021 involved data extraction, according to HealthItSecurity.

What Is A Triple Extortion Ransomware Attack?

In a triple extortion attack, malicious actors seek money not only from the organization that was first targeted but also from anyone who might be impacted by the disclosure of that organization’s data.

If the initial target declines to pay the ransom, other attacks may be launched against them. For instance, if a business has successfully recovered data from backups and isn’t negotiating, the attackers may launch a distributed denial-of-service attack to exert more pressure.

How Triple Extortion Ransomware Works

As its name says, the triple extortion ransomware adds another layer to the ransomware attack. An extension of the double extortion attack, using most of its tactics, this time the malicious actor will choose an extra pressure point to get his victim to pay.

In addition to data encryption (the first layer), and the threat of leaking important data (the second layer), the cybercriminal can add another tactic of his choosing (the third layer).

The most common tactics are going after the victim’s clients, partners, affiliates, patients, associates, suppliers, etc. with ransom demands so their data will not be leaked, launching an additional Distributed Denial of Service attack (DDoS) over the target, or making phone calls to persuade them.

But here is where the criminal inventiveness is free, and we even have records of a case in which a company’s printers were highjacked. The hacker then ceaselessly printed ransom notes as a strategy to make them pay.

The first triple extortion ransomware took place in October 2020, targeting Vastaamo, a Finnish psychotherapy clinic. After breaching the clinic’s network and encrypting data, the cybercriminals reached the patients with ransom demands. The patients were threatened that information about their therapy sessions would be made public if they fail to pay.

As ransomware technologies and strategies adapt and transform, modern attacks can become a ransomware chain that does not have to end, reaching further and further to a link of victims.

The Numbers Are Up

Researchers show that the number of ransomware attacks is increasing year after year.

Only in 2021, the number of breaches increased by 518% compared to 2020, and the value of ransom transactions rose by 82% in the same period of time, according to Unit 42.

This translates into the fact that the average ransom asked by malicious actors was $50m in 2021, but it reached this height from an average of $847,000 in 2020.

The average payment for a ransomware attack in 2021 was $570,000, compared to $312,000 in 2020, which was already 171% more than in 2019. This indicates that a trend is already emerging.

Who Are the Victims?

The most obvious targets for triple extortion ransomware are companies and organizations that hold important customer data. As the ransomware gangs are researching thoroughly a target before launching an attack, the possibility of further extending the siege to one’s clients is appealing to them.

In this category of favorite preys fall: healthcare organizations, government entities, and large private firms.

But any organization that can be in any way linked to a valuable victim is not safe and may get attacked. A good example is the REvil ransomware attack over Quanta, a Taiwanese manufacturer of electronics. When Quanta refused to pay the ransom, the cybercriminal gang turned its attention to one of the company’s clients, Apple, who was pressured to pay in order to avoid having leaked its confidential data.

And let’s also acknowledge the reputational damage that such an incident can cause to a company from any sector. A data breach converts a legitimate business into a dangerous partner.

How to Prevent Triple Extortion Ransomware Attacks

It is as important to have a plan in case of an attack, as it is to prevent one. Once the cybercriminal infiltrates your network, we know now that the extent of the attack, the tactics used, and the damage done to you and your partners can not be foreseen.

Businesses should not just focus on responding to breaches, but also take proactive measures to protect networks and endpoints.

Here are some measures you can adopt to stay safe in the case of a triple extortion ransomware attack, or other types of ransomware attacks:

  • A regular backup of your data on a secure server will help you recover and resume activity a lot faster.
  • Update your security tools and software so you can have the best protection offered by them.
  • Use encryption in your favor. By encrypting sensitive information, exposed data will not be readable even if they are leaked.
  • Don’t forget about the human factor and invest in educating your employees. With the majority of ransomware attacks using phishing, a well-prepared team can make the difference.
  • The endpoint is where a large part of cyber incidents happen, so make sure you make endpoint protection a priority.
  • Do regular scans for vulnerabilities in your network and patch them as soon as possible, as well as monitor your network for any unusual activity.
  • Access to sensitive data should be very carefully granted only to certain users, and good password management should follow it.
Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

How Can Heimdal® Help?

Installing a good anti-ransomware solution could save you a lot of time and money. Heimdal® is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, that is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).

There are a few easy steps we can take to prevent ransomware. Cybercriminals can affect your data and security to the extent that you allow them to.

For additional details on how to avoid ransomware, feel free to check out my colleague’s article on how to prevent ransomware.

Wrapping Up…

Losing money in the case of a successful ransomware attack is most likely, as any organization, even if it can recover its data from backup, fears having internal data and partners’ information exposed.

This makes this type of malware very profitable for cybercriminals who feel encouraged to invest in developing new features for their attacks.

In the face of continuous change and evolution of ransomware threats, prevention by implementing a series of measures and technologies is the best tactic.

If you liked this article, make sure you follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo