Double-Extortion Ransomware: Be Aware & Prepare

Written by: Andrew Jordan

The widespread panic surrounding the COVID-19 pandemic put many organizations in a vulnerable position, and malicious actors took advantage, targeting employees and systems with cyberattacks. One of their primary tactics was ransomware. According to Bitdefender’s Mid-Year Threat Landscape Report, ransomware attacks increased by 715% in 2020, and the continual refinement of these attacks is producing harsher threats that jeopardize the confidentiality, integrity, and availability of information.

Ransomware is malware that encrypts files and information on a device or across a network, leaving any system that depends on the encrypted data unusable until it is decrypted. Traditionally, the attacker’s objective was simply to demand a ransom payment in exchange for the cryptographic key that unlocks the data. Attackers have since refined their tactics, however, and organizations must reassess the threat.

Double-Extortion Ransomware

Attackers are now using double extortion. Before encrypting a victim’s data, they quietly exfiltrate a copy of it. Then, in addition to selling the decryption key, they threaten to leak or sell the stolen data, often releasing it in increments, until the ransom is paid. This creates additional pressure on the victim to give in to the demands, and it means that restoring from backups alone does not end the incident, because the attacker still holds the data. The attacker may even threaten to leak data after the victim has already paid for the decryption key, testing whether the victim is willing to pay a second time.

According to F-Secure’s report Attacks Landscape Update, 15 different ransomware families used double extortion in 2020, compared with only one family in 2019. Almost 40% of all ransomware families observed in 2020 used this method.

Recently, attackers have raised the stakes even further by targeting their victims’ customers. In this scenario, the customer receives a notification stating that the organization has been breached and that the customer’s data will be sold on the dark web unless the organization pays. The attacker’s goal is to have customers pressure the organization into paying the ransom. For the organization, this can mean many customers reaching out with significant concerns or even panic, with lasting damage to reputation and trust.

How to Detect Double-Extortion: Know the Signs

Ransomware can enter a network in multiple ways, but the most common vector is phishing email. A malicious message is sent to a user disguised as a file or link from a source they trust. Once the attachment is opened or the link is followed, the attacker can take control of the victim’s device and, from there, move to other devices on the network. The impact of COVID-19 created a perfect storm for attackers to capitalize on the uncertainty felt by many individuals. Between February and April 2020:

  • Cyberattacks against banks increased by 238% according to VMware Carbon Black
  • Phishing attempts increased by 600% according to KnowBe4
  • Overall cybersecurity crimes increased 300% according to the Federal Bureau of Investigation (FBI)

Common phishing emails have included links offering advice or news about COVID-19, stimulus payments, vaccine scheduling, and other current events. Recipients are more susceptible if they are working in an unfamiliar remote environment or have an emotional stake in the bait. At many organizations, the rate at which users responded to phishing emails rose during the pandemic. It is more important than ever for institutions to educate employees in security awareness, and specifically in current threats, so they know how to avoid a phishing email and how to report one. Recognizing the signs of a phishing attempt (a sender or reply-to address that does not match the claimed organization, a link whose visible text differs from its real destination, an unexpected or executable attachment, or a message that demands urgent action) is essential to avoid falling victim to a double-extortion ransomware attack.
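The checks below turn the signs just described into code that can be run over a raw message. This is an added example, not code from the original article: the indicator set (Reply-To domain differing from From, link text naming a different host than its href, executable attachment extensions, lure words) and the sample message are assumptions constructed for illustration, and a real mail filter would use many more signals.

```python
"""Flag common phishing indicators in a raw email message.
Added example, not code from the original article. The checks are a small
assumed set illustrating the kind of signs the article tells users to watch
for: a Reply-To domain that differs from From, link text naming one host
while the href goes to another, executable attachment extensions, and lure
words. Real mail filtering uses many more signals than these.
"""
import email
import os
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso"}  # assumed list
LURE_WORDS = {"stimulus", "vaccine", "covid", "urgent", "immediately", "suspended"}

# Constructed sample message (not a real phishing email) that trips every check.
SAMPLE = """\
From: "Payroll Department" <payroll@example.com>
Reply-To: payroll-help@mail-example-secure.net
Subject: URGENT: stimulus payment requires your action
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your stimulus payment is on hold. Confirm your details
immediately at <a href="http://login.mail-example-secure.net/x">
https://portal.example.com/payroll</a> or your account will be suspended.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="payment_details.pdf.exe"
Content-Disposition: attachment; filename="payment_details.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host_in_text(text):
    """Hostname a reader would assume a link targets, judging by its visible text."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""


def phishing_indicators(raw):
    """Return (category, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(parseaddr(str(msg.get("From", "")))[1])
    reply_dom = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom}, replies go to {reply_dom}"))
    text = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        text += " " + content
        if body.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(content)
            for href, visible in collector.links:
                shown = _host_in_text(visible)
                actual = (urlparse(href).hostname or "").lower()
                if shown and actual and shown != actual and not actual.endswith("." + shown):
                    findings.append(("link-mismatch", f"text shows {shown}, href goes to {actual}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXT:
            findings.append(("risky-attachment", name))
    lures = sorted(LURE_WORDS & set(re.findall(r"[a-z]+", text.lower())))
    if lures:
        findings.append(("lure-words", ", ".join(lures)))
    return findings
```

Running `phishing_indicators(SAMPLE)` reports all four categories; a plain-text note from a colleague with no links or attachments produces none. The link check deliberately treats a subdomain of the shown host as legitimate, so `www.example.com` shown against `login.example.com` is not flagged, while a lookalike domain is.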

Prevent & Mitigate

Preventive controls are still your first line of defense to ensure these threats don’t impact your organization. These include:

  • Technical controls that detect and block malware, ensure the security and integrity of your backups (kept offline or otherwise isolated from the production network, and verified regularly), and segment your network so that its components are insulated from each other
  • Educational controls for employees to react effectively to social engineering and phishing attempts
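One concrete form of the backup-integrity control above, as an added example that is not code from the original article: a manifest of file digests is recorded when the backup is written and authenticated with an HMAC under a key kept off the backed-up host, so ransomware that rewrites files on the backup volume, or rewrites the manifest to cover its tracks, is caught at the next verification. The entropy threshold, the tiny backup tree, and the simulated ransomware (random bytes plus a `.locked` rename) are all assumptions constructed for the demonstration.

```python
"""Verify a backup tree against a keyed manifest and flag likely-encrypted files.
Added example, not code from the original article. Model assumed here: when
a backup is written, a manifest of SHA-256 digests is recorded and signed
with an HMAC under a key kept off the backed-up host. The 7.5 bits/byte
entropy threshold is an assumed heuristic for spotting ciphertext.
"""
import hashlib
import hmac
import json
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # assumed: random/encrypted data scores close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _walk(root):
    """Yield (relative posix path, absolute path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_manifest(root: str) -> dict:
    """Map each relative path to the SHA-256 hex digest of its contents."""
    manifest = {}
    for rel, path in _walk(root):
        with open(path, "rb") as f:
            manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON, so the manifest itself is tamper-evident."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(root: str, manifest: dict, signature: str, key: bytes) -> dict:
    """Compare the tree under root with a signed manifest.

    'manifest_ok' False means the manifest was altered or signed with another
    key, so the modified/missing/added lists cannot be trusted either.
    """
    report = {"manifest_ok": hmac.compare_digest(sign_manifest(manifest, key), signature),
              "modified": [], "missing": [], "added": [], "high_entropy": []}
    current = {}
    for rel, path in _walk(root):
        with open(path, "rb") as f:
            data = f.read()
        current[rel] = hashlib.sha256(data).hexdigest()
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Sign a tiny constructed backup, then simulate ransomware touching it.

    Returns reports for the clean tree, the damaged tree, and the damaged tree
    paired with a manifest an attacker regenerated without the signing key.
    """
    key = os.urandom(32)  # in practice kept off the backup host, e.g. in a KMS
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "customers.csv"), "w") as f:
            f.write("id,name\n" + "".join(f"{i},user{i}\n" for i in range(200)))
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("quarterly review notes\n" * 50)
        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        clean = verify_backup(root, manifest, signature, key)

        # Simulated ransomware (random bytes, not real malware): overwrite one
        # file with ciphertext-like data and rename another with a ransom extension.
        with open(os.path.join(root, "db", "customers.csv"), "wb") as f:
            f.write(os.urandom(4096))
        os.replace(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))
        with open(os.path.join(root, "notes.txt.locked"), "wb") as f:
            f.write(os.urandom(4096))
        attacked = verify_backup(root, manifest, signature, key)

        # Attacker regenerates the manifest to match the damaged tree but has no key.
        forged = verify_backup(root, build_manifest(root), signature, key)
    return clean, attacked, forged


if __name__ == "__main__":
    for label, report in zip(("clean", "attacked", "forged manifest"), demo()):
        print(label, report)
```

The entropy check is independent of the manifest: even if an attacker manages to re-sign a manifest, a backup volume that suddenly fills with files scoring near 8 bits per byte is itself a signal worth alerting on, since ordinary documents, databases, and logs score much lower.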

Effective response planning should also be a priority. If this type of threat hit you, what would you do? The best way to handle a ransomware attack is to be prepared, with remediation strategies developed in advance. You should have comprehensive disaster recovery, business continuity, and incident response plans that are built and tested to account for these attacks, including the data-leak side of double extortion: who decides on customer and regulator notification, and how it is communicated. Tabletop and threat emulation exercises will also help identify gaps in your readiness.


It is generally recommended that organizations never pay a ransom demand. As the double-extortion tactic shows, there is no guarantee that the attacker will honor their word once paid, and paying for a decryptor does nothing to recover data the attacker has already copied. The sharp uptick in cyberattacks, combined with the latest developments in ransomware tactics, should alert organizations to the need to bolster their cybersecurity controls against these attacks.