Select Page

The term Double-extortion ransomware started to spread a year and a half ago. At that time, only one known threat actor was exploiting it. But nowadays, more than 16 ransomware make use of this technique.

So, what is it, and why has it become so popular?

Let’s find out exactly that.


What Is Double-Extortion Ransomware & How Does It Work

Different from traditional Ransomware attacks, as the name indicates, double-extortion or pay-now-or-get-breached starts by exfiltrating the victim’s private information and proceeding to encrypt it.  But threatens to expose it online or sell to the highest bidder, instead of only destroying it if the victim refuses to pay the ransom or fails to do it timely.

This second step makes business backups and file storage practically worthless.

So far, the first published case of double-extortion ransomware known was against an American provider of security systems/services, called “Allied Universal” in 2019. The ransomware gang used Maze and asked for 300 bitcoin of which the organization refused to pay. 

Therefore, the ransom request was increased by 50%, and stolen information (certificates, contracts, and medical documentation) was leaked as well by the attackers to show the attack’s seriousness. 

They also threatened to use such data to pretend to be the company in a spam operation.

Allied Universal got 10% of their data exfiltrated and the 90% rest after a two weeks deadline.


Double-Extortion Ransomware Trend (“The New Normal”)

According to experts, both ransomware developers and corporate-access brokers have provoked a 935% increase in “companies that had their stolen data made public on a DLS (data leak site).”

Overall Size of the Initial Access Market


And according to Group-IB’s Hi-Tech Crime Trends Report 2021/2022, the ransomware industry is also increasing day by day. This is caused by a combination of poor corporate security and the ever-expanding RaaS affiliate market. And the fact that today’s ransomware attacks are becoming multi-layered, to a point where they don’t necessarily have an “end” might keep increasing the frequency of attacks, instead of stopping soon.

Considering that 70% of the attempts now also exfiltrate data (double-extortion ransomware) let us know that the term is becoming a misnomer (ransomware attack denoting a singular problem, consisting of a single “stage”). So, no more decryption key afterward?

That’s just the tip of the iceberg. We’re already seeing new layers being added to ransomware attacks, to the point of having a third and a fourth possibly targeted in the future, combined with other types of attacks to pressure or new leak points.

A triple-extortion ransomware attack was first seen 12 months ago when hackers gained access to Vaastamo, a Finnish physiotherapy provider. The ransom was also directed to thousands of the victims’ clients whose records could be exfiltrated.

Healthcare organizations like this one are obvious targets for holding customer data as their own. But any business (like yours) probably carries valuable data or is connected to a third company who carries for it… Are you ready to prevent an attack like this one?

You’re probably not ready, But to be honest, most companies aren’t.

Will you wait to lament or will you seek to prevent it before it is too late?

We know you’ll make the right decision. 

And we’re here to help you with any current or future cybersecurity issue your company has.