Ransom attacks: Double to triple extortion


Cybercriminals, extortionists, and black hat hackers are finding easier and more lucrative ways to make money. They’ve taken the already powerful model of traditional Ransomware and developed a new strain of cyber-extortion. Now, these threat actors are armed with sophisticated extortion tactics, Ransomware-as-a-Service, and new affiliated business models.


They use these tactics to exert higher levels of pressure and increase the chances of a successful payment. They are now using three levels of extortions: data encryption, data disclosure or exposure, or DDoS attacks. 



Table of Contents

  1. It Started with Ransomware.
    • When Ransomeware loses its power.
  2. Escalating the Extortion: Data Theft.
    • When Data Theft took a dark turn.
  3. Triple Extortion. Attackers go after a wider attack surface and more pressure.
    • Howdoes triple extortion work?
  4. Could you be a victim? If so, what can you do about it?
    • Recommendations.



It Started with Ransomware.

Ransomware is the first level of extortion. In a normal Ransomware scenario, cybercriminals infect a computer with Malware that encrypts portions of (or all) your data.


They use coercion to push the victim to pay a ransom for the decryption key— as they are the ones that hold the key to unlock this data. If the victim pays the ransom, then the attackers would give them the decryption key that restores their data, or they would just leave the data encrypted, in other words, useless.

When Ransomeware loses its power.

On March 7, 2021, Bose, a high-end audio manufacturing company, disclosed a double-extortion Ransomware attack. Bose refused to pay the extortionists and was able to bring back their systems with the help of their cybersecurity expertise and restore/recovery solutions. But the level of the attack is said to have gone beyond locking data, into data theft. To make sure Bose paid the ransom, the threat actor also stole employee’s sensitive data, including names, Social Security Numbers, and salaries, and threatened to disclose it.


As many would-be victims like Bose, started to have proper security awareness, Backup/Restore, or Disaster Recovery solutions to simply recover encrypted data, or they would probably never care to pay, ransomware gangs had to change strategy. As they noticed that their file encryption tactics were being mitigated or the pay ignored, they changed the extortion strategy to force victims to pay.


The ransomware gangs would use other hacking methods (outside Ransomware) to exert more pressure on the victim and do second-level extortion.

Escalating the Extortion: Data Theft.

Ransomware gangs are going beyond what Ransomware does. They are now combining advanced data breach and exfiltration hacking techniques to steal data.


It started in 2019, when a Ransomware gang called Maze, started to hack into a victim’s system and steal their data. Then, to push more pressure, they threaten direct and indirect victims to disclose the stolen data in hacker’s forums or sell it.


They realized that having the data gave them an upper hand to exert more pressure and have a wider attack surface. They could use a single data breach to target, not only a single victim (company) but third-party victims, including clients, business partners, and service providers.

When data theft took a dark turn.

In October 2020, Vastaamo, a Finnish psychotherapy clinic suffered one of the worst cases of data breaches, with second-level extortion. A security flaw in their IT infrastructure led to a massive data breach including highly sensitive data of its 400 employees and more than 40,000 patients. Even though Vastaamo paid the hefty ransom for the decryption key, the attackers went after the patients. They started to threaten the patients with disclosing their therapy session notes unless they also paid a ransom.


Double extortions like the Vastaamo case, work because it pushes victims into a corner. Nobody related to the victim would like to have their data disclosed in hacker forums or shaming sites.


Two other similar recent examples of double-extortion attacks?


  • The Colonial Pipeline Shutdown. On May 7, 2021, the Colonial Pipeline shut down its 5,550-mile gasoline pipeline, due to a Ransomware attack. Colonial Pipeline was threatened that the stolen data containing sensitive information would be disclosed on the Internet. [source: nymag.com].
  • Ransomware gang threatens DC Police Department with data leak. In late April 2021, the new Ransomware-as-a-Service operated by the Babuk Ransomware gang found a zero-day vulnerability in the DC Police Department. The threat actors locked data files and exfiltrated sensitive police data while threatening to leak the information if the ransom wasn’t paid. [Source: ThreatPost].


Triple Extortion. Attackers go after a wider attack surface and more pressure.

Ransomware gangs are never satisfied and will attempt to do whatever it takes to make a profit out of their campaigns. Now, they are bringing other types of extortions outside the Ransomware and data theft models.


They are now including other forms for exerting pressure, especially DDoS Extortion Campaigns and VoIP calls. A clear example of this is the REvil ransomware gang, a Ransomware-as-a-Service that develops Malware and “rents” it to their affiliates for a commission. According to a report from Bleepingcomputer, this same group (as of February 2021) was looking for “new affiliates” to perform DDoS attacks and use VoIP calls to threaten victims.



How does triple extortion work?

  1. VoIP calls: According to the same source, the attackers are looking to perform VoIP calls to the media and the victim’s business partners. They want to go after indirect data breach victims and spread the fear that their data is bound to be exposed. This will ensure more pressure on the victim.
  2. DDoS attacks: The threat actors will go back to the victims that didn’t pay or respond to the first or second extortion and threaten them with a DDoS attack. The DDoS threats follow a similar pattern:
    1. If they don’t pay, they would flood the victim’s network or website with a massive amount of junk traffic rendering the entire service unavailable.
    2. The triple extortion can be a new DDoS attack found today, such as Memcached reflection or amplification. Although DDoS Extortion Campaigns are not new, groups like the REvil ransomware gang are offering paid DDoS (L3 and L7) included in their services.
    3. A DDoS attack requires more resources than the normal Ransomware or data theft tactics, but if successful, it can ruin the brand’s reputation and make the company lose money.




Could you be a victim? If so, what can you do about it?

Extortionists and Ransomware gangs would use Ransomware for any target (either small or large) and use data theft and DDoS for larger targets. This is because the investment in the latter is higher, but there are more chances of making a good profit.


These groups are targeting different industries in 2021, but most commonly the financial and healthcare (biotechnology and pharmaceutical), insurance, utilities, and legal vertical markets. Ransomware criminals are after victims within these industries, like the Vastaamo psychotherapy clinic, because they have more to lose in terms of reputation than financial. The victims with more interlinked third-party (indirect) victims.


Who are the second-third extortion victims?

  • Victims for the second-triple extortion are usually the earlier victims that either never responded to the first and second ransom or never paid. If Ransomware didn’t work, the cybercriminals would try changing the extortion strategy.
  • They are also targeting victims that did pay. As they see these victims as compliant.


If you have been subject to Ransomware and fear that you might likely be a target for a second time, follow the recommendations below, and also learn more about Ransomware and how to protect yourself.


  • Patch immediately. Ransomware groups target victims with unpatched systems. Although a zero-day vulnerability could be found by one of the threat actors and exploited before a patch or hotfix is even published, it is always recommended to patch and update systems as soon as possible.


  • Security awareness and training. Originally, Ransomware spreads via Malicious spam (Malspam). This type of malicious spam aims to deliver email in bulk with a malicious link or infected files, to a massive number of potential victims. When the victim opens the link that leads to a file (or opens an attachment), a script runs in the background and infects all devices with Malware designed to encrypt files. Train people to identify spear-phishing emails, text messages, or automated voice calls.
    • For more information on how to identify fake URLs, sites, and avoid scams, learn here.
    • Additionally, you can also check Cloudbric Labs’ set of free web security resources and tools where you can check if the IP, URL, or wallet is a known phishing or malicious site.


  • Use endpoint and network protection to monitor for infections: Stopping endpoint and network infections is key to preventing Ransomware. For example, Malware such as Trickbot, Emotet, and Dridex are known to give access to Ryuk Ransomware. Or the Necrus botnet, which was used to distribute the Locky Ransomware with Spam and Malware. Use cybersecurity devices or software like Antivirus, Firewall, Web Application Firewall, or IDS/IPS to identify Ransomware infections and their variants. Additionally, these devices can also protect against data breaches.


  • Have a plan for DDoS attacks. To prevent a DDoS, you’ll need to have WAF and CDN defenses in place to filter the junk traffic sent by the threat actors. An example of an advanced WAF is Cloudbric’s AI deep learning WAF+ which is capable of taking all traffic in and recognizing web attack patterns. With a WAF behind a CDN, large-scale suspicious DDoS traffic loses power and is entirely filtered by the intelligent WAF.