Double Extortion Ransomware
Definition
Attacks combining data encryption with threats to leak stolen sensitive information unless paid.
Technical Details
Double extortion ransomware is a sophisticated form of ransomware attack that not only encrypts the victim's data but also exfiltrates sensitive information. In this attack, the cybercriminals first gain access to the victim's network, usually through phishing, exploiting vulnerabilities, or using stolen credentials. Once inside, they encrypt the files, making them inaccessible to the victim. Concurrently, they steal sensitive data, which they copy to servers under their own control. The attackers then demand a ransom both for decryption of the files and to prevent the public release of the stolen data. This dual threat increases the pressure on victims to pay, because the consequences of data leakage can be severe, including regulatory penalties and reputational damage.
Practical Usage
In the real world, double extortion ransomware attacks are often executed by organized cybercriminal groups targeting businesses, healthcare institutions, and governmental organizations. These attackers may use ransomware-as-a-service (RaaS) platforms to facilitate their attacks, allowing less technical criminals to engage in double extortion schemes. The practical steps for organizations to defend against such attacks include implementing robust cybersecurity measures such as regular data backups, employee training on phishing detection, network segmentation, and employing advanced threat detection systems. Organizations are also encouraged to develop incident response plans that include communication strategies for managing the fallout of a potential data breach.
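As an added example (not code from the original page), the following Python sketch shows the kind of correlation a threat detection system can apply to catch the two signals that distinguish double extortion from plain encryption: a burst of files renamed to a ransomware-style extension on a host, and an unusually large outbound transfer from that same host to an external address. The thresholds, hostnames, addresses, and event records are constructed assumptions for illustration.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the page.
RENAME_BURST = 50          # renamed files per host before we treat it as encryption
EXFIL_BYTES = 500_000_000  # outbound bytes to one external address (500 MB)
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")  # assumed indicators

def is_internal(ip):
    """Crude private-range check; assumption: internal space is 10/8 and 192.168/16."""
    return ip.startswith("10.") or ip.startswith("192.168.")

def assess_hosts(events):
    """Return {host: {"encryption", "exfiltration", "double_extortion"}} verdicts.

    Each event is a dict with "host" and "type"; file_rename events carry "path",
    net_flow events carry "dst" (destination IP) and "bytes" (bytes sent)."""
    seen = set()
    renames = defaultdict(int)                         # host -> suspicious renames
    outbound = defaultdict(lambda: defaultdict(int))   # host -> external dst -> bytes
    for ev in events:
        seen.add(ev["host"])
        if ev["type"] == "file_rename" and ev["path"].endswith(SUSPECT_EXTENSIONS):
            renames[ev["host"]] += 1
        elif ev["type"] == "net_flow" and not is_internal(ev["dst"]):
            outbound[ev["host"]][ev["dst"]] += ev["bytes"]
    result = {}
    for h in seen:
        enc = renames[h] >= RENAME_BURST
        exf = any(b >= EXFIL_BYTES for b in outbound[h].values())
        result[h] = {"encryption": enc, "exfiltration": exf, "double_extortion": enc and exf}
    return result

# Constructed sample telemetry: ws-07 shows both signals, fs-02 only encrypts,
# ws-11 moves a lot of data but to an internal backup server.
SAMPLE_EVENTS = (
    [{"host": "ws-07", "type": "file_rename", "path": f"finance/doc{i}.xlsx.locked"} for i in range(120)]
    + [{"host": "ws-07", "type": "net_flow", "dst": "203.0.113.25", "bytes": 900_000_000}]
    + [{"host": "fs-02", "type": "file_rename", "path": f"share/file{i}.pdf.crypt"} for i in range(75)]
    + [{"host": "ws-11", "type": "net_flow", "dst": "10.0.5.40", "bytes": 2_000_000_000}]
)

if __name__ == "__main__":
    for host, verdict in sorted(assess_hosts(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

In a real deployment the two signals would come from endpoint file telemetry and network flow logs respectively; raising an alert only when both coincide on one host reduces noise from legitimate bulk transfers, while the encryption-only verdict still warrants a look on its own.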
Examples
- In 2020, the Maze ransomware group was one of the first to adopt the double extortion technique, successfully attacking multiple organizations and leaking sensitive data when victims refused to pay the ransom.
- The REvil ransomware group targeted JBS USA in 2021, demanding a ransom for both decrypting their operational data and for not releasing stolen customer and employee information.
- The NetWalker group attacked the University of California San Francisco (UCSF) in 2020, encrypting files related to COVID-19 research and threatening to leak sensitive data unless the ransom was paid.