Understanding Double Extortion Ransomware: Prevention and Response

Ransomware is currently one of the most common – and costly – threats facing businesses of all sizes and across all sectors. For example, one study by Thales revealed there was a 27 percent increase in these attacks last year. Yet despite this, it noted less than half of businesses have a specific plan in place for how to deal with such an incident.

Traditionally, ransomware works by encrypting files or entire systems, shutting down a firm’s operations unless it paid for the decryption key. But in the majority of today’s attacks, this is no longer the case.

The biggest cybersecurity risk now comes from ‘double extortion’ ransomware. This variant has been around for a while, but it has become a much bigger threat in the last few years as cybercriminals look for new ways to squeeze money out of their victims.

So what does this involve, why is it such a big threat, and how can firms counter it?

While traditional ransomware is based around encrypting data, double extortion ransomware also seeks to exfiltrate information from the business and send it back to cybercriminals. This stolen data can then be used as extra pressure when demanding a ransom, as in addition to being stuck with unusable systems if they do not pay up, businesses also face the threat of having their most sensitive and confidential assets exposed publicly or revealed to competitors.

BlackFog’s figures indicate that data exfiltration is a factor in the vast majority of ransomware incidents. In the first half of 2024, we found that 93 percent of ransomware attacks exfiltrate data, making it by far the biggest malware threat currently facing enterprises.

Double extortion ransomware is popular among cybercriminals because it works. Many businesses may feel they have no choice but to pay up – even if they would otherwise be able to recover encrypted data – because of the consequences they may otherwise face.

Indeed, BlackFog found that 43 percent of data exfiltration victims paid a ransom in the second quarter of 2024 – up from 36 percent for the previous three-month period. The amount handed over to prevent data exposure has also increased, with the average ransom payout reaching $391,015.

Double extortion ransomware enters a business like any other form of malware, with tactics including social engineering, drive-by malware and more advanced fileless attacks that seek to exploit vulnerabilities in software. However, once inside the perimeter, there are a few key differences in how it operates.

Like other types of ransomware, attackers will move laterally within a network seeking out critical data. However, as well as encrypting it, they will also make copies and exfiltrate them back to their command and control servers. They may take advantage of any available endpoint to do this, including PCs, laptops or employee-owned mobile devices.

Common types of data ransomware groups will look to exfiltrate include:

• Financial details such as credit card numbers
• Personally identifiable information including names, contact information and Social Security numbers
• Confidential internal discussions related to current or future business plans
• Research and development data
• Intellectual property and trade secrets
• Highly sensitive information such as healthcare data
• Customer account login credentials
• Anything that might be highly embarrassing to a business

This can often end up being significant quantities of information. BlackFog’s research notes that the average volume of exfiltrated data is 589GB, but in large-scale attacks this can easily reach into terabytes of data and billions of individual records.

When sending a ransom, cybercriminals may often release a small portion of their stolen data on the dark web to prove they have possession of it. This alone can be highly damaging as it announces that the business has been compromised – but it may be nothing compared to the full publication of sensitive data.

The impact of double extortion ransomware on businesses can be wide-ranging. As well as the blow to the reputation of a company if it becomes public knowledge that it has failed to protect customer data, this can leave it exposed to action from regulators. If local data protection authorities determine the breach was the result of carelessness or negligence, it can leave the company facing multi-million dollar fines. 

Common expenses that businesses can expect to see as a result of double extortion ransomware include:

• Direct ransom payments
• Lost business due to downtime
• Loss of customers due to reputational damage
• External consultants for mitigation and investigation
• New technology to harden systems against future attacks
• Regulatory fines
• Class action lawsuit expenses
• Higher cyberinsurance premiums

Individuals may also face severe consequences. For example, the exposure of healthcare records can be very harmful and embarrassing. This is one reason why organizations in this sector are particularly tempting targets for ransomware groups. Indeed, the payment of a $22 million ransom by Change Healthcare in March is reported to have fueled a wave of attacks targeting these firms in recent months. BlackFog’s data shows healthcare-focused attacks have increased by 40 percent compared with 2023.

Elsewhere, exposure of individual login details and financial information can be hugely useful to fraudsters – especially if customers have reused passwords across multiple sites. As a result, ransomware victims may also find themselves needing to pay for credit monitoring services or direct compensation for any customers impacted in an attack.

Double extortion tactics evolved from earlier types of ransomware attack in response to companies improving their plans for dealing with crypto or locker ransomware. In these cases, well-prepared organizations could often minimize disruption with a comprehensive backup and recovery plan. 

While it would usually take some time to get back up and running, having access to these resources meant there was little incentive to pay a ransom, so these attacks became less profitable.

Double extortion ransomware was therefore created by cybercriminals in order to increase the pressure on businesses and raise the chances they will pay. The risk of sensitive data being released is a powerful incentive for firms to hand over money in order to avoid what might be serious reputational damage or data exposure that leaves them at a competitive disadvantage.

The tactics cybercriminals use to gain access to data are also evolving. For instance, many groups have recognized that most businesses have antimalware solutions that use signature matching to detect known threats as soon as they enter a network. Therefore, sophisticated cybercriminals are increasingly turning to fileless attacks using legitimate tools such as PowerShell. These methods do not leave a telltale signature and can therefore evade these defenses.

Once data is in the hands of criminals, the damage is done. Therefore, the best defense against this type of attack is to focus on ransomware prevention. This means being able to spot, identify and contain attacks before they have a chance to find and exfiltrate data. To do this, it’s important to take a defense in depth approach that includes layers of protection.

Some of the crucial technologies for achieving this include:

• Firewalls
• Antimalware tools
• Email security
• Access controls
• Data encryption
• System monitoring software
• Endpoint detection and response tools

In addition to these, one essential technology that is specifically designed to deal with the threat of double extortion ransomware is anti data exfiltration (ADX). These solutions can be added to any endpoint within a network – including mobile devices – and monitor any traffic leaving the network looking for suspicious activity.

By using AI to build up a picture of what normal behavior looks like, this can quickly identify any anomalous activity while reducing the risks of disruptive false positives. It can then automatically step in without the need for human intervention to block any data exfiltration attempts. This ensures that, even if other parts of a cybersecurity strategy have failed to spot an attack, the key aspect of double extortion ransomware  – data theft – can be prevented.

If all these measures fail and firms do find themselves facing a data breach and a  ransomware demand, there should still be a response and recovery plan in place. As is the case with any security incident, this must begin by ensuring all infected systems are isolated so that the damage is contained as much as possible, before turning to backup and recovery plans in order to retrieve any encrypted data.

When it comes to double extortion ransomware, the most important question will be whether or not to pay. In cases where businesses are being threatened with the public exposure of confidential data, it can be highly tempting to give in so this can be prevented. However, in practice, there are several reasons why this is often a bad idea. These include:

• There’s no guarantee criminals will keep their word and delete any data they possess
• Firms may not be able to recover all encrypted information
• It will likely make them a target for repeated attacks in the future
• A payment could be illegal depending on laws relating to funding criminal activity

Therefore, while it may be more painful in the short term to resist any demand, it is likely to be a far better approach in the long run.

Ultimately, if the data is already in the hands of criminals, there will only be so much firms can do. Therefore, the best defense against double extortion ransomware will be steps to prevent data leaving the network in the first place. Data security tools such as effective monitoring, access controls, encryption and ADX all have a part to play in this, as well as strong employee education on potential threats.

Becoming the target of a ransomware attack is increasingly a case of when, rather than if, but if firms are well-prepared, have the right technology in place and have a clear plan for what to do in the event of an attack, they can ensure that any incidents are spotted early and dealt with before any data is compromised.