Double extortion is a technique employed by some ransomware organizations.
Conventional ransomware encrypts the victim's data and demands payment in exchange for a decryption tool.
Double extortion adds a second lever: before encrypting, the attackers exfiltrate a copy of the victim's data, then demand payment not only for the decryptor but also to keep that stolen copy from being published online or sold.
The first group of attackers to use double extortion is said to be “Maze”.
In November 2019, Maze sent an email claiming to have breached a security staffing firm.
The email stated that the group had downloaded data from the victim's network and would start publishing the stolen information unless the company paid the ransom demanded.
One day before the deadline, Maze posted on the Bleeping Computer forums about the successful network intrusion, together with a link to a 7-zip archive. It claimed the archive held about 700MB of leaked files, including contracts, medical records, encryption certificates and other material stolen from the company.
Later, in early June 2020, the operator of the LockBit Ransomware-as-a-Service (RaaS) platform had data stolen from an architecture firm published on Maze's "Maze News" leak site, in cooperation with Maze.
Maze's campaign is widely credited with turning double extortion from a one-off tactic into a mainstream ransomware threat.
Double extortion activity has kept growing: by the end of 2020, 15 different ransomware groups were stealing data from victims and threatening to publish it.
Ransomware attackers use double extortion to pressure organizations into paying even when the victim can restore its systems from backups. In these "Ransomware 2.0" attacks, the victim faces not only data loss but also the prospect of a public data leak, which backups do nothing to prevent.
But, as with any ransomware incident, an organization has no guarantee that the attackers will keep their word, even if it pays to avoid a data breach. Ransomware researchers found that at least five ransomware groups reneged on their promises in the third quarter of 2020.
For example, there are documented cases of "Sodinokibi" re-extorting victims with the same stolen data just weeks after the ransom was paid. In other cases, groups such as Netwalker and Mespinoza published data belonging to victims who had already paid.