Skip to main content

Double trouble: the rising threat of double-extortion ransomware

Chris Huggett at Sungard Availability Services warns that with double extortion ransomware crime is getting even more dangerous

Ransomware attackers continue to threaten businesses at an increasing scale, speed and sophistication. As the world slowed down during the Covid-19 pandemic, opportunistic criminals took advantage, with thirty-seven percent of UK companies reporting a data breach incident to the Information Commissioner’s Office (ICO) in the last twelve months.

Businesses have tried to counter these attacks, adopting new processes and security solutions, but like any war, this has been met with significant retaliation. Attackers are evolving their strategies and techniques, making it harder for businesses to keep control of their assets. Even the motivations of the cyber criminals are changing, moving on from holding organisations to ransom for financial gain to causing as much disruption as possible.

Ransomware attacks on the Colonial Pipeline in the US earlier this year forced the private company to pay an estimated $5 million in Bitcoin to regain control and continue services. Ireland’s Health Service Executive was put under pressure to deliver a ransom fee of $20 million in order to save their patients personal data going public. Even after an agreement was made, 520 records still made their way onto the dark web. 

Rather than just encrypting data and holding the owner to ransom, attackers have adopted a new trend; double extortion ransomware. It involves an attacker exfiltrating the data first, rendering standardised data backups and data recovery plans obsolete. Criminals have found another avenue for extortion, so how can organisations overcome this new threat? 

Does double-extortion mean double the threat?

The double-extortion ransomware technique allows criminals to combine their previous ways of working, demanding a ransom fee for the assets they have stolen and using the threat of releasing the data publicly as blackmail. If the ransom is not paid in the timeframe, cyber criminals publish the business information for all to see, including customer, competitors and employees.

They adopt a public “name-and-shame” campaign, with the hope of spurring enough panic in the business to forces their hand in paying up. According to recent Emisoft research, the number of cybercriminals adopting the “name-and-shame” tactic is growing. The research found that out of 100,101 received reports of ransomware attacks on both businesses and public sector bodies, 11.6 percent of those were by groups that steal and publish data in “name-and-shame” style attacks.

There is also a growth in crimeware-as-a-service by nation-state actors, which are increasingly adding to geopolitical tensions. Nation-states are buying tools and services from the dark web, while tools developed by nation-states are also making their way onto the black market.

How can organisations overcome this threat?

Organisations can overcome this growing threat by building a data recovery plan that works.

When it comes to extorting a ransom, attackers first need to make sure any data they leave behind is of no use or benefit to the company they are stealing from, otherwise they run their demands not being met. So, to overcome this they disable or destroy backups, making it near on impossible to recover any valuable data.

Once this backed up, recovery data is compromised businesses struggle to get back on their feet. By developing a dedicated compromised data risk management plan, businesses are able to improve their odds and make recovering compromised data far more likely compared with if they were to use a standardised data recovery process. Ransomware demands have never been higher and readying an organisation requires rethinking existing data recovery plans.

To address these recurring challenges, organisations need to plan for the five most critical steps to recovering damaged data:

  • Identify ― Identifying and justifying the organisation’s Vital Data Assets (VDA). This is the data that requires an additional level of protection. It’s the businesses must-have data.
  • Protect — Capabilities to improve the odds that you will have current clean data to restore, for example a failsafe copy that is safe from a cyberattack.
  • Detect ― Identifying vulnerabilities of weaknesses in your controls that can increase the organisation’s risk of access to its VDA’s.
  • Respond — The plans, the processes, the procedures to be followed in the aftermath of a successful data compromising event.
  • Recover ―The rehearsals, tests, and exercises that prepare the teams for this eventuality.

Now is the time for organisations to double their security efforts

In today’s digital environment, no organisations, businesses, institutions or individuals are safe from the threat of ransomware attacks. But the odds against them can be significantly improved.

Using pre-existing detection and prevention tools is one step to fighting back, but putting a full proof plan in place to prepare for the eventuality of an attack and the steps that will be needed to recover afterwards will be key to overcome the new tactics being used. On top of outside threat actors, every organisation is susceptible to internal threats such as a disgruntled employee with privileged access to the network.

In spite of awareness training, human error is still a risk and network access is only one accidental embedded link click away.

Ultimately, it’s up to each organisation to look at the big picture, based on their unique points of view and the perspectives that inform it. The threat of a ransomware attack is significant, but one that is capable of destroying brand reputation and customer trust could be even more business critical.

Before a successful double-extortion ransomware attack forces an organisation to act, they should have briefed the entire business, worked closely with executive management on which data is the priority and set out plans for a successful recovery mission. Only then can businesses be prepared enough to ensure they have time to act before a ransomware attack takes complete control.

Chris Huggett is SVP of EMEA at Sungard Availability Services

Main image courtesy of


All rights reserved Teiss Recruitment Ltd.