The New Trend of Ransomware: Triple Extortion

The New Trend of Ransomware: Triple Extortion

agosto 16, 2021 | Jie Ji

Threat actors who specialize in ransomware are always using Double Extortion Tactics in which they not only encrypt the victim’s data but also threaten to leak sensitive data publicly unless the ransom is paid. Double Extortion Tactics first started appearing in late 2019, becoming an increasingly common trend through 2020.

The attack against Allied Universal (American provider of security systems and services; janitorial services; and staffing) by the Maze ransomware team in November 2019 is the first published example of a double extortion attack. The Maze ransomware team encrypted their files and system to make them inaccessible and threatened to leak sensitive data if their demands wouldn’t be met. When the victims refused to pay a ransom of 300 Bitcoin (More than $11 million at today’s rates), the Maze ransomware team published a sample of the stolen files including contracts, medical records, and encryption certificates and retaliated by a new ransom demand that was 50% higher. Since then, Double Extortion Tactics are being copied by different cybercriminal groups all over the world.

In 2021, cybercriminal groups are constantly working to innovate and make their cyberattacks more effective than ever before to ensure payment from their victims. The latest involves Triple Extortion Tactics, which can be seen as an expansion to the Double Extortion Tactics that integrating an additional threat to the process. Here’s how it works:

  • File encryption: Cybercriminal groups breach a network and encrypt valuable files and systems to make them inaccessible to their victims. Common tactics include malicious attachments or links to malicious downloads and websites in emails and chat messages purporting to be from someone the recipient knows. Victims can be regaining access to their data by pay ransom in hopes of receiving decryption keys or self-recovery by the backup system.
  • Data theft: Cybercriminal groups extract large quantities of sensitive data before encrypting them. Then they will threaten to publish or sell the sensitive data unless ransom demands are paid. The leakage of sensitive commercial information will result in critical damage to their business reputation, share price, and suffer serious costs to clients and employees. That’s why more and more victims are surrendering to criminal demands and pay the ransom.
  • Distributed denial-of-service (DDoS) attacks: The DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. There is no doubt that DDoS attacks have already become a noticeable threat across industries, especially in finance, government, health care, and online gaming. DDoS attacks also target the mission-critical applications that organizations rely on for daily maintenance  and operations, like email, database, and CRM, to name a few. As organizations have grown more dependent on Internet applications and services, business continuity and availability have become as essential as electricity. In this context, cybercriminal groups will be prone to launch DDoS attacks targeting the victims’ network or even ripple through victims’ users, clients, service providers, and more. That is designed to apply greater pressure on the victim to cough up the ransom.

As a global network and cybersecurity leader, NSFOCUS delivers DDoS mitigation solutions including the visibility, scalability, automation, and orchestration required to eliminates all DDoS attacks targeting both customers and infrastructure. Leveraging the power of NSFOCUS DDoS mitigation solutions, we provide comprehensive, multi-layered DDoS protection across physical, virtual, container, cloud, fixed, and mobile infrastructures, helping our customers take proactive steps to protect against extortion.