What is Double Extortion Ransomware?

How Does It Work?

Good data backups can defeat traditional ransomware. If an organization has another copy of its data, it does not need to pay for a decryption key to restore it.

Double extortion ransomware overcomes this challenge by combining data theft with data encryption. By stealing data and threatening to leak it if a ransom isn’t paid, the ransomware operator can successfully extort ransoms even if an organization has backups and could otherwise recover without payment.

Potential Risks and Impacts

A successful ransomware infection can be extremely damaging to an organization. Some of the most common impacts include the following:

• Financial Losses: Double extortion ransomware carries various potential costs to the business. In addition to the cost of remediating the incident, the company may lose sales during the attack and may need to pay legal and regulatory penalties.
• Reputational Damage: A successful ransomware attack may cause harm to an organization’s reputation and brand. The failure to protect customer data and the potential for interrupted services due to the attack may cause customer churn or force the company to pay restitution to affected customers.
• Data Loss: Some forms of double extortion ransomware encrypt data as well as steal it. Even if an organization pays the ransom or has backups, not all data may be recovered.
• Regulatory Penalties: A ransomware group stealing sensitive data is a reportable data breach. An organization may be liable to pay regulatory penalties as a result.

How to Prevent Double Extortion Ransomware Attacks

Some cybersecurity best practices to protect the organization against ransomware attacks include the following:

• Cybersecurity Awareness Training: Many ransomware variants use social engineering attacks, such as phishing, to gain access to an organization’s network. Training employees to identify these threats and respond appropriately reduces the risk of an incident.
• Data Backups: While double-extortion ransomware incorporates data theft, it also can encrypt valuable data. Data backups enable an organization to restore its data without needing to encrypt it.
• Patching: Some ransomware variants exploit software vulnerabilities to access and infect computers. Promptly applying patches and updates can help to close these security gaps before they can be exploited.
• Strong User Authentication: RDP and other remote access protocols are commonly used to infect corporate systems with ransomware. Deploying strong authentication — including multi-factor authentication (MFA) — can help prevent attackers from using compromised credentials to distribute malware.
• Network Segmentation: Ransomware groups will often need to move laterally through an organization’s network from the point of initial infection to high-value systems. Network segmentation — which breaks the network into isolated sections — can aid in detecting and preventing this lateral movement.
• Anti-Ransomware Solutions: Ransomware’s file encryption creates a distinctive activity pattern on a computer, and many variants have known signatures. Anti-ransomware solutions can identify and block or remediate ransomware infections before they cause significant harm to the business.
• Threat Intelligence: Knowledge of the latest ransomware attack campaigns is invaluable for protecting against them. Integrating threat intelligence feeds with cybersecurity solutions enables them to more accurately identify and block ransomware attacks.