Double Extortion Ransomware - Encrypt and Leak
Double extortion is a technique used in ransomware attacks in which, on top of encrypting data, attackers threaten to publish stolen data to demand a ransom. The Maze ransomware group first carried it out systematically at the end of 2019, and it has since become a standard tactic in ransomware attacks. Under the conventional "encrypt and sell the decryption key" model, the attacker's revenue drops to zero once the victim restores from a backup, so by adding data publication as a second axis of extortion, this technique dramatically increases the pressure to pay the ransom.
The Double Extortion Attack Flow
The key point is that data theft is completed before encryption. Attackers dwell inside the network for days to weeks, identify high-value data, stage it, and exfiltrate it before they execute the encryption. By the time encryption is detected, the breach has already happened, so detection effort has to focus on the dwell and exfiltration phase rather than on the encryption itself.
The Evolution of Extortion That Began with Maze
In November 2019, the Maze group published part of the data stolen from the U.S. security company Allied Universal and pressed for payment of a ransom. This was the first large-scale case of double extortion. Maze established a model in which it set up a dedicated leak site (data leak site) and gradually published the data of victims who refused to negotiate.
Seeing the "success" of this technique, other groups imitated it one after another, and since 2020 nearly all major ransomware groups, including REvil, Conti, LockBit, and BlackCat (ALPHV), have adopted double extortion as a standard tactic.
The Evolution into Triple Extortion
"Triple extortion," a further development of double extortion, has also been observed.
1. Encrypting data. The attacker demands a ransom in exchange for the decryption key; this is the basic technique of conventional ransomware.
2. Publishing the stolen data. The attacker threatens gradual disclosure on a leak site, or reporting the breach to the media or regulators.
3. Directly contacting the victim's business partners and customers, or combining the attack with a DDoS attack. This pressures the victim's business continuity from several directions at once.
Why Backups Alone Are Not Enough
In conventional ransomware defense, the accepted wisdom was that "you can recover as long as you have regular backups." With double extortion, however, the threat of a data breach does not disappear even after you restore from a backup. The attacker already holds a copy of the data and threatens to publish it unless the ransom is paid.
| Measure | Effect on encryption | Effect on data leakage |
|---|---|---|
| Offline backup | Effective (recovery possible) | Ineffective (cannot prevent leakage) |
| Network isolation | Limits the scope of damage | Suppresses lateral movement and reduces the amount stolen |
| Encryption of stored data | No effect | Protects stolen data only if the attacker cannot also obtain or use the keys; transparent disk encryption gives no protection against a logged-in attacker |
| DLP (data loss prevention) | No effect | Detects and blocks bulk data transfers to the outside |
| Zero trust | Suppresses lateral movement | Limits accessible data through least privilege |
The Reality of Data Leak Sites
Attack groups operate leak sites on the Tor network and gradually publish the data of victims who refuse to negotiate. They first post the company name and part of the stolen data (screenshots or file lists), and use a countdown timer to display the deadline until all the data is published. This is both psychological pressure on the victim and a way of "making an example" for other potential victims. The published data can be downloaded by anyone, including competitors, criminals, and state agencies, expanding the secondary damage of a data breach.
A Comprehensive Defense Approach
- Identify and classify confidential data and encrypt it at rest with keys that are managed separately from the data (for example in a KMS or HSM) and that a compromised account cannot use. Transparent full-disk or file-system encryption does not help here: an attacker operating through a legitimately logged-in account reads the data in the clear, exactly as the user would. Only data the attacker cannot decrypt loses its value as leverage.
- Detect outbound transfers that are abnormal in volume, destination, or timing. Monitor per-host outbound volume with a SIEM or network DLP, baseline it against each host's normal behaviour, and alert when a host exceeds its baseline by a large factor or sends to a destination it has never used before (file-sharing services, newly registered domains).
- Verify every access, even from inside the network (zero trust). Enforce least privilege and MFA so that a single compromised account reaches only the data its owner needs, which limits both lateral movement and the volume an attacker can collect.
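The outbound-volume monitoring described above, as an added example that is not code from the original page or from any vendor product. It parses constructed proxy/firewall log lines (the line format, hostnames and domains are assumptions made for the demonstration), builds a per-host daily baseline, and flags a host whose volume jumps far above its own norm or exceeds an absolute floor, listing any destination the host has never used before. The baseline is per host on purpose: a backup server that ships gigabytes every night is compared against its own history and stays quiet.

```python
"""Outbound-volume exfiltration detection over sample proxy/firewall logs.

Added example; the log format, hostnames and domains below are constructed for
the demonstration and do not come from any real product or incident.
Line format: <ISO timestamp> src=<host> dst=<domain> bytes_out=<bytes>
"""
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data: fs-01 legitimately ships ~5 GB to the backup target
# every night; ws-017 normally sends a few MB a day, then pushes ~2.3 GB to a
# never-before-seen file-transfer site at 03:00 on 2024-05-04.
SAMPLE_LOGS = """\
2024-05-01T02:10:00 src=fs-01 dst=backup.example.com bytes_out=5000000000
2024-05-01T09:12:00 src=ws-017 dst=mail.example.com bytes_out=2500000
2024-05-01T14:40:00 src=ws-017 dst=crm.example.com bytes_out=1800000
2024-05-02T02:10:00 src=fs-01 dst=backup.example.com bytes_out=5100000000
2024-05-02T10:05:00 src=ws-017 dst=mail.example.com bytes_out=3100000
2024-05-02T16:22:00 src=ws-017 dst=crm.example.com bytes_out=900000
2024-05-03T02:10:00 src=fs-01 dst=backup.example.com bytes_out=4900000000
2024-05-03T11:30:00 src=ws-017 dst=mail.example.com bytes_out=2200000
2024-05-04T02:10:00 src=fs-01 dst=backup.example.com bytes_out=5050000000
2024-05-04T03:17:00 src=ws-017 dst=transfer.example.net bytes_out=1200000000
2024-05-04T03:52:00 src=ws-017 dst=transfer.example.net bytes_out=1100000000
2024-05-04T09:00:00 src=ws-017 dst=mail.example.com bytes_out=2400000
"""


def parse_line(line):
    """Return (timestamp, src, dst, bytes_out) for one log line."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv["dst"], int(kv["bytes_out"])


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def daily_profile(records):
    """Aggregate to {src: {day: bytes_out}} and {src: {day: {dst, ...}}}."""
    volume = defaultdict(lambda: defaultdict(int))
    destinations = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, n in records:
        volume[src][ts.date()] += n
        destinations[src][ts.date()].add(dst)
    return volume, destinations


def detect_exfil(records, day, ratio=5.0, floor=100_000_000):
    """Flag hosts whose outbound bytes on `day` exceed max(ratio * baseline, floor).

    The baseline is the median of the host's daily volume on earlier days, so a
    host that is always noisy (a backup server) is judged against its own norm
    and not flagged. A host with no history is judged against the absolute floor
    only. Each alert also lists destinations the host never used before `day`,
    a strong second signal for exfiltration to a file-sharing or attacker site.
    """
    volume, destinations = daily_profile(records)
    alerts = []
    for src, per_day in volume.items():
        today = per_day.get(day, 0)
        history = [b for d, b in per_day.items() if d < day]
        baseline = statistics.median(history) if history else 0
        if today <= max(ratio * baseline, floor):
            continue
        known = set().union(*(s for d, s in destinations[src].items() if d < day))
        new_dsts = sorted(destinations[src].get(day, set()) - known)
        alerts.append({
            "src": src,
            "day": day.isoformat(),
            "bytes_out": today,
            "baseline": baseline,
            "new_destinations": new_dsts,
        })
    return alerts


def run_sample():
    """Evaluate the constructed logs for 2024-05-04."""
    return detect_exfil(parse_logs(SAMPLE_LOGS), date(2024, 5, 4))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only ws-017 is flagged (about 2.3 GB against a 4 MB median, to a destination it has never contacted), while fs-01's nightly 5 GB backup stays under its own threshold. In production the same logic runs in the SIEM over hourly or daily aggregates; the ratio and floor are tuning knobs, and the first-seen-destination list is what an analyst looks at first when triaging the alert.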
The defense against double extortion is fundamentally a layered one: encryption of stored data with separately managed keys, monitoring for abnormal outbound transfers, and zero-trust access control together cover both axes of the extortion. Please also refer to ransomware defense, data breach response, and introduction to backups.