Ransomware and Double Extortion

As technology advances, so do the methods used by cybercriminals to exploit it. In 2019, the Maze cyber attacker group infiltrated integrated security services firm Allied Universal with malware. At first, it seemed like a standard ransomware attack—albeit one with an approximately $2.3 million payment demand. But when Allied Universal refused to pay up, the cybercriminals responded by publishing a selection of stolen data online, upping the ransom by 50%, and threatening to publish the rest of it if the ransom wasn’t paid. It was the first known high-profile incident of something called “double extortion.” While ransomware and double extortion are similar, double extortion takes it one step further than ransomware and raises the stakes for victims—particularly for those who are governed by strict compliance requirements. Let’s examine both types of attacks and what you can do to protect yourself and your data.

Ransomware vs Cyber extortion

Ransomware: Encrypting Data for Ransom

Ransomware is malware that encrypts a victim's data or denies access to their systems and then demands payment in exchange for regaining access. The victim loses access to their data or systems until they pay the ransom, usually in some kind of cryptocurrency because it is difficult to trace. It’s a digital hostage situation: the attacker holds your data hostage and agrees to release it safely to you if you pay the ransom.

Double Extortion: Raising the Stakes with Data Exposure

Double extortion is a tactic that takes ransomware to the next level. After gaining access to an organization’s systems, the attackers will execute a traditional ransomware attack by encrypting data so it is inaccessible and demanding a ransom.

However, during a double extortion attack, the attacker will also steal, or exfiltrate, data. Then, they’ll threaten to post the data publicly unless the victim pays an additional ransom.

Attackers use double extortion for a variety of reasons, but one of the main ones is that they have gotten wise to the fact that at least some organizations can restore encrypted data quickly enough that they don’t need to pay the ransom. For many companies, the threat of public exposure convinces them to pay the ransom even if they have another way to recover their encrypted data. Having stolen data released to the public could have legal and reputational implications for almost any organization. But certain industries, such as banking, healthcare, and government, along with any organization that handles sensitive data under compliance regulations protecting customer (or patient) data, could face even steeper legal and reputational consequences if their stolen data were released to the public.

|        | Ransomware | Double extortion |
|--------|------------|------------------|
| Why?   | Extort money from the victim | Extort money from the victim |
| What?  | Malware that encrypts files or systems | Stolen data |
| Impact | Can cause significant damage to the victim's files or system; downtime; loss of productivity; damage to reputation; financial loss | Can result in increased damage to reputation; legal and regulatory consequences; financial loss |

How to protect yourself from ransomware and double extortion

Protecting yourself from ransomware and double extortion requires a combination of preventive measures and a response plan in case an attack does occur. Here are some measures you can take to protect your organization:

  • Security: Keep your software up to date, use antivirus software, and implement strong passwords and multi-factor authentication to help limit the damage from phishing attacks that can install malware on your system.

  • Education: Learn to recognize phishing and other social engineering attacks. Be cautious when opening attachments or clicking on links from unknown senders.

  • Backup: Regularly back up your data and keep a copy in a secure location offline.

  • Planning: Create a response plan that outlines the steps you will take in case of ransomware and/or a double extortion attack.

Rubrik provides comprehensive solutions to help you recover from these types of attacks. Our immutable backups cannot be changed, encrypted, or deleted by anyone, including cybercriminals attempting a ransomware attack. Additionally, Rubrik automates backups, ensuring you always have an up-to-date copy of your data for quick recovery in case of an attack.

We secure data wherever it lives, across enterprise, on-prem, cloud, and SaaS environments. If an attack does occur, our rapid investigation and recovery capabilities allow you to quickly identify the blast radius and restore your data from any point in time, minimizing downtime and protecting both your bottom line and your reputation. And, through our recently announced partnership with Zscaler, we are building support for our customers to identify and stop sensitive data exfiltration.

Ransomware and double extortion attacks share some similarities, but also some key differences. Find out more about how you can protect yourself against both kinds of attacks at Rubrik.com.

SAFE HARBOR STATEMENT: Any unreleased services or features referenced in this document are not currently available and may not be made generally available on time or at all, as may be determined in our sole discretion. Any such referenced services or features do not represent promises to deliver, commitments, or obligations of Rubrik, Inc. and may not be incorporated into any contract. Customers should make their purchase decisions based upon services and features that are currently generally available.