Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion

To stay safer, restrict access to data, monitor for breaches in the supply chain, track relevant data that is sold on the Dark Web, and implement best safety practices.

Rob Jenks, Senior Vice President, Corporate Strategy, Tanium

December 23, 2022

5 Min Read
Crime scene tape over a laptop
Source: Andreas Prott and Alamy Stock Photo

The danger of being hit by a ransomware attack is scary enough, but in many cases, criminals can still extort your business after the ransom has been paid and things have seemingly returned to normal. Double and even triple extortions are becoming increasingly common, with ransomware gangs now demanding additional payments to keep the private information captured in their attacks from being leaked. These added threats are driving up the collective cost of ransomware, which is forecast to reach $265 billion by 2031, according to some sources.

In traditional ransomware attacks, the attackers hijack and encrypt valuable data to force organizations to pay a ransom in exchange for the safe restoration of data and network functionality. CISOs have responded by adopting stronger cyber protections, such as creating secure offsite backups and segmenting their networks, and attackers have quickly evolved to subvert these methods. 

One Extortion, Two Extortion, Three

The cat-and-mouse game that is ransomware took an ugly turn over the past year or so as attackers realized the value that organizations put on not releasing their sensitive information publicly: The brand and reputation hit can sometimes be just as damaging as being locked out of files and systems. Capitalizing on this unfortunate reality, attackers began adding the threat of leaking sensitive data as a follow-up to successful or even unsuccessful ransomware attacks when organizations were able use backups to restore their systems.  

With double extortion being so successful, attackers figured: Why stop there? In cases of triple extortion, attackers threaten to release data about downstream partners and customers to extract additional ransom payments, potentially putting the initial organization at risk of lawsuits or fines.  

Some bad actors have even created a search function that allows victims to find leaked data about partners and clients as proof of the data's damaging value. A ransomware operation known as ALPHV/BlackCat may have started this trend in June, when cybercriminals posted a searchable database containing the data of nonpaying victims. The BlackCat gang went as far as to index the data repositories and give tips on how to best search for information, as if it was providing customer service. These kinds of leaks not only raise ransom costs for victims, but they send a clear message to those who think they are clever enough to avoid paying the ransom.

Guarding Against Multiple Extortion Attempts

For CISOs who want to become more proactive in safeguarding their organizations against such extortion events, the first step is monitoring for breaches within their supply chains and corporate relationships, while tracking relevant data that is sold on the Dark Web or released in breach dumps. 

Regular backup practices provide a strong initial defense against a standard ransomware attack, but backups alone are no longer enough. Because criminals have recognized that backups are a standard option to avoid payment, they will seek to corrupt the backups, in addition to threatening future leaks. This growing problem has created a need for offline backups and out-of-band incident communications: Any system connected during an incident — such as email — should no longer be trusted.  

The trouble with double or triple extortion attempts is that even if the initial pay-for-decryption ploy is unsuccessful (because an organization was able to use backups), the attackers may still gain access to sensitive data and threaten to leak it. These attacks highlight the need to prioritize the protection of the most critical data. 

Best Practice Defenses

The only true defense against double and triple extortion is ensuring that attackers don't get access to the most-sensitive information.  

The top priority should be to categorize critical data so that when malicious actors do get past the first lines of defense, they can't steal the most valuable items in the vault. This oversight process involves restricting who has access to data and what tools directly interact with it. The fewer access points, the easier it is to secure the data.  

Some other best practices include:  

  • Understanding where your data lives and adopting solutions with near-real-time alerts that show when sensitive data is saved, transferred, or stored insecurely. When you focus your efforts to protect your most-critical information, you help limit alert fatigue and keep a closer watch on exactly who and what interacts with that data.

  • Staying on top of the dynamic risks associated with new devices entering your network when employees get onboarded or when devices associated with former employees should have access or credentials removed.

  • Establishing a baseline understanding of "normal behavior" in your environment so you have a better sense when something untoward is afoot.

Recommended Post-Breach Behavior

If you still experience a breach, make sure you limit attackers' chances of accessing private data by:  

  • Vigilantly changing used passwords that may be associated with compromised systems. 

  • Verifying that breach information comes from a legitimate source, as compromised emails may seem official when they are, in fact, fraudulent.

  • Ensuring recovery efforts go beyond "wipe and reimage" to include thorough checks that find residual signs of compromise.

  • Identifying the initial access points that were breached to avoid reintroducing the attack vector during recovery efforts.

The crippling effects of a ransomware attack can be devastating for any business. But now the stakes are much higher due to the expanded attack surface that threatens a company's extended ecosystem of partners, customers, and investors. As a result, all organizations need to develop a game plan to defend their data and protect themselves not only from the initial ransomware attacks, but from double and triple ransomware ploys as well.

About the Author(s)

Rob Jenks

Senior Vice President, Corporate Strategy, Tanium

As Senior Vice President of Corporate Strategy, Rob Jenks leads Tanium's business development and ecosystem efforts. Rob is focused on advancing business-critical relationships across technology alliances and channel partners, driving new ways Tanium’s real-time, accurate data can be leveraged, and identifying new market opportunities.

Prior to joining Tanium, Rob served as Vice President of Strategy and Alliances at and led the Low Carbon Economics service line at McKinsey & Company within the Energy Practice.

Rob has served on advisory boards for early-stage fintech and edtech software startups. Rob received a Ph.D. in Physics from Harvard University, an M.Phil. in the History of Science from Cambridge University, and a BA in Physics from Williams College.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights