The rise of double extortion ransomware

[Image: red computer screen reading "RANSOM!" (credit: Shutterstock)]

Back in November 2019, the Maze ransomware strain emerged as the first high-profile case of double extortion ransomware. The gang – famed for its attacks on Cognizant, Canon, and Xerox in recent years – hit Allied Universal, a California-based security services firm, which refused to pay the group’s ransom demand of 300 Bitcoins (approximately $2.3 million at the time).

This saw the Maze hackers increase the ransom request by 50%, publish 10% of the information they exfiltrated, and threaten to use data stolen from Allied Universal in a spam operation. The now-defunct ransomware group gave Allied Universal two weeks to pay up or have the remaining 90% of their stolen data exposed online.

The use of double extortion ransomware picked up from there. For its part, Maze helped some groups experiment with the tactic through its cartel, while other ransomware collectives created data leak sites on their own to put pressure on attack victims that are reluctant to pay up.

What is double extortion ransomware?

Double extortion, also known as “pay-now-or-get-breached” or “name-and-shame”, is an increasingly popular tactic among cyber criminals in which they exfiltrate a victim’s sensitive data before encrypting it. This means that if the ransom isn't paid in time, the criminals will publish the stolen data for all to see, including possible industry competitors, giving the hackers additional leverage to collect ransom payments.

According to research from CipherTrace, double extortion ransomware attacks increased by almost 500% in 2021, with the number of attacks rising nearly 200% quarter over quarter. This surge in popularity can be credited to the fact that this technique enables financially motivated hackers to crank up the heat and pressure organisations into paying extortionate fees to regain access to their data, according to Tracy Cunningham, a security expert at Check Point Software.

“This method adds pressure, with cyber extortionists threatening to publish victims' data; affected organisations face the risk of having sensitive data exposed in the open. Not only does proprietary information – such as intellectual property – run the risk of being leaked, many of these organisations likely also hold the data related to their clients or users,” she tells IT Pro. “Exposing such information also constitutes a violation of privacy laws and subjects victims to financial penalties imposed by regulatory bodies, such as GDPR.”

This added pressure means, ultimately, threat actors see a higher success rate versus traditional attack methods.

“Ransomware actors are turning to double extortion attacks because it increases their likelihood of getting paid,” Matthew Stephen, chief architect at Mitiga, tells IT Pro. “In the past, many companies could rely on backups to get back to business quickly if they were attacked. Today, attackers not only encrypt the data but also exfiltrate it. Even if an organisation has good backups available, the threat of leaking the data motivates many companies to pay the ransom to protect customer data and other sensitive information.”

What are the risks of double extortion ransomware?

Being hit by double extortion ransomware is bad news for businesses of all shapes and sizes, but the leak of sensitive data and potential financial penalties aren’t the only consequences. As Claire Tills, senior research engineer at Tenable, tells IT Pro, hackers – such as the LAPSUS$ group – often turn to this technique in a bid to throw more of a spotlight onto the incident.

“Double extortion represents considerable knock-on effects,” Tills says. “The double extortion tactic is often used to bring outside attention and pressure to an incident. While an organisation is attempting to get backups online and restore services, it will also have to field reputational and customer service incidents. Threat actors are banking on those pressures coercing organisations to pay.”


Reputational damage is another potential consequence of becoming a victim of a double extortion ransomware attack, both as a result of the exposure of sensitive information on a name-and-shame leak site and as a result of regulatory fines if it’s revealed that the business failed to properly safeguard customer data.

Jen Ellis, vice president of Community and Public Affairs at Rapid7, tells IT Pro: “For example, if stolen data reveals a lack of appropriate privacy controls, leaking the data could create significant reputational impact and loss of trust, and could also result in regulatory action or legal liability. As such, victims of attack may be more likely to pay to avoid leaks, when they may have refused to pay for being locked out of their systems. If possible, though, an attacker will push for a payment for both.”

Guido Grillenmeier, chief technologist at Semperis, adds: “Likewise if a business's infrastructure is completely encrypted, most struggle to get back on their feet quickly – this usually has a direct impact on customer satisfaction. Those businesses who are not well prepared to quickly recover their environment from scratch will struggle with the choice to pay a ransom for the decryption key that may promise faster return to business.”

How to protect against double extortion ransomware

Unfortunately, there's no single magic-bullet defence against double extortion ransomware. This means that, in order to tackle double extortion attacks, organisations need to ensure they are equipped with the knowledge of the latest techniques used by cyber criminals.

“With over 95% of attacks via email, organisations need to continually ensure that employees are educated in the risks of phishing attacks and online scams,” Camilla Currin, channel manager at Trend Micro, tells IT Pro. “The flexibility of work-from-home (WFH) continues to be a real challenge with the use of home devices and networks with varying degrees of security. WFH best practices need to be in line with company policies to minimise the risks that come with remote working setups.

“From an overall organisation’s security perspective, performing regular vulnerability assessments, conducting patching or virtual patching on operating systems and applications as well as updating software and applications to the latest versions are a few ways in which organisations can protect themselves.”

This advice is echoed by Cunningham, who says businesses need to ensure they have robust security protocols in place across the entire organisation.

“To protect themselves, IT teams should be vigilant for any signs of a Trojan on their networks, regularly update their antivirus software, proactively patch relevant remote desktop protocol (RDP) vulnerabilities and utilise two-factor authentication (2FA) to protect their RDP servers. In addition, organisations should also deploy dedicated anti-ransomware solutions that constantly monitor for ransomware-specific behaviours and identify illegitimate file encryption, so that an infection can be prevented and quarantined before it takes hold.

“With these protections in place, organisations can be better prepared for when they are attacked as in today’s climate it is a matter of when not if.”
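As an added, constructed illustration of the behavioural monitoring Cunningham describes (this is not code from any vendor or person quoted here), the Python below scores host telemetry for the two stages of a double extortion attack: an unusually large outbound transfer to a single destination (the exfiltration stage) and a burst of high-entropy file writes (the encryption stage). The thresholds, host names and sample events are assumptions chosen for the example.

```python
"""Toy two-stage double-extortion detector over constructed host telemetry."""
import math
from collections import defaultdict

# Assumed thresholds; a real deployment would baseline these per environment.
ENTROPY_THRESHOLD = 7.0        # bits/byte; encrypted data sits close to 8.0
WRITE_BURST = 5                # high-entropy writes from one host in the window
EXFIL_BYTES = 500 * 1024 ** 2  # 500 MiB outbound to one destination

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is ~4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyse(events):
    """Return {host: [alert, ...]} for hosts showing exfiltration or encryption signs.

    Each event is a dict with 'type' of 'net' (host, direction, dst, bytes)
    or 'file' (host, path, content).
    """
    outbound = defaultdict(int)    # (host, dst) -> bytes sent
    hot_writes = defaultdict(int)  # host -> count of high-entropy writes
    for e in events:
        if e["type"] == "net" and e["direction"] == "out":
            outbound[(e["host"], e["dst"])] += e["bytes"]
        elif e["type"] == "file" and shannon_entropy(e["content"]) >= ENTROPY_THRESHOLD:
            hot_writes[e["host"]] += 1
    alerts = defaultdict(list)
    for (host, dst), total in outbound.items():
        if total >= EXFIL_BYTES:
            alerts[host].append(f"possible exfiltration: {total} bytes to {dst}")
    for host, n in hot_writes.items():
        if n >= WRITE_BURST:
            alerts[host].append(f"possible encryption: {n} high-entropy writes")
    return dict(alerts)

# Constructed sample telemetry (hypothetical hosts and addresses, not a real incident).
HIGH = bytes(range(256)) * 4                      # entropy 8.0 bits/byte
LOW = b"Quarterly results: revenue up 4 percent\n" * 16
SAMPLE_EVENTS = (
    [{"type": "net", "host": "ws-17", "direction": "out", "dst": "203.0.113.9", "bytes": 120 * 1024 ** 2} for _ in range(5)]
    + [{"type": "file", "host": "ws-17", "path": f"/data/doc{i}.xlsx.locked", "content": HIGH} for i in range(6)]
    + [{"type": "net", "host": "ws-02", "direction": "out", "dst": "198.51.100.4", "bytes": 3 * 1024 ** 2},
       {"type": "file", "host": "ws-02", "path": "/data/report.docx", "content": LOW}]
)

if __name__ == "__main__":
    for host, found in analyse(SAMPLE_EVENTS).items():
        print(host, found)
```

Because the exfiltration stage precedes encryption, an alert on the outbound-volume rule gives defenders a chance to act before backups are the only remaining control.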

Carly Page

Carly Page is a freelance technology journalist, editor and copywriter specialising in cyber security, B2B, and consumer technology. She has more than a decade of experience in the industry and has written for a range of publications including Forbes, IT Pro, the Metro, TechRadar, TechCrunch, TES, and WIRED, as well as offering copywriting and consultancy services. 

Prior to entering the weird and wonderful world of freelance journalism, Carly served as editor of tech tabloid The INQUIRER from 2012 to 2019. She is also a graduate of the University of Lincoln, where she earned a degree in journalism.
