Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion

The danger of being hit by a ransomware attack is scary enough, but in many cases, criminals can still extort your business after the ransom has been paid and things have seemingly returned to normal. Double and even triple extortions are becoming increasingly common, with ransomware gangs now demanding additional payments to keep the private information captured in their attacks from being leaked. These added threats are driving up the collective cost of ransomware, which is forecast to reach $265 billion by 2031, according to some sources.

In traditional ransomware attacks, the attackers hijack and encrypt valuable data to force organizations to pay a ransom in exchange for the safe restoration of data and network functionality. CISOs have responded by adopting stronger cyber protections, such as creating secure offsite backups and segmenting their networks, but attackers have quickly evolved to subvert these methods.

One Extortion, Two Extortion, Three

The cat-and-mouse game that is ransomware took an ugly turn over the past year or so as attackers realized the value that organizations put on not releasing their sensitive information publicly: The brand and reputation hit can sometimes be just as damaging as being locked out of files and systems. Capitalizing on this unfortunate reality, attackers began adding the threat of leaking sensitive data as a follow-up to successful or even unsuccessful ransomware attacks when organizations were able to use backups to restore their systems.

With double extortion being so successful, attackers figured: Why stop there? In cases of triple extortion, attackers threaten to release data about downstream partners and customers to extract additional ransom payments, potentially putting the initial organization at risk of lawsuits or fines.

Some bad actors have even created a search function that allows victims to find leaked data about partners and clients as proof of the data's damaging value. A ransomware operation known as ALPHV/BlackCat may have started this trend in June, when cybercriminals posted a searchable database containing the data of nonpaying victims. The BlackCat gang went as far as to index the data repositories and give…