Double extortion is a type of ransomware attack. In this scenario, threat actors hold an organization’s data hostage and demand payment. The ransom amount can vary widely, and threat actors are more likely to demand very high sums—millions of dollars and up—if they believe their victim has no other choice but to comply.
Typically, a double extortion attack includes an encryption-based ransomware attack and an additional data exfiltration attack. Once they have access to sensitive data, threat actors can threaten to publish it, share it with other hackers, or harass users directly.
Making multiple threats helps attackers improve their chances of successfully obtaining a ransom sum. If the victim’s security controls neutralize one tactic, attackers simply move on to the next one.
In a traditional ransomware attack, cybercriminals hold mission-critical data hostage by encrypting it. Then they demand money in exchange for a decryptor that makes the data usable again. This kind of attack surged in frequency during the 2019-2023 COVID pandemic.
Enterprise security leaders responded by implementing secure backups that protected their data from ransomware threats. When attackers encrypted the data, security teams simply recovered it from their backups and continued business as usual.
Cybercriminals now take their ransomware attacks one step further. By exfiltrating the data and analyzing it, they can identify new ways to extort victims who use backups to neutralize ransomware damage. Publishing data or harassing victims puts pressure on companies to pay, even if they successfully block the ransomware attack itself.
Here is a step-by-step example of a typical double extortion attack:
Sometimes, double extortion attackers threaten to publish stolen user data to turn public opinion against the victim, claiming they did too little to protect their users. In other cases, they contact users directly and harass them, or use their sensitive data to steal their identities.
In either case, the initial ransomware threat is just the first phase of a more elaborate attack. This kind of attack is becoming increasingly popular as security leaders become better equipped to mitigate simple ransomware threats.
Since double extortion attacks involve ransomware, securing sensitive data with immutable backups should be an important part of your prevention strategy. However, this won’t prevent the data exfiltration element of the attack.
Data loss prevention (DLP) technology and well-configured next-generation firewalls can help prevent attackers from exfiltrating sensitive data from your network. Designing your network architecture around zero trust principles also makes it harder for attackers to conduct lateral movement and target sensitive data.
However, preventing data loss tends to be more difficult than detecting and responding to exfiltration attempts. Strict prevention-based policies can impact usability in unexpected ways and increase shadow IT risks.
Organizations that gain visibility into network traffic flows and security operations can catch double extortion attempts before threat actors have a chance to launch the extortion phase itself.
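As an added illustration of what that traffic-flow visibility can catch (example code written for this page, not Lumifi's or Shieldvision's own logic): the script below aggregates constructed flow-summary records per internal host, builds a per-host baseline of outbound bytes to external addresses from a prior period, and flags hosts whose current outbound volume sits well above that baseline, which is the shape of bulk data exfiltration that precedes a double extortion demand. The internal address ranges, the sigma multiplier and the byte floor are assumptions to tune to your own environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summaries: (timestamp, src_ip, dst_ip, bytes_sent). Not real data.
BASELINE_FLOWS = [
    ("2024-05-01T10:00:00Z", "10.0.1.5", "203.0.113.10", 20_000_000),
    ("2024-05-01T11:00:00Z", "10.0.1.6", "203.0.113.10", 25_000_000),
    ("2024-05-01T12:00:00Z", "10.0.1.7", "198.51.100.7", 18_000_000),
    ("2024-05-01T13:00:00Z", "10.0.1.8", "198.51.100.7", 22_000_000),
]
TODAY_FLOWS = [
    ("2024-05-02T02:14:00Z", "10.0.1.5", "203.0.113.10", 35_000_000),  # large off-hours upload
    ("2024-05-02T09:30:00Z", "10.0.1.6", "10.0.2.20", 80_000_000),     # internal copy, ignored
    ("2024-05-02T10:05:00Z", "10.0.1.7", "198.51.100.7", 5_000_000),
    ("2024-05-02T10:40:00Z", "10.0.1.7", "198.51.100.7", 4_000_000),
    ("2024-05-02T11:00:00Z", "10.0.1.8", "203.0.113.10", 15_000_000),
]


def is_external(ip):
    """True when the address falls outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_by_host(flows):
    """Sum bytes each internal host sent to external destinations."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if not is_external(src) and is_external(dst):
            totals[src] += nbytes
    return dict(totals)


def exfil_candidates(flows, baseline_flows, sigma=3.0, floor_bytes=10_000_000):
    """Hosts whose outbound volume exceeds mean + sigma*stdev of the per-host
    baseline, and a byte floor so tiny baselines do not alert on noise."""
    vals = list(outbound_by_host(baseline_flows).values())
    limit = max(mean(vals) + sigma * pstdev(vals), floor_bytes) if vals else floor_bytes
    return sorted(host for host, b in outbound_by_host(flows).items() if b > limit)


if __name__ == "__main__":
    print("exfiltration candidates:", exfil_candidates(TODAY_FLOWS, BASELINE_FLOWS))
```

In production the same per-host totals would come from NetFlow/IPFIX or NDR exports, and the alert would feed the SIEM alongside endpoint telemetry rather than stand alone.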
Implementing the SOC Visibility Triad is one of the best ways to ensure rapid, accurate detection of data exfiltration attempts. Combine the following three technologies to reliably alert security teams when sensitive data leaves the network:
Facing a double extortion attack can be much more complex than a typical ransomware scenario. In most cases, cybercriminals will try to leverage your organization’s ethical responsibility to its users to force payment.
By threatening your organization’s users with identity theft and other criminal acts, cybercriminals hope to maximize the pressure to pay. However, there is no guarantee attackers will delete the data they stole upon payment.
In fact, threat actors have no reason to avoid attacking your users anyway. They’ve already stolen the data, after all. This is why the FBI strongly advises against paying.
Many of the strategies for recovering from ransomware attacks apply just as well to double extortion scenarios. Preparing ahead of time by taking out a cyber risk insurance plan can mean the difference between a positive security outcome and disastrous consequences.
Preparing for sophisticated double extortion attacks can be a daunting prospect. Attackers may gain access to your network in a variety of ways and then manipulate your users’ data against you.
Deploy a comprehensive set of best-of-breed security technologies to detect and respond to advanced cyberattacks with Lumifi’s help. Our specialists will provide you with on-demand product expertise with 24x7 monitoring and incident response services powered by Shieldvision, our proprietary SOC automation platform.
We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.