New Ransomware Tactic Called “Double Extortion” Discovered

Double Extortion Featured

As we’ve covered before, malware developers have moved their focus away from doing periodic damage and into making a career of it. There was a big surge in ransomware around 2017 when WannaCry started making the rounds and showing budding hackers what could be possible.

Since then, however, cybersecurity has tightened around ransomware. Companies rose up to combat the ransomware attacks by cracking open encryption and creating data backups. Windows 10 even has a special ransomware protection setting built into it these days. Now that everyone has backed up their data to respond to ransomware attacks, the threat has been reduced.

In response, malware developers have created a new strain of ransomware: the double extortion strain. This method attacks businesses by adding an extra layer that renders a backup potentially useless.

How Does the New Attack Work?

As you may guess from the name, “double extortion” works by attacking the business twice over. It still uses a database-encryption attack to extort money, but it adds an extra initial attack to ensure a backup doesn’t render the attack useless.

First, before the malware developer attacks with ransomware, they breach in the company’s database. They extract as much data as they can and store it on their servers. After that, they conduct the ransomware attack as normal.

Double Extortion Data Theft

This extra step turns a regular ransomware attack into something businesses can’t ignore. With the data in the hacker’s hands, they can add additional terms to the ransomware attack. For example, if the hacker managed to get ahold of sensitive personal information, they can demand payment to stop the hackers from leaking the information to the public.

The hackers can also use this position of power to slowly apply pressure to someone who won’t pay. For example, they could begin releasing the data on the dark web in small amounts to prove to the victim that they actually have the data.

This strategy defeats any backups the user has. Even if the target can easily recover the data that was encrypted, the threat of a data leak will still do much damage. This is what makes a double extortion attack so deadly, as it defeats any ransomware protection the target has set up.

How Do Companies Protect Against this New Attack?

The security company that broke this news, Checkpoint, recommends reading their article on how to protect yourself from a ransomware attack. The article handles regular ransomware precaution methods, so the first point of making backups isn’t so useful in light of double extortion tactics.

However, the other points are still worthwhile. The best way to prevent this attack is to not allow hackers access to the databases in the first place. Without the data, the hacker can’t make ransom demands.

Double Extortion Medical

Unfortunately, due to the coronavirus outbreak, some hackers have targeted hospitals to capitalize on the chaos. As such, healthcare organizations have to step up their defenses to protect themselves from this new strain of ransomware.

A New Era of Ransomware

The cybersecurity world stepped up to stop ransomware, so the ransomware developers have raised their game. Now, a malicious agent will also extract sensitive data to use as leverage for their payment. It’s essential that businesses such as hospitals ensure that no rogue agents get in whatsoever, as even a backup won’t fully solve this new threat.

Are you worried about this new wave of attack, given how vulnerable hospitals are right now? Let us know below.

Simon Batt Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.


  1. Backups are will always be a fundamental measure in securing data. There are many reasons for making backups, other than malware. Natural disasters still occur. So do power outages and disk crashes.

    “It’s essential that businesses such as hospitals ensure that no rogue agents get in whatsoever”
    With Microsoft and Google getting into centralized storage of medical data, the chances of that data being compromised just has increased. Whether by them or hackers is immaterial.

    Centralized storage of data, while convenient, creates bigger and bigger targets for hackers and malware. Instead of having to attack/compromise millions of databases, bad agents now only have to attack thousands or maybe only hundreds. And it is fallacy to think that centralized data can be protected more easily. The same people tasked with securing millions of smaller databases will be tasked with protecting the hundreds of huge databases. So why should anybody expect better results?

  2. Literally, what needs to be done is that organizational data needs to be stored on air-gapped systems. Hardware needs to be designed that extracts data from that storage, encrypts it and then delivers it to a workstation where it’s needed. After it’s used, it would then be deleted (actually, overwritten -erased.)

    Because of the kind of evil done by the villains who write and use ransomware, I can also see the day coming when use of the internet by organizations will simply come slowly to an end.

    1. “Air-gapped” means self-contained with absolutely no access, at any time, to and from the outside world. Once you design hardware/software that accesses data across the air gap, you nullify the security of that air gap. The air-gapped database becomes just a mundane online one with all the vulnerabilities that come with it. Actually, any type of an access from outside, such as copying the data to any kind of recording device, can offers a vector to compromising the air-gapped system.

Comments are closed.