For the longest time ransomware attackers stuck to extorting ransoms by encrypting the files of victims in return for an “unlock” key.
As backup and disaster recovery made that less effective, around 2019 criminals turned to ‘double’ extortion—the tactic of threatening to publicly release data stolen during attacks.
Now it seems ransomware gangs have rapidly adopted a third maneuver: using stolen data to inform or extort the victim organization’s customers and clients. In effect, this is triple extortion.
It’s not yet clear how common this tactic is, but clues are starting to emerge in vendor surveys that its use is spreading. Does this matter? Arguably yes, because if it were to become more widespread this would extend the business risk from ransomware attacks from weeks or months to years and possibly decades.
In other words, relatively modest or unreported ransomware attacks today could presage much more serious events in the future.
According to a recent survey by security vendor Venafi of 600 IT decision makers in Europe and the United States, 26% admitted suffering a successful ransomware attack during 2021, of which 83% involved attempted double extortion, triple extortion, or a mixture of the two.
Threats of triple extortion specifically were an element of 38% of successful attacks. Overall, 8% of victims refused to pay and were later aware that they had suffered triple extortion attacks in the aftermath.
However, it’s not clear that paying a ransom is any protection, regardless of the type of extortion. Of those refusing to pay a ransom demand, 16% had their data exposed on the dark web. Ironically, they were no worse off than those who paid, 18% of whom had their data exposed anyway.
“The bad news is that attackers are following through on extortion threats, even after the ransom has been paid,” said Venafi’s president of threat intelligence, Kevin Bocek. “This means CISOs are under increased pressure because a successful attack is much more likely to create a full-scale service disruption that affects customers.”
Overall, 65% agreed that triple extortion made it harder to refuse a ransom demand.
While this survey is only one vendor’s assessment of the growth in triple extortion, it’s in these types of private statistics that new trends in ransomware often leave their first traces.
A notorious example of triple extortion was the targeting of the Finnish psychotherapy company Vastaamo in October 2020. After stealing the patient records of up to 30,000 people, the attackers contacted these people by email demanding a €200 ($220 USD) ransom to prevent sensitive personal data from being made public.
It was later revealed that the breach had happened in two stages, in 2018 and 2019, and was kept secret at the time. Whatever the reason for that reporting delay, it underlines an important feature of triple extortion—it can happen at any point in time after a successful compromise.
It doesn’t matter that the original attack was resolved without a further demand being made. If the data has leaked to the dark web, it can be repurposed by attackers for a new double or triple extortion attack months or years later.
Instead of conducting ransomware attacks, a new class of predatory criminals might buy stolen data and try their luck. If so, it could be that triple extortion is not simply another ransomware technique, but instead the blueprint for its future.