Almost hand-in-hand with the growth of RaaS has been the expansion of the extortion ecosystem. As ransomware groups saw a drop in the number of victims willing to pay a ransom to decrypt their files, the attackers had to go to more extreme lengths to wrest payment from their victims. As discussed on the "History of Ransomware" page, MAZE was the first ransomware group to create an extortion site for stolen files, but other groups quickly followed suit, to the point where it’s unusual for a ransomware group to lack an extortion site. The image below shows an example.
Double extortion isn’t enough. Ransomware groups have expanded the extortion ecosystem in ways designed to maximize their chance of getting a ransom payment from victims. Ransomware actors have threatened to launch DDoS attacks against victims who refuse to pay, have used call centers to call customers of ransomware victims to try to get those customers to convince the victims to pay, and have even attempted to blackmail corporate executives. In addition, ransomware groups routinely try to find information about cyber insurance policies during the reconnaissance phase of the ransomware attack. Ransomware actors often cite these policies during negotiations.
Several ransomware groups have threatened to sell information about the ransomware attacks to stock markets or unscrupulous traders who could use the information to short victim companies’ stock.
And ransomware groups are just getting started. Paying a ransom continues to be frowned upon and, some have argued, should be illegal. As a result, ransomware groups have to go to greater lengths to convince organizations that not paying a ransom is going to be more expensive than paying the ransom and suffering the associated consequences.
In fact, in September 2021, several ransomware groups took these threats to the next level by threatening to delete the files and decryption key of any victim that called law enforcement or brought in a ransomware negotiator. The screenshot above shows a notice posted to the DoppelPaymer ransomware extortion site, threatening to do just that. DoppelPaymer is just one example of a ransomware group doing this; others include Grief, BlackMatter, and REvil.