What Is Triple Extortion Ransomware and How to Prevent It

Jan 26, 2022
3 min read

Ransomware is not something new. It has its own historical existence but it's the threat actors' strategies, methods, and procedures (TTPs) that have advanced to new levels of complexity in recent years. With that expansion has come an increase in the challenge of protecting networks from costly attacks like the recent DarkSide attack on the Colonial Pipeline. The FBI confirmed in a recent statement that the ransomware attack on the Colonial Pipeline network was carried out by a professional cybercriminal outfit called DarkSide. DarkSide employs a Ransomware-as-a-Service (RaaS) model, relying on a partner program to carry out its cyber attacks. As a result, little is known about the true perpetrator of the attack at this time. Ransomware has always focused on encryption, there is a new addition with the exfiltration and threatened exposure of sensitive data in a “double extortion” attack. Threat actors must continuously come up with new strategies to increase the effect of a successful strike. One of the most recent methods is known as "triple extortion," which adds another option to extort money from targets.

What is Triple Extortion Ransomware?

Traditionally, ransomware attacks included a single "step" in which a victim was confronted with a ransom demand in exchange for the decryption key to free their systems and data. However, since 2019, when ransomware strains like DoppelPaymer gained the capacity to simultaneously lock down computers and exfiltrate data, halting a victim's operations has merely been the first step on the extortion ladder. The fear of stolen data being exposed online has been a popular point of pressure for criminals aiming for more ransom payments, a practice known as double extortion. More than 70% of ransomware attempts now exfiltrate data, demonstrating how quickly this type of attack approach has become the standard.

Threat actors have lately introduced another layer to ransomware operations based on this tactic. This latest ransomware evolution means that a ransomware attack does not end with the initial target. Ransom demands can now be made upon a victim's clients or suppliers under triple extortion. At the same time, new pressures are added to the mix, such as DDoS assaults or direct leaks to the media.

DDoS has long been linked to only one type of extortion: Ransom Denial of Service (RDoS). This is a sort of assault in which threat actors initiate a denial-of-service (DoS) attack against a victim's network and then demand payment in Bitcoin to halt. However, like with Avaddon, combining this with ransomware is rather new. It validates the underground economy's growth by allowing threat actors to rent attack services or keep associates on the payroll for extra pressure when needed.

Who Can be Affected by Triple Extortion Ransomware?

Companies and organizations that store client or customer data, as well as their own, are the most obvious targets for ransomware operations that go beyond single or double extortion. Healthcare organizations are the main targets in this regard.

As a result, the first known instance of triple extortion occurred late last year when hackers acquired access to Vastaamo, a Finnish physiotherapy provider. Threat actors have demanded money directly from the thousands of clients of Vastaamo whose records they were able to exfiltrate, rather than contacting the provider for a ransom.

Any corporation that directly or indirectly owns important data, or is connected to one, is exposed to triple extortion. Ravil's affiliates demonstrated a new type of triple extortion earlier this year when they attacked Apple after their first victim, hardware supplier Quanta, refused to pay up. Cybercriminals utilized the fear of a key supplier being hacked as leverage on their initial victim in this case. The reputational harm that such an assault may cause can be disastrous for firms in practically any industry.

How to Prevent Ransomware Attacks?

Detection and response against ransomware attacks are at best ineffective, especially since many assaults wait until they reach the domain controller to launch. Detection-centric technologies will only have warned businesses of attacks that are already ongoing at that moment.

The best course of action is to concentrate on prevention. Taking efforts to ensure that security flaws are addressed as quickly as feasible, training the staff on security awareness, and ensuring that fundamental security measures such as least privilege and multi-factor authentication have already been implemented.

Furthermore, because the majority of security breaches begin at the endpoint, safeguarding these is a good place to start. Morphisec Guard was created to protect your organization's endpoints against file-less ransomware distribution techniques that bypass all antivirus solutions.

Guard and the rest of the Morphisec Breach Prevention Platform, when used in conjunction with Windows native security measures, hardens endpoints against attack without interfering with workers' ability to do their duties. It is time to cease reacting to threat actors and instead concentrate on preventing assaults from spreading. Only then can businesses lower the likelihood of a successful ransomware assault.

Without a question, today's problems necessitate full-spectrum solutions, but nothing will transform the threat landscape until governments throughout the world take bold action. No ransomware task force will be able to solve the problem until we are willing to confront international loopholes and capture criminals who operate with impunity from particular parts of the globe.