Double extortion ransomware: Pay now or get breached

July 29, 2021 by Dan Virgillito

During the past few years, the ransomware that cybercriminals use to carry out attacks has grown steadily more sophisticated. The latest ransomware threat causing problems for targets involves a hybrid tactic referred to as pay-now-or-get-breached or “double extortion.”

According to the cyber-risk firm Digital Shadows, attackers increasingly adopted this unique attack tactic in 2020. And new and lesser-known ransomware groups are expected to leverage it this year to make a name for themselves.

So what exactly is double extortion ransomware, and how does it work? Let’s find out.

What is double extortion ransomware?

Double extortion ransomware is an attack tactic in which a cyber gang infiltrates a target’s network, steals large volumes of sensitive data and then deploys ransomware to encrypt files. The name double extortion comes from what the attackers do next.

Having taken the data, the attackers threaten to publish it unless the victim pays a ransom within the designated time frame. They also publish a sample of the victim’s data to prove they are serious. This increases the pressure on victims to pay while exposing them to penalties from regulators for the data breach.

While many companies are just learning about this attack tactic, it’s been around since Q4 2019. Maze ransomware was the first high-profile version of the pay-now-or-get-breached ransomware. Later, other strains followed suit.

In a security landscape update for H1 2021, F-Secure researchers stated that nearly 15 different ransomware families discovered in 2020 were stealing the data of their targets and threatening to disclose it by the end of the year. Examples of ransomware families using this ransomware technique include Clop, Ragnar Locker, Doppelpaymer and ChaCha.

How double extortion compares to standard ransomware attacks

For victims of a standard ransomware attack, a resolution exists in the form of a data backup. However, restoring information and files from a backup won’t mean much if an adversary has exfiltrated your data and is now threatening to publish it on the web or sell it on the black market. That’s what makes double extortion ransomware more effective than traditional ransomware.

In a few cases, double extortion actors have even emailed journalists about the attack to maximize the damage to a corporation’s image. Some groups have also threatened to disclose the breach to company investors in order to hurt the target organization’s stock price. All of this creates a high-pressure situation that forces a victim to seriously consider meeting the attacker’s demand.

But it’s important to note that paying the ransom doesn’t guarantee that your data won’t be exposed or sold to other cybercriminal groups. Paying also marks you as a target: other ransomware groups are motivated to attack you knowing you gave in when an adversary threatened to expose your data in the past.

Ransomware groups leading the double extortion attack chain

The number of hacking groups profiting from double extortion attacks is also rising. By monitoring the data leak sites that ransomware gangs use to publish stolen data samples, Digital Shadows found that a wide range of groups are involved in attacking organizations with ransomware.

Sites belonging to six groups (Maze, Conti, Sodinokibi, DoppelPaymer, Netwalker and Egregor) accounted for nearly 84% of the breaches last year. The remaining sites belong to several other groups, including DarkSide, Clop, Ako/Ranzy Locker, Nefilim, PYSA, SunCrypt and RansomEXX.

Although Maze was associated with most ransomware attacks in 2020, Egregor accounted for a third of breaches in Q4 2020. This contradicted the notion that the Maze group had vanished from the ransomware scene, since the gang’s members are believed to be working with Egregor’s developers. With their prior experience of conducting successful double extortion campaigns, Maze members can help increase the sophistication of the Egregor ransomware family, making it highly dangerous to end targets.

How to defend against double extortion ransomware

It’s difficult to avoid a ransom demand once double extortion actors have gained access to your data. The key to defending against such ransomware (or any ransomware, for that matter) is to minimize your risk exposure early. Start by updating all your internet-facing devices with the latest software patches. Devices running outdated software are a breeding ground for malware to carry out its exploits.

Another defense is to enforce two-factor authentication for all staff accounts. This makes it harder for adversaries to move laterally through your network should they manage to breach an account. When they’re unable to move freely, they’re likely to disengage and take their exploit elsewhere.

Besides these measures, you can look into emerging ransomware protection technologies like remote browser isolation (RBI) to help secure your data against double extortion. Intelligent RBI platforms can neutralize web-based ransomware risks with their isolation technology and zero-trust architecture. Features such as Smart Isolation allow RBI to render potentially harmful web elements remotely while rendering less risky pages locally, balancing security and user experience.

Protecting yourself against double extortion ransomware

Double extortion ransomware is only going to grow in 2021. Fortunately, you can take steps like installing the latest software patches and enabling two-factor authentication to avoid becoming a victim of double extortion. If you already see signs of intrusion, it can be helpful to run a full compromise assessment to determine how far the attack has progressed and whether you can stop it in its tracks.

Sources

  1. Egregor: The New Ransomware Variant To Watch, Digital Shadows
  2. Attack landscape update: Ransomware 2.0, automated recon, and supply chain attacks, F-Secure


Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news. Visit his website or say hi on Twitter.