Double Extortion Ransomware – what is it and how do I protect my business from it?

Ransomware poses a serious risk for companies. Increasingly, however, it appears in the form of double extortion ransomware. What exactly is that, and how can businesses protect themselves from it? We explain in this blog post.

What is Double Extortion Ransomware?

Double extortion literally means “double blackmail”. This does not necessarily involve several separate extortion attempts; rather, the cybercriminals apply several means of pressure within one extortion. The ransomware that has been common up to now usually relies on a single means of pressure: encrypting the data of a computer, network or system and demanding a ransom for decryption. With double extortion ransomware, the cybercriminals add further means of pressure to make payment of the ransom as unavoidable as possible.

What do cybercriminals threaten their targets with?

In many double extortion attacks, the cybercriminals copy the data before encrypting it. They target the most sensitive information they can find, such as company secrets or personal data. Later, they threaten to publish precisely this data or to auction it on the darknet.

Other possible means of pressure used by cybercriminals:

  • DDoS attacks, with which the cybercriminals take the extorted company’s website offline.
  • Regulatory violations by the company (e.g. of the GDPR) that the cybercriminals have detected. In that case the ransom demand is often set lower than the expected fine.

How does a typical double extortion attack proceed?

Knowing the typical sequence of these attacks helps you protect against them more effectively.

  1. Compromise of the corporate network. For example, through a successful phishing email, via vulnerabilities not yet closed by updates, or through attacks on remote access credentials.
  2. Network propagation. The cybercriminals expand their access and explore the systems and the data they hold.
  3. Data exfiltration. The cybercriminals copy as much of the company’s data as possible.
  4. Ransomware activation. Encryption of all the company’s data and systems the cybercriminals can reach, followed by presentation of the ransom demand.
  5. Publication or auction of the copied data if the company refuses to pay the ransom. This threat may also be announced together with the first ransom demand.

The most common ways of attack by cybercriminals

For cybercriminals, the initial compromise of the corporate network is crucial. To achieve it, they use a wide variety of attacks:

  • Phishing emails
  • Security vulnerabilities in software and hardware
  • Vulnerabilities in VPN connections
  • Brute-force attacks on remote access to the corporate network (commonly exposed via Remote Desktop Protocol, RDP for short)
  • Access credentials to already compromised networks, purchased on the darknet

How can you better protect your company from double extortion attacks?

Fundamentally, your protection strategy should run on two tracks:

  • Thwarting attacks before they succeed (prevention)
  • Mitigating the damage of successful attacks (response)

Implementing a well thought-out basic level of cybersecurity protection already helps a great deal. In addition, we recommend specific measures aimed at the typical sequence of a double extortion attack, so that it is prevented or at least recognized quickly enough to react immediately.

This basic protection becomes particularly effective when supplemented with such specific measures. An effective protection strategy should be tailored to your company and cover technical, human and content-related aspects. Perseus experts will be happy to advise you on this. Nevertheless, we would like to present some particularly important measures in this article.

Particularly important measures for the prevention of double extortion attacks

  • Phishing awareness training for your employees.
  • Immediate installation of updates and patches, especially for frequent entry points such as VPN and RDP.
  • Grant access to these frequent entry points only to those who really need it, and secure them with multi-factor authentication wherever possible.
  • Protect sensitive data in a targeted manner, e.g. through encryption or separate, outsourced storage.
  • Segment the corporate network into separate zones where possible.

Particularly important mitigation measures for double extortion attacks

  • Monitoring the systems for suspicious activity.
  • Complying with the GDPR and other regulations, so that violations cannot be used as additional leverage for extortion.
  • Promoting a positive, vigilant security culture so that compromises are quickly detected and reported.
  • An emergency plan that is familiar and accessible to all employees. It must designate initial actions and contacts in the event of a cyber emergency.
  • Where appropriate, deploy hardware and software that prevents data from leaving the network after a successful compromise. Such products are known as data loss prevention (DLP).
  • Daily backups that are kept separate from the production systems.
  • A strategy for restoring the systems quickly and easily from current backups.
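The attack vectors above single out brute-force attacks on RDP, and the mitigation list asks for monitoring for suspicious activity. The following added example (not part of the original post or any Perseus tooling) shows one concrete form of that monitoring: it scans constructed records shaped like Windows Security log events (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) and alerts on a burst of failures from one source, flagging in particular a success that follows the burst, which is the pattern of a remote-access account that has just been compromised. The thresholds and sample events are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, user).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, 10, "203.0.113.7", "admin"),
    ("2024-05-01T02:00:03", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-05-01T02:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2024-05-01T02:00:08", 4625, 10, "203.0.113.7", "svc_sql"),
    ("2024-05-01T02:00:10", 4625, 10, "203.0.113.7", "it-support"),
    ("2024-05-01T02:00:14", 4624, 10, "203.0.113.7", "it-support"),  # success after burst
    ("2024-05-01T09:15:00", 4625, 10, "198.51.100.9", "jdoe"),       # a single typo, benign
    ("2024-05-01T09:15:20", 4624, 10, "198.51.100.9", "jdoe"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts keyed by source IP.

    An alert is raised when at least `threshold` RDP logon failures from one
    source fall inside a sliding `window`; `success_after_burst` records the
    user of a later successful RDP logon from that same source, if any.
    """
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if logon_type == 10:  # only remote-interactive (RDP) logons matter here
            by_src[src].append((datetime.fromisoformat(ts), event_id, user))

    alerts = {}
    for src, records in by_src.items():
        records.sort()
        failures = []          # timestamps of 4625 events still inside the window
        burst_seen = False
        for ts, event_id, user in records:
            if event_id == 4625:
                failures.append(ts)
                failures = [t for t in failures if ts - t <= window]
                if len(failures) >= threshold:
                    burst_seen = True
                    alert = alerts.setdefault(src, {"failures": 0, "success_after_burst": None})
                    alert["failures"] = max(alert["failures"], len(failures))
            elif event_id == 4624 and burst_seen:
                alerts[src]["success_after_burst"] = user
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {alert['failures']} RDP failures; "
              f"success after burst: {alert['success_after_burst']}")
```

In production the same logic would run over events collected centrally, and the single benign failure from the second source shows why a threshold rather than any single failure is the right trigger.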

Who can you turn to in an acute case?

Do you suspect that your network has been compromised, or are you already facing a ransomware attack? Then act immediately:

Perseus members can count on our Incident Response every day, around the clock.

Also available around the clock is this emergency number for non-members: +49 30 233 2730 95

Further information

We would be happy to talk to you personally about double extortion and how you can better protect your company. If you would like to read more about this topic, please take a look here:

  • No More Ransom is an initiative of, among others, the National High Tech Crime Unit of the Dutch police and Europol’s European Cybercrime Centre. There you will find information on the topic and many prevention tips.
  • This report examines in detail the current ransomware situation and the increased spread of double extortion ransomware. It was published by the Royal United Services Institute (RUSI), an independent UK research institute dedicated to national and international security.