Ransomware is a serious risk for companies, and increasingly the talk is of double extortion ransomware. What is it, what do these attacks mean for companies, and how can you protect yourself? We answer these questions in this blog post.
What is Double Extortion ransomware?
The term means exactly what it says. It does not necessarily involve several separate blackmail attempts; rather, the cybercriminals use more than one means of pressure in a single extortion. Classic ransomware relies on one lever: the data on a computer, network or system is encrypted and a ransom is demanded for decryption. In a double extortion, the cybercriminals add further leverage to make paying the ransom as unavoidable as possible for the blackmailed company.
What do cybercriminals threaten in a double extortion?
In many double extortions, the cybercriminals copy the data before encrypting it. They prefer information that is as sensitive as possible, such as trade secrets or personal data. Later they threaten to publish exactly this data or to auction it off on the darknet.
Other means of pressure the cybercriminals use:
- DDoS attacks that render the website of the blackmailed company unusable.
- Regulatory violations by the company, for example breaches of the GDPR, which the cybercriminals discover while inside the network. The ransom demand is then often set just below the fine the company would expect.
How does a typical double extortion attack proceed?
Knowing the typical sequence of these attacks helps you to protect yourself against them more effectively.
- Compromise of the corporate network, for example through a successful phishing e-mail, through vulnerabilities that have not yet been closed by updates, or through attacks on remote access.
- Spreading through the network (lateral movement). The cybercriminals expand their access and explore the systems and their data.
- Data exfiltration. The cybercriminals copy as much of the company's data as possible, preferring the most sensitive material.
- Activation of the ransomware. All data and systems the cybercriminals can reach are encrypted, and the ransom note is presented.
- The threat to publish or auction the copied data. It may be made only once the company refuses to pay, or it may already be part of the first ransom demand.
The most common attack vectors used by cybercriminals
For cybercriminals, the initial compromise of the corporate network is the crucial step. They use various attack paths for this:
- Phishing e-mails
- Vulnerabilities in software and hardware
- Vulnerabilities in VPN gateways and connections
- Brute-force attacks on remote access to the corporate network, typically on exposed Remote Desktop Protocol (RDP) services
- Access credentials for networks that have already been compromised, bought on the darknet
How can you better protect your company against double extortion attacks?
Fundamentally, your protection strategy should work on two levels:
- Preventing successful attacks (prevention)
- Limiting the damage of successful attacks (reaction)
Implementing a well-thought-out cybersecurity baseline already makes a big difference. In addition, we recommend specific measures against the typical steps of a double extortion attack, or at least measures that detect those steps quickly so that you can react immediately.
A consistently implemented zero trust model, supplemented by such specific measures, offers particularly strong protection.
An effective protection strategy is individually tailored to your company – including its technical, human and content-related conditions, possibilities and limits. The experts at Perseus will be happy to advise you on this.
Nevertheless, here are some particularly important measures.
Particularly important measures to prevent double extortion attacks
- Anti-phishing awareness and training for your employees.
- Immediate application of updates and patches, especially for frequently attacked components such as VPN gateways and RDP.
- Restrict access to these frequently attacked entry points to those who really need it, and secure that access with multi-factor authentication wherever possible.
- Protect sensitive data specifically, for example through encryption or storage on separate systems.
- Segmentation of the corporate network into areas that are separated from each other as far as possible.
Particularly important measures for damage limitation in double extortion attacks
- Monitoring of systems for suspicious processes and activity.
- Comply with the GDPR and other regulations so that compliance violations cannot be used as an extortion lever.
- Promote a positive, attentive security culture so that compromises are detected and reported quickly. Only then can an appropriate response follow.
- A contingency plan that all employees know and can access. It must name the first steps and the contact persons for a cyber emergency.
- Where appropriate, hardware and software that prevents data from leaving the network even after a successful compromise. Such products are known as data loss prevention (DLP).
- Up-to-date backups stored separately from the production systems, offline or otherwise unreachable from the network.
- A tested strategy for restoring systems quickly and easily from recent backups.
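The attack sequence described above and the "monitoring for suspicious processes" measure both come down to the same question: can you spot the stages before the ransom note appears? The following is an added example, not Perseus code, of simple detectors for three of those stages run over constructed log events. The event schema (dicts with "ts", "type" and per-type fields), the thresholds, the host and address names, and the sample events are all assumptions made for illustration; in practice you would map your own SIEM or endpoint telemetry onto them.

```python
"""Stage detectors for a double extortion attack, run over constructed log events.

Added example, not Perseus code. The event schema (dicts with "ts", "type" and
per-type fields), the thresholds and the sample events are assumptions made
for illustration; map your own SIEM or endpoint events onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _burst_keys(events, event_type, keyfn, threshold, window):
    """Return the keys that produced at least `threshold` events of `event_type`
    inside any time window of length `window` (sliding two-pointer sweep)."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["type"] == event_type:
            by_key[keyfn(e)].append(_ts(e))
    flagged = set()
    for key, times in by_key.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Initial compromise: many failed RDP logons from one source address."""
    return _burst_keys(events, "rdp_logon_failed", lambda e: e["src"], threshold, window)


def detect_exfiltration(events, baseline_bytes, factor=5):
    """Exfiltration: a host sends several times its usual outbound volume."""
    outbound = defaultdict(int)
    for e in events:
        if e["type"] == "net_outbound":
            outbound[e["host"]] += e["bytes"]
    return {h for h, b in outbound.items() if b > factor * baseline_bytes.get(h, 0)}


def detect_mass_rename(events, threshold=20, window=timedelta(minutes=2)):
    """Encryption run: one host renames many files to the same new extension
    within a short time. Keying on (host, extension) keeps a backup or build
    job that touches many files with mixed extensions from tripping the rule."""
    return _burst_keys(events, "file_rename", lambda e: (e["host"], e["new_ext"]),
                       threshold, window)


def run_detectors(events, baseline_bytes):
    return {
        "rdp_bruteforce": detect_rdp_bruteforce(events),
        "exfiltration": detect_exfiltration(events, baseline_bytes),
        "mass_rename": detect_mass_rename(events),
    }


# --- constructed sample data (not real telemetry) ---
_BASE = datetime(2024, 3, 1, 2, 0, 0)


def _at(seconds):
    return (_BASE + timedelta(seconds=seconds)).isoformat()


SAMPLE_EVENTS = (
    # 12 failed RDP logons from one address in under three minutes: brute force
    [{"ts": _at(15 * i), "type": "rdp_logon_failed", "src": "203.0.113.7", "user": "admin"}
     for i in range(12)]
    # one mistyped password from a legitimate user: noise, must not be flagged
    + [{"ts": _at(100), "type": "rdp_logon_failed", "src": "10.0.0.5", "user": "jdoe"}]
    # ws-42 pushes 2 GB out against a 50 MB baseline; fs-01 stays within its baseline
    + [{"ts": _at(3600), "type": "net_outbound", "host": "ws-42", "bytes": 2_000_000_000},
       {"ts": _at(3700), "type": "net_outbound", "host": "fs-01", "bytes": 40_000_000}]
    # 25 files renamed to .locked on fs-01 within 50 seconds: encryption run
    + [{"ts": _at(7200 + 2 * i), "type": "file_rename", "host": "fs-01", "new_ext": ".locked"}
       for i in range(25)]
    # five .bak renames on ws-42 spread over an hour: routine housekeeping
    + [{"ts": _at(7200 + 600 * i), "type": "file_rename", "host": "ws-42", "new_ext": ".bak"}
       for i in range(5)]
)
BASELINE_OUTBOUND = {"ws-42": 50_000_000, "fs-01": 50_000_000}

if __name__ == "__main__":
    for name, hits in run_detectors(SAMPLE_EVENTS, BASELINE_OUTBOUND).items():
        print(f"{name}: {sorted(hits) or 'nothing suspicious'}")
```

The three detectors correspond to the first, third and fourth stages of the sequence above: the brute-force rule fires on the address hammering RDP, the exfiltration rule on the workstation whose outbound volume is far above its baseline, and the mass-rename rule on the file server being encrypted. The single legitimate failed logon and the slow housekeeping renames stay below the thresholds, which is the point of windowed counting rather than matching on single events. Thresholds and baselines have to be tuned per environment; the values here are illustrative.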
Who can you contact in an acute case?
Do you suspect that your network has been compromised, or do you already have a ransom demand in front of you? Then act immediately:
Perseus members can count on our incident response around the clock, every day.
Learn more
In a personal conversation, we will be happy to advise you on the topic of double extortion and how you can better protect your company. If you would like to read up on this topic, take a look here:
- No More Ransom is an initiative of the Dutch police’s National High Tech Crime Unit and Europol’s European Cybercrime Center, among others. Here you will find information on the topic and many prevention tips.
- This report takes a detailed look at the current state of ransomware and the increased prevalence of double extortion ransomware. The organization behind the report is the Royal United Services Institute (RUSI), an independent British research institute dedicated to national and international security.