
Double Extortion Ransomware – a dangerous attack


The world of cybercrime evolves rapidly, and one of the most concerning developments is the rise of double extortion ransomware attacks. Unlike traditional ransomware attacks, which focus solely on locking up an organization’s files, double extortion attacks add a further layer of pressure by threatening to expose sensitive information. This blog post explores how these attacks work, why they are particularly dangerous, and what steps businesses can take to protect themselves.

What is a double extortion ransomware attack?

A double extortion ransomware attack is a two-pronged cyberattack in which hackers not only encrypt a company’s data, making it inaccessible, but also steal sensitive information before locking the files. The aim is to force victims to pay a ransom by threatening them on two fronts:

File encryption: The attacker encrypts the organization’s critical files, rendering them unusable. To regain access, the victim is asked to pay a ransom for the decryption key.  

Data theft and exposure: Before encrypting the files, the hackers exfiltrate sensitive data, such as customer information, financial records, or proprietary business information. They then threaten to leak this data publicly or sell it to third parties or competing companies if the ransom is not paid.  

This dual threat significantly increases the pressure on victims, as even organizations with robust backup systems that allow them to recover encrypted data can face devastating consequences if sensitive information is leaked.   

How do these attacks work?

The process of a double extortion attack follows a series of methodical steps that hackers use to maximize their leverage over the victim: 

Initial access: Hackers typically gain entry into an organization’s network by exploiting vulnerabilities, such as unpatched software, phishing emails, or weak passwords.  

Network exploration: Once inside, they spend time navigating the network to locate valuable data. This might include financial records, customer data, trade secrets, or other confidential information.  

Data exfiltration: Before launching the ransomware attack, they steal this data and transfer it to their own servers. The stolen data is their bargaining chip for the second part of the attack.  

File encryption: Hackers then encrypt the remaining files on the network, making them inaccessible to the organization and leaving behind a ransom note. This note typically provides instructions for paying the ransom in exchange for the decryption key.  

Extortion threat: If the victim refuses to pay or has strong data backups, the attackers apply further pressure by threatening to leak or sell the stolen data, creating a significant reputational

A double-double extortion ransomware attack

A small industrial company in Värmland, Sweden, was hit by a double extortion ransomware attack in August 2024. The attack followed the usual pattern: the data was encrypted, preventing the company from accessing it, and the attackers then threatened to publish the information online if the ransom was not paid. What made this attack unique is that the company was subjected to a double extortion attack from two hacker groups simultaneously. This makes it twice as expensive and could take twice as long to recover from. Being attacked by two different groups at the same time is very rare, but it suggests that this company had a vulnerability that multiple hackers took advantage of simultaneously. One of our cyber security experts, Joel Cedersjö, shared his insights into the attack in an interview with Sveriges Radio, which you can listen to here.

Protecting your organization

Defending against double extortion ransomware attacks requires a multi-layered approach to cybersecurity. Here are some key measures organizations can take:  

Regular software updates: Ensure all systems are up to date with the latest security patches to close vulnerabilities that attackers might exploit.  

Employee training: Educate staff about phishing attacks and safe online behavior, as phishing emails are a common entry point for ransomware.  

Data backup and encryption: Regularly back up critical data and store it securely, ensuring it is encrypted to prevent unauthorized access. Having offline backups can also help in restoring systems without paying a ransom.  

Network monitoring and incident response: Implement proactive monitoring to detect any suspicious activities in the network. Establish a robust incident response plan to quickly address breaches.  

Data protection measures: Encrypt sensitive data and implement strict access controls so that even if hackers gain access to the network, the data is more difficult to extract or misuse.  
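The two signals a monitoring team most wants to catch in a double extortion attack are the bulk exfiltration that precedes encryption and the burst of file rewrites when encryption starts. The following is an added illustration, not code from NTT Security Holdings: it runs two simple sliding-window rules over constructed EDR file-write and NetFlow-style records (hostnames, IPs, the `.lockd` extension and the thresholds are all invented for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from a real incident): EDR file writes and NetFlow records.
SAMPLE_EVENTS = """\
2024-08-11T22:40:00 net host=FS01 dst=203.0.113.9 bytes=600000000
2024-08-11T22:45:00 net host=FS01 dst=203.0.113.9 bytes=550000000
2024-08-12T01:02:10 fs host=FS01 op=write path=D:/shared/q2-report.xlsx.lockd
2024-08-12T01:02:11 fs host=FS01 op=write path=D:/shared/contracts/acme.pdf.lockd
2024-08-12T01:02:11 fs host=FS01 op=write path=D:/shared/HOW_TO_RESTORE.txt
2024-08-12T01:02:12 fs host=FS01 op=write path=D:/shared/payroll.csv.lockd
"""

EXF_BYTES, EXF_WIN = 1_000_000_000, timedelta(hours=1)   # >1 GB per hour to one external host
ENC_N, ENC_WIN = 3, timedelta(seconds=60)                # >=3 encrypted-looking writes per minute
KNOWN_EXT = {"txt", "pdf", "xlsx", "csv", "docx"}

def parse(line):
    ts, kind, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), kind, dict(kv.split("=", 1) for kv in rest.split(" "))

def looks_encrypted(path):
    # Flag an unknown final extension appended behind a known one (report.xlsx.lockd).
    parts = path.rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] not in KNOWN_EXT and parts[-2] in KNOWN_EXT

def burst(events, window, limit):
    # Sliding window over (timestamp, weight) pairs: True once weights in any window reach limit.
    events.sort()
    total, j = 0, 0
    for ts, w in events:
        total += w
        while ts - events[j][0] > window:
            total -= events[j][1]
            j += 1
        if total >= limit:
            return True
    return False

def detect(log_text):
    writes = defaultdict(list)   # host -> [(ts, 1)] for encrypted-looking writes
    flows = defaultdict(list)    # (host, dst) -> [(ts, bytes)] outbound
    for line in log_text.splitlines():
        ts, kind, f = parse(line)
        if kind == "fs" and f["op"] == "write" and looks_encrypted(f["path"]):
            writes[f["host"]].append((ts, 1))
        elif kind == "net":
            flows[(f["host"], f["dst"])].append((ts, int(f["bytes"])))
    alerts = [("encryption_burst", h, "") for h, ev in writes.items() if burst(ev, ENC_WIN, ENC_N)]
    alerts += [("exfiltration", h, d) for (h, d), ev in flows.items() if burst(ev, EXF_WIN, EXF_BYTES)]
    return sorted(alerts)
```

On the sample data the exfiltration alert fires hours before the encryption burst, which is the window in which an incident response plan can still prevent the second extortion lever from being established.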

At NTT Security Holdings, we remain committed to defending organizations against the threat from double extortion ransomware attacks and providing actionable intelligence to our customers. By taking proactive measures and remaining vigilant, we can collectively defend against cyber threats and safeguard sensitive data from exploitation.  

Contact us to learn how we can help protect your business from supply chain attacks. 

Let’s prioritize cybersecurity and work together to ensure a safer digital environment for all.