Triple Extortion: What is it, and how to stop it?
Cybersecurity is a fast-paced arms race between hackers and cybersecurity professionals, and triple extortion ransomware attacks are one of the newer tools in hackers’ arsenal. The situation is a lot like the immune system protecting the body: every year, viruses evolve and adapt, and our immune systems have to catch up with the latest strains. Learning about the latest threats can help you prepare your cyber defenses and keep your network healthy.
Level One: Classic Ransomware
Ransomware attacks first worked on a very basic principle: lock victims out of their data, and demand a ransom to regain access. Almost all ransomware still works on this principle. A good backup policy largely neutralizes classic ransomware, since victims can just restore their data from the backup. For more information on how to defend against this kind of attack, check out our general guide on protecting against ransomware. Going into 2023, these attacks are fairly basic, but a surprising number of organizations are still not well-prepared. As more organizations put good backup policies in place, hackers started getting more creative, and double extortion ransomware was born.
Level Two: Double Extortion
We covered double extortion ransomware at length in another post, and there’s a good reason why. It is steadily becoming a bigger threat, and most high-profile ransomware attacks contain some element of double extortion. Almost every major company or organization has sensitive data, and double extortion ransomware targets this vulnerability. In double extortion ransomware attacks, hackers try to blackmail victims by threatening to publish their data on the internet. To do this, they create special websites on the dark web where anyone, whether hackers, competitors, or criminals, can download the information. There can also be huge legal costs associated with data breaches, which can make double extortion attacks extremely costly. This puts a lot of pressure on the victim to pay. One of the best defenses against double extortion ransomware is encryption, since attackers can’t blackmail people with data they cannot read.
Level Three: Triple Extortion Ransomware
As if double extortion wasn’t enough, hackers are now upping the ante with triple extortion ransomware attacks. The basic principle here is the same: cause as much pain and suffering for the victim as possible until they are willing to pay to make it stop. Triple extortion ransomware can take many forms:
- DDoS attacks. If the victim of triple extortion ransomware has a client-facing web interface, attackers may try to shut it down with a distributed denial of service (DDoS) attack. These attacks flood the victim’s servers with requests, causing them to overload and shut down. For companies that do a lot of business online, this can mean losing millions of dollars.
- Threatening to leak to the press. Attackers sometimes try to escalate pressure by threatening to leak news of the breach to the press. For high profile companies, this can be a severe blow to their reputation.
- Attacking third parties. One of the most common forms of triple extortion is demanding ransoms from parties connected to the initial victim. The most famous case of this, and one of the first triple extortion attacks, was an attack on a Finnish psychotherapy clinic. After the clinic refused to pay, the hackers approached patients, threatening to publicize confidential notes from therapy sessions. Another famous example is the Quanta hack. Quanta is a supplier of chips for Apple, so it held some confidential data from Apple, which the attackers used to get more leverage for extortion.
All triple extortion attacks expand the scope of the attack to parties other than the initial victim. The aim may be to put more pressure on the initial victim, to demand ransoms from customers or partners of the victim, or both.
Responding to Triple Extortion Ransomware
Many ransomware attacks combine multiple attack methods. These attacks often come one after the other, so every time you think it’s over, the attackers come back with more demands. One of the advantages of working with a professional ransomware response firm like BeforeCrypt is having access to information about ransomware gang behavior. We have a lot of knowledge on the most common ransomware ports and can provide you with the necessary information about the ransomware recovery options at your disposal. Different ransomware operations deploy different tactics, and the more you know about their track record, the better you can plan an optimal response. It’s very important to understand the extent of the breach and what kind of pressure hackers will be able to apply. This helps you make a better analysis of the costs and benefits of different courses of action.
Preventing Triple Extortion Attacks
In general, preventing triple extortion attacks is very similar to preventing double extortion attacks. The majority of triple extortion attacks use some kind of data to threaten the victim’s clients or partners. If this data is well secured and encrypted, the risk of triple extortion is greatly reduced, even if the hackers are able to lock down a network in a classic encryption ransomware attack. Besides the general security measures we covered in other posts, DDoS-based triple extortion can be prevented by using a cloud service provider with DDoS protection built in, like Cloudflare or AWS. To minimize inconvenience, it can be useful to handle different types of data differently. For example, sensitive data which can be used in a triple extortion attack can be subject to additional encryption and require 2-factor authentication to access. This lowers the likelihood of attackers getting their hands on it, with less disruption to operational efficiency. When it comes to ransomware, a little bit of prevention is worth a lot of cure. Ransomware attacks are a huge problem, and unfortunately they are not going away any time soon. Having a well-rehearsed plan for the event of an attack can make it much easier to make the right decisions and minimize downtime and reputational damage resulting from an attack.
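The tiered handling described above can be checked against an asset inventory. The following is an added example, not code from BeforeCrypt: the `Asset` fields, the lever labels and the sample inventory are all constructed for illustration, and `encrypted` is assumed to mean the data is unreadable to someone who copies it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    sensitive: bool        # holds client or partner data usable for blackmail
    client_facing: bool    # public web interface customers depend on
    backed_up: bool        # restorable from a backup
    encrypted: bool        # assumption: unreadable to someone who copies it
    two_factor: bool       # 2-factor authentication required for access
    ddos_protected: bool   # behind a provider with DDoS protection

def open_levers(asset: Asset) -> list[str]:
    """List the extortion levers this asset leaves open to an attacker."""
    levers = []
    if not asset.backed_up:
        levers.append("lockout: no backup to restore from")
    # Extra controls apply only to the sensitive tier, so ordinary data
    # stays easy to work with.
    if asset.sensitive and not asset.encrypted:
        levers.append("leak: stolen data is readable")
    if asset.sensitive and not asset.two_factor:
        levers.append("leak: sensitive data reachable without 2-factor authentication")
    if asset.client_facing and not asset.ddos_protected:
        levers.append("ddos: client-facing service is unprotected")
    return levers

def audit(inventory: list[Asset]) -> dict[str, list[str]]:
    """Map each asset with at least one open lever to its findings."""
    report = {a.name: open_levers(a) for a in inventory}
    return {name: levers for name, levers in report.items() if levers}

# Constructed sample inventory, not taken from any real environment.
INVENTORY = [
    Asset("patient-notes-db", True, False, True, False, False, False),
    Asset("customer-portal", False, True, True, False, False, False),
    Asset("build-cache", False, False, False, False, False, False),
    Asset("hr-records", True, False, True, True, True, False),
]

if __name__ == "__main__":
    for name, levers in audit(INVENTORY).items():
        print(name)
        for lever in levers:
            print("  -", lever)
```

Non-sensitive assets are never flagged for missing encryption or 2-factor authentication, which is the point of treating data tiers differently.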
If you need help preparing a ransomware response plan or responding to an attack, you can contact BeforeCrypt at any time, 24/7, for a free consultation on the Ransomware Recovery Services we provide. Our expert technicians have helped resolve hundreds of ransomware infections and are ready to help.