Ransomware Attackers Turn to Double Extortion

Hilary Tuttle


March 1, 2021

Last fall, clients of Finnish psychotherapy services provider Vastaamo were personally blackmailed after a data breach of the firm’s medical records. The attacker stole thousands of records after breaching Vastaamo in 2018, returned to steal more in 2019, and then tried to turn the data breach into profit in September 2020. Attempting to extort the center into paying a ransom, the hacker leaked the data of 300 patients, and demanded payment in bitcoin to prevent exposure of up to 40,000 more patients’ information. The hacker then tried to blackmail individual patients directly, threatening to expose documents containing everything from personal identity codes to therapy session transcripts if they did not pay a few hundred euros’ worth of bitcoin.

“With up to tens of thousands of clients now concerned about the availability of their sensitive, personal data on the dark web, this is one of most disturbing examples of gross misuse of patient records in recent history,” said Adam Bangle, vice president for Europe, the Middle East and Africa at BlackBerry. “The health care industry appeals to hackers due to the nature of the data it handles, the amount of internet of things devices collecting sensitive data, the continued use of insecure, legacy devices and the fact that IT and security teams in the health sector lack the resources to deal with the modern threat landscape. Sadly, ransomware and information stealers are the most common type of malware used against the healthcare sector.”

While the Vastaamo case is notable and fairly unique for the attempts to extort both the organization and its clients, another form of double extortion has grown far more common over the past two years, combining ransomware and information theft in attacks against health care organizations and other sensitive industries. Looking to secure payments and increase profits, an increasing number of cybercriminals are launching two-phase attacks using both ransomware and data exfiltration. Cybersecurity experts refer to such attacks with a number of terms, including “double extortion,” “name and shame” and “encryption+exfiltration.”

Many ransomware attackers who get into enterprise systems just use their ability to disrupt the organization’s access to data or systems or threaten data destruction in the event of nonpayment, but some are now delving into that data and leveraging sensitive information, threatening to publish it online if victims do not pay up.

“These days, the criminals don’t just squeeze you to pay up for the decryption key to unscramble your whole network and get your business going again. They also menace you to pay for their ‘cooperation’ in deleting the data they stole instead of leaking it to the world, or auctioning it off to other crooks, or both,” explained Paul Ducklin, from the Naked Security blog by cybersecurity firm Sophos. “It’s a bit like being kidnapped and blackmailed at the same time: even if you have a way out of one crisis, such as a recent and reliable backup to recover your own files, the crooks have a second hold over you.”

Starting in late-2019, the criminals behind a ransomware variant called Maze made headlines for adopting a “name and shame” tactic. Maze attackers operate a public-facing website that publishes stolen data of victims who do not pay. The practice adds credence to the threats from attackers; heightens the prospect of widespread attention and reputation damage resulting from the hack; and raises the specter of fines, lawsuits and regulatory scrutiny resulting from the exposure of sensitive data. This has contributed to more frequent ransom payments and higher sums demanded.

Other cybercriminal groups have adopted the tactic, including the attackers behind well-publicized ransomware strains REvil and Sodinokibi. These operations are more sophisticated and targeted than many widespread ransomware attacks. The attackers will first gain access to the victim enterprise’s network, seek out valuable data and exfiltrate it before ultimately deploying the ransomware in a separate stage of the attack. In addition to demanding a ransom for the decryption key, the hackers frequently publish a small amount of the data to demonstrate what they have exfiltrated, and then demand another payment to prevent further data from being released. Some may also offer the data for sale on the dark web.

“This approach gives attackers several lucrative bites at the cherry and ramps up pressure on the unfortunate victim,” said Greg Foss, senior cybersecurity strategist at VMware Carbon Black. “First, and most obvious, they can demand a ransom in return for unencrypting systems. Second, if victims resist, the attacker threatens to publish the data they have stolen as proof of the attack and to cause major reputation and regulatory damage, as well as exposing trade secrets. Some groups even pitch their ransom demands based on the likely fines that businesses would face if a breach becomes public. Third, if the victim still resists paying the ransom, the stolen data can still be sold on the dark web, offering another revenue stream.”

Given the reputation and regulatory implications, these attacks have frequently targeted professional and financial services enterprises like law firms and banks. Foss also noted that attackers are taking more time “identifying lucrative targets—those with minimal tolerance for downtime or a lot of valuable IP, such as manufacturers and research companies.”

Attackers have also focused heavily on health care. As Bangle noted, BlackBerry researchers found that health care organizations are the most likely to pay ransoms, “due to the critical nature of the targeted data.” Many cybercriminals are seizing the opportunity posed by the need to maintain operations and the high value of medical records to potential buyers on the black market. For example, University Hospital New Jersey paid a $670,000 ransom in September to attackers who threatened to publish stolen data, including patient information. The Hospital Group, a U.K.-based cosmetic and weight loss surgery chain, faced a ransomware attack in December in which attackers obtained and threatened to leak patients’ before-and-after photos, including those of celebrity clients.

Threat analysts and incident responders logged a notable increase in double-extortion cases in 2020 and have tied the rise of “name and shame” to a rise in ransom demands as well. Incident response firm Coveware reported that ransomware demands increased by almost a third between the second and third quarters of 2020, while cases in their data set including a threat to publish stolen data rose to almost 50%.

Moving Forward

By the end of the next quarter, Coveware reported the rate of ransomware attacks involving data exposure threats rose to 70%, up 43% from Q3 to Q4. Yet the end of 2020 may also mark a turning point in data exfiltration tactics. In Q3, 75% of enterprises facing this threat paid the ransom, but that figure dropped to 60% in Q4.

The firm believes these attacks are resulting in fewer payouts because “trust that stolen data will be deleted is eroding.” As detailed in its newest quarterly ransomware report, “Coveware continues to witness signs that stolen data is not deleted or purged after payment. Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur.”

The firm also believes the lower payout rate has led to a reduction of payment sums from victims, noting the average payment decreased 34% to $154,108 and the median payment fell 55% to $49,450 from Q3 to Q4.

Yet incident responders caution there is another rising problem. Ransomware still pays, and the number of hackers looking for payouts remains high, especially as these malware strains are available on the dark web under the ransomware-as-a-service (RaaS) model. While the technology and many of the targeted deployments reflect a high level of sophistication, the RaaS model broadens the range of hackers who can use it to include less experienced actors who may use more destructive tactics—either intentionally or just accidentally.

“In Q4, Coveware received multiple reports from victims that entire clusters of servers and data shares had been permanently wiped out, with no recourse for retrieving the data even with the purchase of the decryption key,” the firm reported. “Ransomware actors are typically attentive when it comes to deleting data, as they know victims are only incentivized to pay for a tool if the data is still there, and merely encrypted. The uptick in haphazard data destruction has led some victims to suffer significant data loss and extended business interruption as they struggle to rebuild systems from scratch. It remains unclear whether these events have been outliers or a symptom of less-experienced bad actors handling the attack execution.”

For companies that face a double-extortion attack and ultimately choose to pay a ransom, Coveware advises victims to expect:

  • The threat actor may not destroy the data. Victims should assume it might be traded, sold, misplaced, or held for a second/future extortion attempt.
  • Stolen data may have been held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies to extort the victim later.
  • Before a victim can even respond to an extortion attempt, the data may be deliberately or mistakenly published anyway.
  • The threat actor may not deliver complete records of what they took, even if they explicitly promise to provide such artifacts after payment.

Hilary Tuttle is managing editor of Risk Management.