Understanding double and triple extortion ransomware

Ransomware attacks have evolved into increasingly sophisticated schemes, with cybercriminals continuously refining their methods to maximize profits. One particularly alarming trend is the adoption of double and triple extortion tactics.

As reported by the HHS, these cybercriminals are now employing remote ransomware attacks against institutions such as U.S. hospitals and medical research laboratories. This directly threatens public health and safety on the alarming extent of cybercriminal sophistication.

A troubling development for hospitals is the focus on medical devices, expanding beyond traditional targets like networks, servers, PCs, databases, and medical records. In 2023, over 630 ransomware incidents targeted healthcare institutions globally, with a substantial 460 affecting the United States alone, indicating the pressing requirement for advanced cybersecurity measures in the healthcare sector.

Understanding ransomware

According to a recent report on Q2 trends, ransomware is a booming business. The report analyzed ransomware attacks worldwide and found a staggering 67% increase in cases between Q1 and Q2. 

Ransomware is malware that holds a victim's data hostage by encrypting it or restricting access to the system. The attackers then demand a ransom in exchange for the decryption code or the restoration of system access. Cyber extortion has become a lucrative business for cybercriminals, targeting individuals, businesses, and even infrastructure.

The American Hospital Association (AHA) has indicated that ransomware attacks place significant pressure on healthcare systems still recovering financially from the pandemic. 

Read more: What is cyber extortion in healthcare? 

What is double extortion?

Double extortion occurs when cybercriminals encrypt an organization's data and exfiltrate it before carrying out the encryption. By exfiltrating the data, the attackers gain an advantage over the organization. They can demand a ransom in exchange for not publicly releasing the stolen data or selling it to third parties. This tactic adds an additional layer of pressure on the victim, as releasing sensitive information can have severe consequences, such as reputational damage, regulatory fines, and legal implications.

In recent years, ransomware groups have increasingly used double extortion to increase their chances of receiving a ransom payment. They are encrypting the victim's data and threatening to expose it unless the ransom is paid. This tactic has proven highly effective, as organizations are more likely to pay to prevent the public disclosure of sensitive information.

Read also: Refusal to pay is the newest strategy to combat ransom attacks

What is triple extortion?

Triple extortion takes the double extortion tactic a step further by adding another layer of pressure on the victim. In addition to encrypting the data and threatening to release it, cybercriminals may employ additional tactics to extort funds from the victim. These tactics can include contacting individual victims whose data has been compromised, encrypting more of the organization's environment, or threatening the victim with a secondary attack, such as a distributed denial-of-service (DDoS) attack.

The goal of triple extortion is to further complicate the attack and increase the stakes for the victim. Cybercriminals try to maximize their chances of receiving a ransom payment by employing multiple extortion tactics simultaneously. The added pressure of potential downtime, reputational damage, regulatory consequences, or other adverse outcomes can push organizations to comply with the attackers' demands.

Read more: What is a DDoS attack? 

The value of data exfiltration in ransomware

Data exfiltration has become a valuable tool for ransomware groups. By stealing sensitive information, such as customer data, intellectual property, or trade secrets, cybercriminals can further incentivize organizations to pay the ransom. The release or threatened release of exfiltrated data can have serious consequences for the victim, including reputational harm, regulatory investigations, and legal penalties.

Releasing exfiltrated data allows threat actors to pressure the victim to pay the ransom. The potential consequences of not paying, such as the misuse of stolen credentials or the launch of secondary attacks, can lead organizations to believe that paying the ransom is the lesser of two evils. The threat actors know that releasing sensitive information can harm the victim organization and cause collateral damage to other organizations or individuals associated with the victim.

Related: What is data exfiltration in cybersecurity? 

How to protect against extortion in ransomware attacks

According to a study titled Ransomware Attacks on Healthcare Systems: Case Studies and Mitigation Strategies, “a thorough analysis of the ethical and legal implications of ransomware assaults on healthcare institutions is needed. Stricter cybersecurity safeguards must be implemented by healthcare organisations due to regulatory responsibilities under frameworks such as GDPR and HIPAA. The necessity of tackling ransomware threats in the healthcare industry is further underscored by the ethical duties to safeguard patient confidentiality and confidence. A proactive and moral approach to cybersecurity is necessary to maintain the resilience and integrity of healthcare systems as the industry struggles with constantly changing cyberthreats.”

This is why protecting against double and triple extortion in ransomware attacks requires a multi-layered approach to cybersecurity. Organizations must implement security measures to prevent initial access by threat actors and mitigate the risk of data exfiltration. Here are some steps organizations can take to protect themselves:

Conduct data backups

Organizations can restore their systems without paying the ransom by having up-to-date backups stored securely offline or in the cloud. Backups also provide valuable visibility into the data that exists within the organization, helping inform incident response efforts and ransom negotiations.

Implement 24/7 monitoring

Real-time monitoring of network traffic and system logs is needed to detect suspicious activities and potential ransomware attacks. Managed detection and response (MDR) solutions can provide round-the-clock monitoring, alerting organizations to unauthorized access attempts and helping them respond promptly to mitigate the risk of data exfiltration.

Strengthen identity and access management

Implementing identity and access management (IAM) practices can help prevent unauthorized access to sensitive data. This includes using multi-factor authentication (MFA), following privileged access management (PAM) best practices, and adopting a zero-trust approach to user identity. By securing user identities, organizations can reduce the risk of initial access by threat actors.

Regularly patch and update systems

Many ransomware attacks exploit known software vulnerabilities, making regular patching and updates a big part of a vulnerability management program. By promptly addressing vulnerabilities, organizations can reduce the risk of initial access by threat actors.

Educate employees about security best practices

Organizations should provide regular cybersecurity awareness training to educate employees about the risks of phishing emails, malicious attachments, and suspicious links. Organizations can reduce the likelihood of successful ransomware attacks by promoting a culture of security awareness.

In the news

Over the last few months, Paubox has extensively covered a series of ransom attacks impacting hospitals, with a focus on the rising trend of double extortion tactics. Of particular note is the recent and most significant attack on Change Healthcare, where the RansomHub group claimed possession of 4TB of stolen data, employing a double extortion strategy by threatening to make the data public unless a ransom was paid. This incident has shown the escalating threat posed by cybercriminals using multifaceted extortion tactics to exploit vulnerabilities within healthcare organizations and extract substantial ransom payments.

The attack on Change Healthcare has prompted heightened concern within healthcare cybersecurity, with experts expressing the need for stringent regulations around third-party access and security programs to counter such threats. The potential exposure of a massive trove of protected health data has reverberated across the entire healthcare ecosystem, necessitating an approach to breach liability reduction and cybersecurity measures. The evolving nature of ransomware attacks, particularly the emergence of double and triple extortion tactics, has further placed emphasis on the need for organizations to fortify their security controls and response plans to effectively combat these complex and multifaceted threats.

Read more: Nationwide pharmacy delays following Change Healthcare hack 

FAQs

Does HIPAA apply to ransomware attacks? 

Yes, HIPAA (Health Insurance Portability and Accountability Act) applies to ransomware attacks that involve the exposure or potential exposure of protected health information (PHI). Organizations subject to HIPAA regulations must take appropriate measures to prevent, detect, and respond to ransomware attacks to protect the privacy and security of PHI.

Do I need consent to pay a ransom in a ransomware attack? 

While the decision to pay a ransom in a ransomware attack is ultimately up to the affected organization, paying a ransom does not guarantee the recovery of data or the prevention of future attacks. Additionally, organizations should consider the legal and ethical implications of paying a ransom, as it may encourage further criminal activity.

What tools can I use to protect against ransomware attacks? 

There are several tools and best practices that organizations can implement to protect against ransomware attacks. These include backup solutions, endpoint protection software, network segmentation, vulnerability management programs, and employee cybersecurity training. Organizations should also consider working with cybersecurity experts to develop a detailed defense strategy tailored to their needs.