What is double extortion?

Double extortion ransomware is an attack that both encrypts systems and steals data, then threatens to publish the data if the ransom is not paid. The Maze gang pioneered this method, which puts far more pressure on victims: even if a victim restores its systems, the Maze gang can still leak or sell the stolen patient data.

According to an article by BleepingComputer, which reviewed the FBI’s December 2019 private-sector Flash Alert, the FBI warned U.S. companies about Maze ransomware after seeing attacks on U.S. victims starting in November 2019. Attackers often get in through phishing emails, weak RDP or VPN passwords, or software that has not been updated.

Double extortion attacks differ from regular ransomware attacks because they turn an IT outage into a full data breach, which raises the risk of HIPAA violations and reputational harm. To defend against it, healthcare organizations should follow best practices such as multi-factor authentication, patching, network segmentation, staff training, and backups. They should also use healthcare-grade email security, such as Paubox's encrypted email with inbound threat protection.

Double extortion vs ransomware

One Scientific Reports paper noted that double extortion “highlights the evolution of ransomware, starting with prominent early families such as Maze and GandCrab, moving through increasingly sophisticated and widespread ransomware, such as NetWalker, LockBit, and BlackCat, and extending to recent threats, such as Lockbit3 and StopCrypt, in 2024.”

In a double extortion attack, hackers encrypt systems and steal data at the same time. They then demand payment to decrypt the data and keep it from being made public.

Traditional ransomware, on the other hand, only locks or encrypts files so the victim cannot use them. Double extortion raises the stakes by threatening to publish private information: victims lose money and may also face regulatory fines and liability for the resulting data breach. The paper adds, “Maze pioneered the double extortion tactic, encrypting data while threatening to leak it. It targeted large corporations, causing both financial and reputational harm.”

Why attackers steal data first

Attackers steal (exfiltrate) data before or during encryption to gain more leverage over the victim. Holding stolen data hostage means the victim may pay to keep the breach from being announced or leaked, even when backups are available to restore systems. Exfiltration also gives attackers time inside the network to go after backups: they often delay deploying the encryption until they can infect or damage backup systems as well.

A Network Security paper illustrates how the attack operates, stating, “Only three days after the honeypot went live, hackers began to exploit it with a variety of ransomware attacks. In order to infiltrate the system, they began by targeting publicly accessible remote administration interfaces. It is through these interfaces that network operators provide technicians with access to the network and troubleshoot any issues or carry out maintenance work. In other words, the interface offers individuals the ability to perform privileged actions, making it a valuable mark for these hackers.”

The strategy convinces organizations that simply restoring from backup is not enough, which makes them more likely to pay. Stolen healthcare data, such as patient records and financial information, is also highly valuable on black markets, so criminals can profit even if the victim never pays. Data theft compounds the damage: on top of system disruption, it brings the threat of regulatory fines, lawsuits, and harm to patients.

Why backups are not enough

Regular backups remain essential because they give organizations a recovery path after encryption. As Sittig and Singh explain in an Applied Clinical Informatics study, “Once the attack has been launched, users have three basic options: 1) try to restore their data from a backup; 2) pay the ransom; or 3) lose their data.” Even with clean backups, however, a ransomware victim still faces the loss of privacy: exfiltrated data can be leaked or sold, causing HIPAA breaches and reputational damage. Attackers also know that backups can be compromised or deleted before the encryption is triggered, so they often try to do exactly that.

An HHS factsheet on ransomware notes that some ransomware strains remove or disrupt online backups and recommends offline, immutable backups instead. Thus, while frequent backups (and tested restores) are essential for restoring operations, they do not prevent stolen data from becoming a liability. The HHS factsheet goes on to state, “Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.”

How healthcare can reduce risk

HIPAA requires that data be encrypted both in transit and at rest. Organizations should also use the most current standards for email and TLS security. Offline (air-gapped) backups should be maintained and tested for recovery on a regular basis. HHS and CISA both stress having a response plan: if ransomware is detected, immediately isolate infected machines to halt the attack and activate your incident response procedures.

Healthcare organizations should also put email-specific security measures in place. Since email is the most common way attackers get into healthcare systems, it is best to use a HIPAA compliant email service that filters inbound threats. Paubox offers a secure email suite that encrypts all messages by default and scans incoming email for ransomware, malware, phishing links, and spoofed senders.

FAQs

What is phishing?

Phishing is a social engineering attack where cybercriminals trick people into sharing passwords, clicking on malicious links, opening infected attachments, or approving unauthorized access.

Why do attackers use phishing before extortion?

Attackers use phishing because it targets people instead of only technical systems.

What are common signs of phishing?

Common signs include urgent language, unexpected attachments, suspicious links, login requests, payment changes, sender address mismatches, grammar errors, unusual tone, and requests that bypass normal procedures.
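As an added example (not from the original article and not Paubox's code), the following Python checks a raw email for several of the signs listed above: a sender address mismatch, a Reply-To domain that differs from the sender, urgent language, login requests, and links to a domain other than the sender's. Both messages are constructed samples, and the keyword lists are assumptions chosen to match the article's list.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not taken from the original page).
PHISH = """From: "support@hospital.example" <alerts@hospital-example.co>
Reply-To: verify@portal-reset.example
Subject: URGENT: your account will be locked today
Content-Type: text/plain

Please verify your login immediately at http://portal-reset.example/login
"""

LEGIT = """From: IT Support <support@hospital.example>
Subject: Scheduled maintenance this weekend
Content-Type: text/plain

The patient portal will be offline Saturday 2-4am for patching.
"""

# Assumed keyword lists; a production filter would use a much larger set.
URGENT = re.compile(r"\b(urgent|immediately|today|locked|suspended)\b", re.I)
LOGIN = re.compile(r"\b(verify|login|log in|password|credentials)\b", re.I)

def domain(addr):
    """Return the lowercased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_signs(raw):
    """Return the list of phishing signs found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    signs = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display name that looks like an address but points at a different domain
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and domain(shown.group()) != domain(addr):
        signs.append("sender address mismatch")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain(reply_to) != domain(addr):
        signs.append("reply-to domain differs from sender")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if URGENT.search(text):
        signs.append("urgent language")
    if LOGIN.search(text):
        signs.append("login request")
    # Any link whose host is not the sender's own domain
    if any(h.lower() != domain(addr) for h in re.findall(r"https?://([\w.-]+)", text)):
        signs.append("link to external domain")
    return signs
```

Each sign is only a heuristic; a message with several of them should be quarantined or reviewed rather than delivered.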