Triple Threat Ransomware


It is in the financial interests of ransomware developers to keep adding new features to their code as long as possible. These malicious pieces of software will likely continue to enrich a large number of cybercriminals, from developers to affiliates, at the expense of innocent victims for the foreseeable future. According to Unit 42’s research, the average ransom demand increased by more than 500 percent between 2020 and 2021, while the average ransom payout increased by 82 percent during the same period.

Ransomware has traditionally focused on data encryption, with the exfiltration and threatened exposure of sensitive data in a “double extortion” attack being one of the most popular recent additions to the ransomware repertoire. However, because the financial incentives are so great, threat actors must constantly come up with new ways to maximize the impact of a successful attack to remain competitive. One of the most recent methods is referred to as “triple extortion,” and it adds yet another avenue for extorting money from victims.


Ransomware attacks have evolved from the relatively simple attempts to turn victim downtime into profit that they once were into multi-layered campaigns that do not necessarily have to "end." Even the term "ransomware attack," which refers to a specific type of problem, is becoming a misnomer as time goes on. As ransomware technologies and methods continue to evolve, modern ransomware attack chains increasingly resemble a layered hierarchy of ransomware-based threats.

Traditionally, ransomware attacks consisted of a single “stage” in which a victim was confronted with a ransom demand in exchange for the decryption key that would allow them to regain access to their systems and data. Paralyzing a victim’s operations, on the other hand, has only been a first step on the extortion ladder since 2019, when ransomware strains such as DoppelPaymer developed the capability to lock down systems while also exfiltrating data at the same time.

A common point of leverage for criminals seeking additional ransom payments has been the threat of stolen data being published online, which has come to be known as “double extortion.” More than 70% of ransomware attacks now also exfiltrate data, demonstrating how quickly this type of attack methodology has become the standard practice in the industry.

Threat actors have recently added another layer to ransomware attacks, which is based on this methodology. Overall, this latest development in ransomware indicates that the attacker’s malicious activity is no longer limited to the initial target. In the context of triple extortion, ransom demands can now be made against a victim’s clients or suppliers as well. Added to this are pressure points such as DDoS attacks and direct leaks to the media, which are all thrown into the mix for good measure.

Despite the fact that triple extortion was first observed only a year ago, this type of multi-layered extortion capability has quickly become a valuable selling point for ransomware developers such as REvil.


The most obvious targets for ransomware attacks that go beyond simple or double extortion are businesses and organisations that store client and customer data alongside their own information. Organizations involved in the provision of healthcare are obvious targets in this regard.

A case in point: hackers gained access to the Finnish physiotherapy provider Vastaamo late last year, resulting in the first documented instance of triple extortion. Besides demanding a ransom from the provider, the threat actors also made ransom demands directly to the thousands of Vastaamo customers whose records they had obtained through data exfiltration.

The risk of triple extortion is higher for any business that either directly or indirectly controls valuable data or is connected to a company that does. A different variation on triple extortion was demonstrated earlier this year when affiliates of REvil launched an attack on Apple after their initial victim, hardware supplier Quanta, failed to make good on their payment obligations. In this particular incident, the cybercriminals used the threat of compromising a major customer as leverage against their initial victim. In terms of reputational damage, an attack like this can have devastating consequences for organisations in almost any industry.


While the fact that threat actors are constantly inventing new ways to extort victims is unsurprising, the fact that triple extortion has become commonplace does not mean that the threat posed by ransomware has reached a point of no return. Instead, it merely serves to warn organisations that, once they have breached your network, threat actors will stop at nothing to ensure that you pay their ransom.

What should an organisation do in this situation? When it comes to ransomware attacks, detection and response are at best ineffective, especially because many attacks wait until they reach the domain controller before launching their payload. By then, detection-centric tools will only have alerted organisations to attacks that are already under way.

The best course of action in this situation is to concentrate on prevention. Taking steps to ensure that security holes are patched as soon as possible, educating employees on security awareness, and ensuring that fundamental security measures such as the principle of least privilege and multi-factor authentication are already in place are all examples of proactive measures.

Furthermore, because the vast majority of breaches begin at the endpoint, securing these devices is an excellent place to start when securing your network. Morphisec Guard was created specifically to protect your organization's endpoints from the types of fileless ransomware delivery methods that bypass the detection of all antivirus solutions.

When used in conjunction with Windows native security controls, Guard and the rest of the Morphisec Breach Prevention Platform harden endpoints against attack without interfering with employees’ ability to perform their jobs. Instead of focusing on containing threat actors, it’s time to shift our attention to preventing attacks from becoming more sophisticated. Only in this way can organisations reduce the likelihood of a ransomware attack being successful.