What is Double Extortion Ransomware


Ransomware is one of the most dangerous forms of cyber attacks around. It can affect organisations of any size and in any industry. For example, the NHS was hit by a WannaCry ransom attack that left the British state health system at a standstill for several days. 

CyberSecurity Ventures believes the cost to the global economy of ransomware attacks will rise to $20 billion by the end of 2022. In fact, they predict that there is a ransomware attack on a business or organisation every 11 seconds. 

What is ransomware? How would one of these malicious attacks cost your business? Who is behind them? What should you do if you’re hit with a double extortion ransomware attack? 

In this article, we’ll answer some key common questions about ransomware and help you protect your organisation from its devastating impact.

What is Ransomware?

Ransomware is a type of cyber attack where malicious software (malware) encrypts an organisation’s files, databases and applications and “holds them ransom” by asking for a large payment sum to unlock their data. 

Attackers can first gain access to your network to install the malware. Many ransomware attacks are viruses or trojans that hide in files downloaded from the internet or through an email attachment. 

Less commonly, criminals may target your organisation specifically and may even try to gain access to your physical systems to install the malware onto your network. 

A ransomware program will then use asymmetric encryption to scramble your data using complex mathematical equations and generate a public-private pair of keys. These keys are the solutions to these equations and are the only way to unlock your data. 

It may also spread across to other systems or even other organisations if it detects security vulnerabilities in your network. That’s exactly what WannaCry achieved in the NHS. 

The criminals will then demand a sum of money in exchange for the private key. 

When was the first ransomware attack? 

The AIDS Trojan, also known as the PC Cyborg virus, was responsible for the first ransomware attack ever. Back in 1989, biologist Joseph Popp sent 20,000 floppy disks to the attendees of the United Nations AIDS conference. 


The program would hide the directories and encrypt the files on the host computer’s main drive. Popp demanded $189 be sent to PC Cyborg Corporation via a PO box in Panama to regain access. 

In reality, the AIDS Trojan was pretty straightforward to crack as the encryption methods used weren’t particularly complex. However, that is not the case today – as many encryption procedures are impossible to decrypt without the private key. 

How much does a ransomware attack cost? 

If a ransomware virus successfully infects your network, all your critical files and applications will be inaccessible. Even if you don’t pay the high ransom fees, the cost of recovering data and fixing system damage is particularly dear. 

According to Sophos, the average cost of a ransomware attack on a UK business stands at an eye-watering $1.96 million (£1.7 million). 

For small and medium businesses (SMBs) that aren’t prepared to defend against an attack of this scale, a ransomware attack could be too costly to come back from. In fact, almost 60% of SMBs go out of business within six months of a cyber attack.

Who carries out ransomware attacks? 

Unlike other forms of cyber attacks, many ransomware attacks are carried out by organised groups known as ransomware gangs. There is a fair bit of infrastructure needed to facilitate these attacks – from distributing malware to accepting payment and sending private keys. 

Cybercriminals join these organisations to attack bigger targets and raise more ransom funds than they would be able to individually. 

For example, Hive is one of the most notorious ransomware gangs in operation. They pooled their resources to hit high-profile targets such as Costa Rican Social Security Fund and even the Ohio Memorial Health System.

What type of business are most likely to be a victim of a ransomware attack? 

The unfortunate truth is that any business, of any size, can be targeted for a ransomware attack. However, criminals do tend to focus their efforts on key industries. 

Trellix found that the most common industry targetted is banking & finance (22%). This is followed by: 

  • Utilities
  • Education 
  • Health
  • Government

These businesses are particularly lucrative as they are critical infrastructure, and so a loss of productivity and data in these fields is particularly catastrophic. 

However, firms in any industry should be protecting themselves from ransomware attacks. 

What is double extortion ransomware? 

A double extortion ransomware attack is where a criminal steals and exfiltrates a victim’s data alongside encrypting it. This gives the attack some more leverage to demand a successful ransom sum. 

The idea here is to find sensitive data that would be costly to leak. For personal attacks, this could be information that might embarrass or harm the reputation of the victim.

For businesses, this data could be trade secrets, customer data, information about employees etc. Attackers can also sell this stolen information to third parties or publish them on dark web forums. 

If I’m attacked, should I pay a ransom? 

Security organisations such as the NCSC and the FBI warn strongly against paying a ransom. Why? There’s no guarantee that your attacker will unlock your files if you pay the ransom fee. 

The attacker may even ask for more money if they feel your organisation will pay up. These ransom sums may even fund other criminal activities such as targetting other firms or funding other aspects of organised crime. 

You should instead invest in protecting your critical infrastructure from cyber-attacks and be prepared. 

How do I prevent a ransomware attack? 

Here are some important steps to follow to avoid a ransomware attack and mitigate the impacts of a successful infection: 

  1. Regularly back up your organisation’s data: The easiest way to recover your data is to restore it from an off-site backup. We find it best to automate this backup process – and incremental backup regimes may be an efficient way of achieving this. Remember – your backup location shouldn’t be permanently connected to your network as it also may be encrypted during an attack. 
  2. Keep multiple backups of critical files and applications: Don’t rely on one backup medium and store your critical files in multiple locations. Why not try using multiple cloud storage servers, for instance? 
  3. Close any security vulnerabilities by installing filters and antivirus software: Use cyber security tools to plug the security vectors that attackers may use to infiltrate your system. For instance, an email spam filter can help prevent email viruses. A strong antivirus program that regularly scans downloads from the Internet can detect ransomware before it attacks. 
  4. Educate your employees on cyber security best practices: Attackers use social engineering to take advantage of insider negligence. Cybersecurity training can help your employees identify suspicious files and teach them what to do in the event of an attack. 

It’s important to have a detailed response and continuity strategy to avoid costly loss of data and productivity. What actions and first response needs to be done when an attack happens? How will your security team remove the virus from your network? What is the process for restoring files from off-site backups? Who’s responsible for actioning this strategy? 

What should I do if I’m a victim of a ransomware attack? 

It’s important to have a detailed response and continuity strategy to avoid costly loss of data and productivity. 

What actions and first response needs to be done when an attack happens? How will your security team remove the virus from your network? What is the process for restoring files from off-site backups? Who’s responsible for actioning this strategy? 

As soon as you detect a ransomware attack, you should: 

  • Immediately disconnect the infected systems and mobile devices to prevent it from spreading to other devices on your network. 
  • If you believe the ransomware has already infected your network, consider shutting down network connections. 
  • Reset any passwords, especially for system administrator accounts. 
  • Any systems that are already infected should be wiped. There is unlikely to be any way to restore the data. It’s best to reinstall the OS or even replace the drives themselves. 
  • You should verify the ransomware virus is removed from your network before restoring data from a backup. If you’ve lost any data that wasn’t backed up, you may need to send your drives to a data recovery service
  • Run an antivirus to check the security health of your network. Run antivirus scans on network traffic to see if any infections remain.

Protect yourself from ransomware attacks with an MSP 

Ransomware attacks, if unprepared, can be one of the most costly forms of cyber crime to businesses of any size. However, if you’ve taken the necessary precautions, responding to these attacks can be far easier and less costly. 

To achieve this, you’ll need to have a smart and adaptable cyber security strategy. Need some help configuring backups and finding storage solutions? Want to configure a watertight antivirus and email filter? Need assistance in responding to a cyber attack quickly? 

Get in touch with our experts today to find out how we can help!

Related Blogs