Security Experts:

Connect with us

Hi, what are you looking for?



Double Extortion: Ransomware’s New Normal Combining Encryption with Data Theft

‘Double extortion’ is the term given to an evolving ransomware tactic: first steal confidential data, then encrypt the victim’s files. If the victim doesn’t pay the ransom, expose the data.

‘Double extortion’ is the term given to an evolving ransomware tactic: first steal confidential data, then encrypt the victim’s files. If the victim doesn’t pay the ransom, expose the data.

The first published example of a double extortion attack, according to Check Point Research, came with the attack against Allied Universal in November 2019. When the firm declined to pay a massive ransom of 300 bitcoins (more than $2 million at today’s rates), the attackers hiked the ransom demand by 50%, and threatened to use stolen data together with stolen email and domain name certificates in a spam campaign impersonating Allied Universal.

To demonstrate their capability, the hackers published some of the stolen data, including contracts, medical records, and encryption certificates. In a later post on a Russian underground forum, they posted a link to “10% of data we have exfiltrated.” They added, “We give them 2 weeks until we send other 90% of data to wikileaks. Other 90% is a quite interesting part… Time is ticking.”

The ransomware used was Maze. Brian Krebs highlighted the Maze gang’s use of double extortion in December 2019, while Proofpoint appeared to give the same gang its own internal tracking name, TA2101, in November 2019. At the time, Proofpoint commented, “Between October 16 and November 12, 2019, Proofpoint researchers observed the actor sending malicious email messages to organizations in Germany, Italy, and the United States, targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing, and healthcare.”

Krebs reported that the Maze gang developed a website listing its victims who had declined to pay the ransom. Check Point demonstrates that this website is actively maintained. While it was originally listing eight victims who apparently “do not wish to cooperate with us”, there are now many more. One victim was BetUS, a major online gambling site registered in The Netherlands (WHOIS says the registrar is http://_domains_gesloten_cw; ‘gesloten’ is Dutch for ‘closed’). The website is owned and operated by Firepower Trading Ltd situated in Nicosia. There is no apparent admission of a security incident on the BetUS website — but TA2101 follows through with its threats.

According to reports in March 2020, the gang published proof of stolen data comprising almost 1 gigabyte that includes minutes of board meetings, bank forms and some passport scans of company executives. Interestingly, it doesn’t appear as if any personal customer data has yet been leaked — which could be because there was none stolen, or BetUS subsequently paid the ransom. Without clarification from BetUS (or the hackers) we will never know. SecurityWeek has asked for clarification from BetUS, and will append any reply to this article.

“Maze,” say the Check Point researchers, “has since published the details of dozens of companies, law firms, medical service providers and insurance companies who have not given in to their demands. It is estimated that many other companies avoided publication of their sensitive data by paying the ransom demanded.”

The biggest concern for enterprises is that the ‘double extortion’ approach seems to be spreading. One of the first hacking groups using the same tactic is the Sodinokibi/REvil group, which compromised Travelex  at the end of December 2019. Travelex had to shut down operations in early January, but was running before the end of the month — suggesting that it paid the ransom. In fact, The Wall Street Journal reported (paywalled) last week that Travelex paid a ransom of approximately $2.3 million in bitcoins. 

The REvil group also has a website, which it calls ‘Happy Blog’, where it publishes a list of its victims. “The National Eating Disorders Association was one of the last in the list of victim organizations,” says Check Point, “but has since been deleted from the REvil’s blog.”

Additional attackers that have joined the trend, says Check Point, “include Clop ransomware, Nemty, DopplelPaymer Mexican Oil Company Pemex Hit by Ransomware and more. Information published on these sites was soon found to be offered for sale by the ransomware group itself or by other criminals who collected the data from the dumpsites.”

On March 18, 2020, the Maze group released an official press release. Referring to the current COVID-19 pandemic, it announced, “We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus.” But this is not a complete amnesty— TA2101 is continuing to attack other organizations, while other hackers are still attacking healthcare institutions.

It may be that the evolution of double extortion is the natural evolution of ransomware — first from consumer attacks to targeted business attacks, and now with the added double jeopardy of data blackmail. This may be the new normal for ransomware.

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft 

Related: New Snake Ransomware Targets ICS Processes 

Related: Durham City, County Recovering After Ransomware Attack 

Related: Legal Services Firm Epiq Hit by Ransomware 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...