The use of triple extortion tactics is increasing, especially where there is a breach of vulnerable individuals.

Speaking at an event in London today, executives from Armis said that the common tactic of double extortion - where a ransomware is planted on a victim’s network and data stolen from the same victim - is used, but now it was seeing more use of a third option. This involves the threat actor going to the people listed on the breached data and extorting them too.

Nadir Izrael, CTO and co-founder of Armis, says this is commonly done where “there is Interesting clients or humans in that list, they will also go and extort money from them.” 

He cited patients as an example, as those people may not want to be exposed, so the attacker “would go in and ransom them as well.”

Empathy and Action

This comes a few weeks after the Information Commissioner said more needs to be done to protect breached data of vulnerable people, with the ICO calling for “empathy and action” when working with vulnerable people who have experienced a data breach.

According to Heimdal Security, the concept of the third element includes attackers “going after the victim’s clients, partners, affiliates, patients, associates, suppliers, etc. with ransom demands so their data will not be leaked, launching an additional Distributed Denial of Service attack (DDoS) over the target, or making phone calls to persuade them.”

A notable case was the attack on the Finnish psychotherapy centre Vastaamo in 2020, where attackers breached the clinic’s network and encrypted data, and then contacted patients with ransom demands - a threat was made to the patients that information about their therapy sessions would be made public if they fail to pay.

Seen Often?

Asked if this is something seen a lot, Michael Freeman, head of threat intelligence at Armis, said most cases that are known are where there is a requirement to report as they are a public company.

In terms of tracking the number of hits, Freeman said dark web sites and their Bitcoin wallets are monitored and when they get paid, it is seen. “It definitely happens a lot more now but since a lot of these companies are not public companies, they're not going to disclose that,” he said.

Andrew Grealy, head of Armis Labs, said some years ago, ransomware was big - but people didn’t pay, so the option moved to exfiltration as that impacted GDPR and the need to protect data, “and that stuff cost hundreds of millions of dollars, right?”

He said: “So they use that as an effort to say ‘well okay, you're not going to pay, but we're now going to make the data available’. So we saw the change from ransomware to exfiltration and when [the valuation of] Bitcoin is back up, so they're getting even more money.”

Grealy said the ransomware price would probably have been $30-40 million, but a risk analysis on a monetary penalty may show that it could be up to $150 million, so sometimes a victim will pay the ransom.

“We're going to see more and more of that in the marketplace, which makes economical sense,” Grealy said.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.