Double and triple extortion tactics cornering financial services organisations

By Ian Wood, Senior Director and Head of Technology, UK&I at Veritas Technologies


Ransomware continues to keep those in the financial services industry up at night, and not without good cause. There was an alarming 105% surge in ransomware attacks last year and, according to our research, companies in the financial services space are more likely to be struggling to keep pace with their security than those in most other sectors, with nearly half (48%) stating that their data security is lagging behind their digital transformation deployments. To add to their anxiety, malicious actors continue to ramp up the threat by adding multiple layers to their attacks, including double and triple layers of extortion.


A two-pipe problem

Double extortion, sometimes called pay-now-or-get-breached, is where criminals not only hold systems hostage by encrypting their data, but also steal a copy of sensitive information first and threaten to leak it online. This ensures that businesses still face jeopardy even if they are confident in their ability to restore their data from backups: a clean restore brings systems back, but it does nothing about the copy the attackers already hold.

The double extortion tactic was used widely by the Maze operators and, because of its success, has since proliferated across many other ransomware groups. According to research, double extortion ransomware attacks increased by almost 500% in 2021, with the number of attacks rising nearly 200% quarter over quarter.

Allied Universal is widely cited as the first major victim of double extortion, when Maze published some of its stolen data in late 2019. However, the Colonial Pipeline attack in May 2021 is by far the highest-profile case. Here, the DarkSide group stole around 100 GB of data before encrypting systems, and Colonial paid a ransom reported at the time as close to $5 million (the company later confirmed $4.4 million) to obtain a decryptor and avoid a massive leak.




Triple extortion, as you might imagine, involves the attackers finding a third pressure point for their victims. This might, for example, be by threatening to tell major customers or partners that the company has been breached, by threatening to share details of the leak with the press, by contacting the individuals whose data was stolen and extorting them directly, or by launching a DDoS attack to distract and overstretch the IT team.

The first widely published ransomware attack using triple extortion was in late 2020. Vastaamo, a psychotherapy provider from Finland, was put under increased pressure following a ransomware attack when the attackers went beyond the company itself and emailed individual patients, demanding payment to keep their therapy records private. Calls from alarmed patients flooded in to the company's support service and the police.

Ransomware can cause chaos on its own. Mix it with a DDoS attack and a mob of frustrated customers, however, and a business's ability to cope is reduced significantly. Ultimately, the attackers want to push companies that could otherwise have avoided paying into submission.


Five steps to fighting back

So, what can you do to protect your business? There are five key steps:

  1. Implement a comprehensive and robust data protection and recovery solution – encrypting data and locking it away from its owners is the first thing ransomware operators will try to do, so backups must be isolated or immutable and restores must be tested, not assumed.
  2. Encrypt your own data – exfiltration only pays off if the attackers can read the information they have stolen. Note that this only helps if the keys are held separately from the data: an attacker operating through a compromised account that can read the data transparently gets the plaintext, so key management and access control matter as much as the encryption itself.
  3. Follow a zero trust methodology for data access – businesses can limit what data is locked, blocked or stolen by ensuring that people and applications only have access to the data they need.
  4. Monitor data in real time – businesses need to react rapidly to threats and stop them in their tracks. This requires immediate alerts when anomalies are detected, such as a single account rewriting large numbers of files in a short window, or an unusual volume of data leaving the network.
  5. Understand your data – most ransomware attacks rely on the victim assuming that the attacker has hold of something valuable, yet only 15% of the data that businesses store is valuable to them. Knowing whether the data that has been breached is worth paying for should be a key factor when deciding what to do.
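The real-time monitoring in step 4 is where double and triple extortion become detectable rather than just survivable: the encryption phase shows up as a burst of file rewrites by one principal, and the exfiltration that precedes it shows up as an outbound volume spike. The following is an added example, not code from the article or from Veritas, that runs two such rules over a few constructed log lines (the hosts, users, paths, IP addresses, the `.enc9` extension and the thresholds are all assumptions chosen for illustration; a real deployment would source the events from file-server auditing and network flow records and tune the thresholds to its own baseline).

```python
"""Two simple extortion-phase detectors over constructed file-write and egress events.

Rule 1 (mass_encryption): one host/user pair writes many files in a short window and
most of them carry an extension outside the organisation's known set.
Rule 2 (exfiltration): a host's outbound bytes in a sliding window exceed a multiple
of its normal baseline.
"""
import re
from collections import defaultdict, deque

# Constructed sample log (not real telemetry). Format:
#   <epoch seconds> <host> <user> <WRITE|EGRESS> <path or dst:port> <bytes>
SAMPLE_LOG = """\
1700000000 fs01 alice WRITE /share/q3/report.xlsx 184320
1700000012 fs01 alice WRITE /share/q3/notes.docx 20480
1700000030 fs01 alice EGRESS 198.51.100.20:443 5242880
1700000100 fs01 svc_scan WRITE /share/q3/report.xlsx.enc9 184400
1700000101 fs01 svc_scan WRITE /share/q3/notes.docx.enc9 20560
1700000103 fs01 svc_scan WRITE /share/q3/ledger.csv.enc9 9000
1700000104 fs01 svc_scan WRITE /share/q3/README_RESTORE.txt 1200
1700000106 fs01 svc_scan WRITE /share/hr/payroll.xlsx.enc9 40000
1700000107 fs01 svc_scan WRITE /share/hr/contracts.pdf.enc9 90000
1700000200 fs01 svc_scan EGRESS 203.0.113.7:443 209715200
1700000260 fs01 svc_scan EGRESS 203.0.113.7:443 209715200
1700000320 fs01 svc_scan EGRESS 203.0.113.7:443 209715200
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (WRITE|EGRESS) (\S+) (\d+)$")

# Extensions the (assumed) organisation expects to see on its file shares.
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "csv", "txt"}


def parse(log_text):
    """Parse log lines into event dicts, silently dropping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, kind, target, size = m.groups()
        events.append({"ts": int(ts), "host": host, "user": user,
                       "kind": kind, "target": target, "size": int(size)})
    return events


def detect_mass_encryption(events, window=60, min_writes=5, min_unknown_ratio=0.8):
    """Alert once per (host, user) when >= min_writes writes land within `window`
    seconds and at least min_unknown_ratio of them use an unknown extension."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # (host, user) -> deque of (ts, is_unknown_ext)
    for e in events:
        if e["kind"] != "WRITE":
            continue
        key = (e["host"], e["user"])
        name = e["target"].rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        q = recent[key]
        q.append((e["ts"], ext not in KNOWN_EXTENSIONS))
        while q and e["ts"] - q[0][0] > window:   # expire old writes
            q.popleft()
        unknown = sum(1 for _, u in q if u)
        if len(q) >= min_writes and unknown / len(q) >= min_unknown_ratio and key not in fired:
            fired.add(key)
            alerts.append({"rule": "mass_encryption", "host": key[0], "user": key[1],
                           "ts": e["ts"], "writes": len(q), "unknown_ext": unknown})
    return alerts


def detect_exfiltration(events, window=600, baseline_bytes=100 * 1024 * 1024, factor=5):
    """Alert once per host when outbound bytes within `window` seconds exceed
    factor * baseline_bytes (baseline is an assumed per-host normal figure)."""
    alerts, fired = [], set()
    recent, totals = defaultdict(deque), defaultdict(int)
    for e in events:
        if e["kind"] != "EGRESS":
            continue
        host, q = e["host"], recent[e["host"]]
        q.append((e["ts"], e["size"]))
        totals[host] += e["size"]
        while q and e["ts"] - q[0][0] > window:   # slide the window forward
            _, old = q.popleft()
            totals[host] -= old
        if totals[host] > factor * baseline_bytes and host not in fired:
            fired.add(host)
            alerts.append({"rule": "exfiltration", "host": host,
                           "ts": e["ts"], "bytes": totals[host]})
    return alerts


def run(log_text):
    """Run both detectors over a log and return the combined alert list."""
    events = parse(log_text)
    return detect_mass_encryption(events) + detect_exfiltration(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

On the sample data the first rule fires for `svc_scan` on its fifth write (four of the five in the window carry the unknown `.enc9` extension; the ransom note `README_RESTORE.txt` is the one known extension), and the second fires on the third 200 MB transfer to the same external address, once the 600-second total passes the assumed 500 MB threshold. Alice's ordinary activity triggers neither. Both rules are deliberately stateless between runs and suppress repeat alerts per principal, which is what you want when feeding a SOAR playbook that isolates the host or disables the account.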


Augmentation and Autonomy

The challenge of triple extortion is that it requires vigilance on three fronts, and IT departments at financial services companies can end up feeling like the boy with his finger in the dike. As more threats arise, they have to pull their finger out of one leak to plug another and, soon, they are overwhelmed.

As attackers increasingly try to break the IT team by stretching it too thinly, FSIs need to recognise that the solution to their problems cannot rely on people alone, since people are not infinitely scalable. Rather, their skills need to be augmented with technology that can harness AI and machine learning to detect and respond to attacks autonomously.

Rather than relying on their existing team alone to implement the five-step plan, organisations can empower their protection solutions to autonomously assist them in the process.

Triple extortion is another example of hackers moving the goalposts and hoping that they can score before their victims have noticed the change. Companies in the financial services space can outsmart their would-be attackers not by simply moving their defenders into new formations, but by flooding the pitch with bots that will assist them.
