Multi-Factor Extortion: The New Normal in Ransomware Tactics

Feb 21, 2024 | Cybercrime, Terms & Jargon


Explore ransomware’s evolution from simple attacks to complex multi-factor extortion and learn key defense strategies.

In the digital age, the threat of ransomware looms larger than ever, presenting a complex challenge to individuals and organizations across the globe. In this episode, we present a comprehensive exploration of ransomware’s evolution, from its rudimentary beginnings to the sophisticated extortion schemes of today.

The increasing sophistication and rapidly growing array of tools and tactics that modern ransomware gangs employ require a robust and comprehensive response. From basic cyber hygiene to insurance to data privacy, it all has a role to play in keeping your data safe.

The Anatomy of a Cyber Attack

Cyberattacks, especially ransomware, have become increasingly sophisticated, posing significant threats to businesses and individuals alike. And yet, they rely largely on the same basic process for breaching your defenses as they have for over 30 years. By understanding the sequence of steps involved in a cyberattack, you are better equipped to develop effective defense strategies.

  1. Target Identification and Reconnaissance

The initial phase involves attackers identifying a potential target and conducting reconnaissance. This step is critical for understanding the target’s vulnerabilities, including unpatched systems or potential entry points for phishing attempts.

  2. Gaining Initial Access

Following reconnaissance, attackers seek to gain initial access to the target’s system. This can be achieved through various means, such as exploiting vulnerabilities in public-facing systems or deceiving employees into granting access via phishing.

One significant shift in how ransomware gangs operate is that many now tend to outsource the first two steps, relying on specialists who find and sell vulnerabilities on the dark web.

  3. Privilege Escalation and Lateral Movement

Once inside the system, attackers aim to escalate their privileges to gain broader access. This involves moving laterally within the network to locate and control critical data and systems. Privilege escalation is key to executing a ransomware attack effectively.

For many attackers, this is the phase where they seek to establish persistence in the system. We talk often about the importance of gaining persistence for cyber criminals, as it is what allows them to remain in a system even after the discovery of their presence, and to execute subsequent attacks.

  4. Data Discovery

At this stage, attackers identify valuable data and may begin the process of exfiltration. Of critical importance for ransomware gangs, this stage involves identifying the most crucial data accessible to the attackers and preparing to place that data into the attacker’s control. This step sets the stage for the next phases of extortion and ransom demands.

The Motive Determines the Method

These four steps are the common threads in almost all significant cyber intrusions, including ransomware cyberattacks. From there, the next actions taken by any intruder generally depend on the intruder’s motive. For ransomware gangs, the motive is financial gain at any cost.

Single-Extortion: Traditional Ransomware

Traditional ransomware operates on a straightforward yet devastating principle: it encrypts the files on a victim’s computer or network, effectively locking the rightful owners out of their data. The attackers then demand a ransom, promising to provide the decryption key once payment is made.

Operational Stages of Traditional Ransomware

The operation of traditional ransomware unfolds in a series of calculated steps, following the four steps described earlier:

Encryption: Upon access, the ransomware is deployed to encrypt files, using strong encryption algorithms that render the data inaccessible without the corresponding decryption key. In traditional, single-extortion ransomware, this stage could be targeted, encrypting only specific types of files or those identified during discovery as critical or particularly valuable, or attempting to encrypt every single file in an entire network.

Ransomware was almost always written to begin encrypting during nights and weekends, and usually targeted active computers first (to pre-empt any security responses), but encrypting that much data took a lot of time. While those processes have gotten faster over time, so have the security systems designed to detect active encryption malware.

Ransom Demand: The final step involves presenting the victim with a ransom demand, typically through a message on the computer screen, detailing the payment instructions to recover the encrypted data.

The simplicity and direct impact of traditional ransomware made it an attractive tactic for cybercriminals, leading to widespread incidents with significant financial and operational repercussions for victims. Beyond the immediate financial cost of the ransom, victims faced potential long-term damages such as reputational harm and the irrevocable loss of critical data.

Double-Extortion: Elevating the Stakes in Cyber Extortion

In the ever-evolving arena of cyber threats, double extortion emerged as a sophisticated escalation of traditional ransomware attacks. This advanced strategy not only encrypts the victim’s data but also involves the exfiltration of sensitive information, thereby compounding the pressure on victims to comply with ransom demands.

Double extortion operates through a two-pronged approach:

  1. Encryption of Data: Like traditional ransomware, the first step involves the encryption of the victim’s files, rendering them inaccessible. The attackers then demand a ransom for the decryption key.
  2. Exfiltration and Threat of Data Release: Unlike traditional ransomware, double extortion adds a critical second layer by exfiltrating data from the victim’s network before encryption. The attackers are then able to use the exfiltrated data as leverage to secure payment if the encryption threat fails, or even to secure additional ransom from victims, based on the threat to release the stolen data publicly.

Operational Stages of Double Extortion

Double extortion utilizes largely the same operational procedure as traditional ransomware, but includes several key elements that set it apart:

Targeted Reconnaissance: Identifying valuable data and vulnerabilities within the target’s network, with an eye on data that harms the victim not only by being rendered inaccessible but also by being published.

Stealthy Exfiltration: Quietly removing copies of sensitive data before initiating the encryption phase. For exfiltrated data to be usable as a tool of extortion, it needs to be unencrypted and taken without the victim’s knowledge. That way, to leverage it for ransom, it can be presented back to the victim as an example of the data that will be published without payment. If the data is encrypted, or if the victim is already aware of what specific data has been taken, its value in extortion is considerably lower.

Layered Ransom Demands: Double extortion relies on a two-tiered extortion scheme. The victim is presented with the threats in a layered approach, first for the decryption of data and subsequently for the non-disclosure of exfiltrated information.

The introduction of data exfiltration into the ransomware equation significantly amplifies the potential impact of an attack. Victims are not only faced with the immediate operational disruption caused by data encryption but also the long-term reputational and financial damages associated with the release of sensitive information. This can include confidential corporate data, customer information, intellectual property, and more.
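The ordering described above, quiet exfiltration first and encryption second, is something defenders can look for in their own telemetry. The following is an added example, not part of the original post: it correlates constructed per-host events and separates the three cases. The log format, field names, thresholds and the 10.0.0.0/8 internal range are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry; the field names and format are assumptions.
SAMPLE_LOG = """\
2024-02-10T01:05:00 host=fs01 event=net_out dst=203.0.113.9 bytes=4200000000
2024-02-10T01:40:00 host=fs01 event=net_out dst=203.0.113.9 bytes=3900000000
2024-02-10T02:00:00 host=fs01 event=net_out dst=10.0.4.20 bytes=9000000000
2024-02-11T03:10:00 host=fs01 event=file_rewrite count=18000
2024-02-10T02:15:00 host=hr02 event=net_out dst=203.0.113.9 bytes=6100000000
2024-02-11T03:20:00 host=web03 event=file_rewrite count=25000
2024-02-11T09:00:00 host=ws17 event=net_out dst=198.51.100.7 bytes=120000000
2024-02-11T09:05:00 host=ws17 event=file_rewrite count=40
"""

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal range
EXFIL_BYTES = 5_000_000_000              # assumed outbound volume threshold per host
REWRITE_COUNT = 10_000                   # assumed mass-rewrite threshold per event
WINDOW = timedelta(hours=72)             # assumed max gap between theft and encryption


def parse(log):
    for line in log.splitlines():
        ts, *pairs = line.split()
        event = dict(p.split("=", 1) for p in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        yield event


def classify(log):
    """Map host -> 'exfil_only' | 'encrypt_only' | 'exfil_then_encrypt'."""
    sent = defaultdict(int)  # host -> bytes sent to external destinations
    exfil_at, rewrite_at = {}, {}
    for ev in sorted(parse(log), key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["event"] == "net_out" and ip_address(ev["dst"]) not in INTERNAL_NET:
            sent[host] += int(ev["bytes"])
            if sent[host] >= EXFIL_BYTES:
                exfil_at.setdefault(host, ev["ts"])  # first time the threshold is crossed
        elif ev["event"] == "file_rewrite" and int(ev["count"]) >= REWRITE_COUNT:
            rewrite_at.setdefault(host, ev["ts"])
    verdicts = {}
    for host in exfil_at.keys() | rewrite_at.keys():
        e, r = exfil_at.get(host), rewrite_at.get(host)
        if e and r and timedelta(0) <= r - e <= WINDOW:
            # Restoring from backup fixes availability but not the stolen copy.
            verdicts[host] = "exfil_then_encrypt"
        elif r:
            verdicts[host] = "encrypt_only"
        else:
            verdicts[host] = "exfil_only"
    return verdicts
```

A host that lands in `exfil_only` is the one to escalate first, because the encryption stage may not have started yet.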

Triple and Quadruple Extortion: Getting Out of Hand Fast

As cybercriminals continue to refine their strategies, the evolution from double to triple and quadruple extortion represents a significant escalation in tactics. These advanced schemes compound the pressures on victims by introducing additional layers of extortion, each with its own set of demands and threats. Drawing insights from the “Fearless Paranoia” podcast, this post explores the intricacies of triple and quadruple extortion, highlighting the key differences between these sophisticated cyber threats.

Triple Extortion: Pressuring Third-Party Victims

Triple extortion builds upon the double extortion model by adding a third element to the attackers’ strategy. In addition to encrypting the victim’s data and threatening to release exfiltrated information, triple extortion involves:

Engaging Third Parties: Attackers identify the individuals or organizations whose data they have exfiltrated from the original victim, then encourage those individuals or organizations to put pressure on the original victim to pay the demanded ransom. These threats may be communicated directly to the individuals or organizations identified or may be made publicly. These types of threats can amplify reputational damage and regulatory repercussions, exerting additional pressure on the victim to comply with ransom demands.

One unique approach taken recently by a ransomware gang was to directly notify the SEC that the gang had breached and stolen data from a company under the SEC’s jurisdiction that had not informed the SEC of the breach, as it was legally required to do.

Exploitation of Stolen Data: Beyond mere public disclosure, this phase may involve direct threats to use or sell the stolen data in a manner that could further harm the victim, such as by enabling identity theft or competitive disadvantage. When the threat of exploitation of stolen data is leveraged exclusively to encourage payment by the victim, it is triple extortion. However, if a ransomware group elects to exploit stolen data independent of the payment of ransom by the original victim, it becomes…

Quadruple Extortion: A Four-Pronged Attack

Quadruple extortion adds a fourth dimension to the extortion process, further complicating the threat landscape. This approach may involve:

Direct Extortion of Affected Individuals: In cases where personal or valuable commercial data is exfiltrated, attackers may directly contact the owners of the data and demand a separate ransom from those affected individuals in exchange for not releasing or misusing their information.

Attacks on Operational Capacity: Some quadruple extortion schemes threaten or enact additional cyberattacks, such as DDoS (Distributed Denial of Service) attacks, to disrupt the victim’s operations further, creating an urgent imperative to resolve the situation. These attacks are usually conducted using either the original vulnerability that allowed the cyber intrusion in the first place or additional vulnerabilities identified by the intruders.

Differences Between Triple and Quadruple Extortion

The primary distinction between triple and quadruple extortion lies in the nature and scope of the additional pressures applied by the attackers. While triple extortion introduces the involvement of third parties to provide additional leverage against the original victim, quadruple extortion expands the extortion to individual targets and threatens or executes secondary cyberattacks, broadening the spectrum of threats faced by the victim.

Defending Against Multi-Factor Extortion

As ransomware tactics become increasingly sophisticated, understanding the nuances of triple and quadruple extortion schemes is crucial for organizations aiming to protect themselves against these evolving cyber threats. We explore three different prongs in the defense: basic cyber hygiene, cyber liability insurance, and data minimization.

  1. Cybersecurity Hygiene

One of the most important defenses against ransomware attacks just happens to be the best way to protect against pretty much all types of cyber incidents: foundational cybersecurity practices.

Regular Updates and Patch Management

Cyber attackers frequently exploit known vulnerabilities to gain unauthorized access to systems. By ensuring that all software components are up to date with the latest patches, organizations can limit these vulnerabilities and significantly reduce the risk of ransomware infections.

Comprehensive Backup Strategies

Regular, secure backups of critical data, ideally stored offsite or in the cloud, can provide a safety net in the event of a ransomware attack. This practice ensures that, even if data is encrypted by ransomware, organizations can restore their information from backups without paying a ransom to the attackers.

Be aware, however, that ransomware gangs have adapted their practices to seek out regular backups as part of their discovery, so make sure that some are kept offline or rely on segregated uploading.

Employee Education and Awareness Training

Educating staff members about the risks of phishing emails, malicious attachments, and other common tactics used by cybercriminals can empower them to identify and avoid potential threats. Regular training sessions, coupled with simulated phishing exercises, can enhance an organization’s human firewall against cyber threats, provided everyone pays attention.

Implementation of Access Controls and the Principle of Least Privilege

By ensuring that employees have access only to the data and resources necessary for their specific roles, organizations can limit the potential damage that can be done in the event of a ransomware attack. This approach minimizes the opportunities for attackers to move laterally within the network and access sensitive information.

These preventative measures, when consistently applied, provide significant protection against the disruptive and often devastating impact of ransomware attacks.

  2. Cyber Liability Insurance

Cyber liability insurance is a crucial component of a multifaceted approach to cybersecurity, providing a financial safety net that complements technical and procedural defenses.

The Benefits of Cyber Liability Insurance

We covered this topic in depth in a previous episode, but this is a quick refresher on the specific benefits that an effective cyber liability insurance policy can provide in the event of a ransomware attack:

Ransom Payments: In the event of a ransomware attack, cyber liability insurance can cover ransom payments, alleviating the immediate financial strain and providing a pathway to recover critical data.

Recovery and Restoration Costs: Insurance plays a pivotal role in covering the costs related to a ransomware attack. These costs include forensic investigations, IT repair and restoration services, and data recovery efforts.

Mitigating Reputational Damage: Cyber liability insurance helps limit reputational damage in two ways – 1) by helping accelerate the response and recovery, the company incurs less damage to its reputation, and 2) funding for PR resources will help manage the news of the cyberattack and ensure compliance with data breach notification laws.

Potential Drawbacks of Cyber Liability Insurance

There is one interesting caveat to the above, and it only comes into play when the ransomware gang finds out that you have cyber liability insurance. Whether they learn about it by stealing documents that reveal the nature and limits of the policy, or whether the information is otherwise publicly available, the existence of your policy might actually increase your chances of being targeted or increase the ransom demanded, all because the attackers know you’re insured.

It’s still not enough, in my opinion, to weigh against the benefits of having insurance, but it’s worth being aware of!

  3. Data Minimization

In an era where data breaches and cyber threats are rampant, data minimization is a crucial practice for enhancing organizational resilience. Reducing the volume of data collected and retained inherently limits the potential impact of a cyberattack – there’s no ransom someone can demand to return something you don’t have. More specifically, employing robust privacy practices including data minimization is an essential component of your defense against ransomware.

Reducing the Attack Surface

Data minimization directly reduces an organization’s attack surface. By limiting the amount of data stored and processed, organizations decrease the volume of valuable information that could potentially be encrypted or exfiltrated during a ransomware attack. This practice not only makes you a less attractive target to cybercriminals but also limits the potential damage and disruption that an attack could cause.

Minimizing Potential Ransom Leverage

By adopting a data minimization approach, organizations can significantly reduce the amount of sensitive or critical data at risk. Less data = less risk. More importantly, less data means less leverage and less incentive for businesses to pay any ransom. Therefore, there is less financial benefit for the attackers.

Enhancing Compliance and Trust

Data minimization is both a strategic defense against ransomware and necessary for compliance with privacy regulations like GDPR and CCPA. Data minimization can bolster an organization’s compliance posture while defending against ransomware threats. Moreover, this approach enhances consumer trust by demonstrating a commitment to privacy and data security.


As ransomware continues to evolve, adopting a multi-pronged defense approach is not just advisable; it is imperative. The evolution of ransomware underscores the need for continuous vigilance, proactive defense measures, and an overarching commitment to cybersecurity best practices. In the battle against ransomware, knowledge is power. Use it wisely.


We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.

©2024 Fearless Paranoia