Ransomware actors are turning to double-extortion attacks to increase their likelihood of success, with ITPro identifying that payouts now average $1 million.

In the past, many companies relied on backups to get back to business quickly if they were attacked. Reliable, secure backups separate from the primary environment made it much more difficult for an attacker to access and encrypt them. That long-standing process no longer deters double-extortionware actors — instead, today’s attackers not only encrypt the data but also exfiltrate it.  

Even if an organization has good backups available, the threat of leaking the data (known as “name and shame”) motivates many companies to pay the ransom to protect customer data and other sensitive information.  

Why does double-extortion ransomware pose a threat to global businesses?

As they investigate a double-extortion ransomware attack in today’s environment, in-house or third-party incident responders must quickly ascertain the volume and types of exfiltrated data that now reside in the hands of the attackers.  

As part of a C-Suite level activity, business executives increasingly need to consider both regulatory requirements and notification processes related to the exfiltrated data. The C-Suite must also consider how this data loss will reflect on their company’s reputation, as well as begin preparing for potential public relations challenges.  

Raising the stakes, many double-extortionware incidents come with response windows of 48 hours or less, and businesses may be forced to confront a series of critical decisions very quickly, including whether to:

  • Pay a ransom
  • Quickly facilitate payment, if needed
  • Organizationally respond in a manner beyond simply making payment – because even when the ransom is paid, there is no assurance that the data will be returned by the ransomware attackers

It’s time to begin helping organizations protect themselves from double-extortion ransomware

Threat actors are constantly searching for and ready to use zero- and one-day vulnerabilities to compromise organizations around the world. Today, as described above, investigating the attack is critical, because organizations need to think about both recovery from the attack and how to manage risks by preparing for attacks.  

This is where rapid business decision-making can help global organizations face down double-extortionware threats today. It offers two-fold value by starting from the assumption that every business will be affected by a cloud or SaaS breach, with some even facing double-extortionware scenarios of the type described here. Organizations can prepare for an attack during “peacetime” with Mitiga's Incident Response and Readiness (IR²) solution. Unlike the traditional Incident Response model, which is under-equipped to manage double-extortionware threats in tight 48-hour timelines, IR² helps customers prepare for an attack through proactive threat hunting, running drills and exercises, and having data recovery and incident response plans in place.

Beyond the IR² subscription model, the Mitiga Ransomware Readiness solution optimizes readiness and resilience for cloud ransomware attacks, accelerating response and recovery.

As more stringent regulations have come into effect, data breach notification requirements have become more critical. Understanding, through investigation, what an attacker was able to accomplish in their environment as quickly as possible helps the C-suite quickly determine how to respond and manage attack-related risks, such as notifying the appropriate regulatory authorities, customers, and, sometimes, the public.

Mitiga’s Incident Readiness and Response solutions help the C-Suite prepare for an attack, make double-extortionware decisions quickly, and gain investigation insights as soon as possible.

Last updated: January 23, 2025
