Ransomware Evolved: Double Extortion

April 16, 2020


Picture this scene:  you arrive at the office one morning to find that cybercriminals have accessed your entire corporate network and encrypted all your files and databases, bringing the operations of your organization to a grinding halt. What should you do?  Restoring your systems and data from back-ups and getting back to something like business-as-usual could take days or even weeks.  You could pay the attacker’s ransom demand in hopes that they deliver the promised decryption keys, but the cybercriminals may not keep their word.  According to the FBI’s Internet Core Competency Certification (IC3) 2019 Internet Crime Report, over 2,000 organizations in the U.S. alone faced this problem after being hit by ransomware last year, costing millions in losses and remediation.

As If that wasn’t bad enough, cyber-criminals are starting to include a new tactic in the familiar ransomware playbook: double extortion.  In what has become a trend in Q1 2020, threat actors are adding an additional stage to their attacks. Prior to encrypting the victim’s databases, the attackers extract large quantities of sensitive commercial information, and threaten to publish it unless ransom demands are paid – putting added pressure on enterprises to meet the hackers’ demands.

Maze Ransomware – the pioneers

One of the first published double extortion cases involved Allied Universal, a large American security staffing company, in November 2019. When the victims refused to pay a ransom of 300 Bitcoins (approximately US$2.3 million), the attackers, who used the Maze ransomware, threatened to use sensitive information extracted from Allied Universal’s systems as well as stolen email and domain name certificates for a spam campaign impersonating Allied Universal. To prove their point, the attackers published a sample of the stolen files including contracts, medical records, encryption certificates and more. In a later post on a Russian hacking forum, the attackers included a link to what they claimed to be 10% of the stolen information as well as a new ransom demand that was 50% higher.

Fig 1: Maze group’s side of the story on a hacking forum (image by BleepingComputer)

TA2101, the group behind the Maze ransomware, has since created a dedicated web page which lists the identities of their non-cooperative victims and regularly publishes samples of the stolen data.

Fig 2: Maze web page listing compromised companies and data dumps

Maze has since published the details of dozens of companies, law firms, medical service providers and insurance companies who have not given in to their demands. It is estimated that many other companies avoided publication of their sensitive data by paying the ransom demanded.

Following the trend

Other cybercriminal groups have followed this new tactic, opening their own sites to publish and leak stolen information as a means to apply additional pressure on their victims to pay ransom. Attackers utilizing Sodinokibi ransomware (aka REvil) published details of their attacks on dozens of targets, as well as proprietary company information stolen from the targeted organizations. The National Eating Disorders Association was one of the last in the list of victim organizations, but has since been deleted from the REvil’s blog.


Fig 3: Revil group’s “Happy Blog” listing compromised companies and data dumps

At first, screenshots of the information only serve as a means to convince the victims to pay the ransom. If the payment is not made in time, the attackers follow through on their threat and make the confidential files available on the web for public download.

This puts targeted organizations in a double-jeopardy trap:  if they don’t give in to the attacker’s demands, the attackers will publish stolen data and the organization will have to report the breach to the relevant national or international data privacy watchdog – which could in turn levy a large fine on the organization.  Either way, the organization is likely to have to pay to move forward.  For example, on New Year’s Eve of 2020, REvil launched an attack on Travelex, downloading 5GB of sensitive customer data from its network, including dates of birth, credit card information and national insurance numbers. They gave Travelex two days to pay US$6 million, following which the ransom amount would be doubled, and threatened to sell the entire database if they did not receive any payment within a week. Travelex had to go offline for three weeks to recover from the attack.

Additional attacks that have joined the trend include Clop ransomware, Nemty, DopplelPaymer and more. Information published on these sites was soon found to be offered for sale by the ransomware group itself or by other criminals who collected the data from the dumpsites.

Hitting moving targets

This malicious combination has also extended beyond corporate networks to mobile devices. Recently, a malware attempting to take advantage of concerns around the coronavirus pandemic deceptively marketed itself as a fake coronavirus tracking application for Android devices, while actually encrypting user content and threatening to publicly leak the user’s social media material.

Fig 4: Mobile malware ransom note (image by DomainTools)

The Maze threat group also started to exploit coronavirus fears. However, following criticism for hitting a UK based medical firm, the group announced they would refrain from future attacks on medical organizations and offered discounts for anyone previously attacked. However, this did not stop them from continuing attacks on other organizations like the Chubb insurance company.

Fig 5: Maze Team’s press release regarding the coronavirus

Ransomware vs. data breaches

Traditional ransomware attacks, as vicious as they are, give victims the option to recover everything from backups. Victims are presented with a serious dilemma: surrender to criminal demands and pay ransom in hopes of receiving decryption keys and regaining access to their data, or struggle to restore systems from backups.

Often, the costs of self-recovery exceed ransom demands. As an example, the City of Baltimore refused to pay $80,000 ransom and as a result suffered costs of $18,000,000 in remediation, new hardware and loss of revenue. This has led to some insurance companies recommending that the victims just pay the ransom.

Other damages to organizations include downtime, share price depreciation, the technical cost of system and data recovery, ransom payment and more. Often, victims try to avoid any publication of the attack to minimize any possible damage to their reputation.

Data breaches, on the other hand, expose their victims to loss of proprietary information as well as hinders their ability to protect clients’ and employees’ personal information. Stolen data can be used for future attacks on those whose details were included in the breach. Regulatory laws like the European Union GDPR and security breach notification laws in the US mandate that victims of such attacks must disclose the details of the attack both to specific authorities and corporations and individuals to whom the information belongs. This includes the list of potential damage and additional costs needed for the protection of employees and customers from fraud and identity theft, as well as exposure to potential lawsuits.

New reality

This new and evolved attack wave blurs the line between traditional ransomware attacks and run-of-the-mill data breaches, and potential victims are in a bad spot. Until proven otherwise, they have to assume they are subject to a data breach while legally, they cannot avoid public disclosure of the incident. Resorting to backups clearly does not terminate the attack. Worse of all, there is the knowledge that paying the ransom does not guarantee that the attacker will not sell the information to third parties.

The uncertainty might lead to an opposite effect from what attackers want, which is payment, since companies are finding the option of ransom payment less attractive than ever before. After all, even after making payment, they must disclose details of the attack to authorities, suffer from critical damage to their reputation and share price and suffer serious costs to clients and employees.

How to protect yourself 

Check Point SandBlast Agent Endpoint Security Solution includes a powerful anti-ransomware protection. This capability defends organizations against sophisticated ransomware attacks that can bypass conventional network and endpoint solutions. Learn more about preventing ransomware and cyber extortion.



  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks