
The inner workings of ransomware double extortion

A unique aspect of the recent Pain Points: Ransomware Data Disclosure Trends report clarified not just what ransomware actors choose to disclose, but who discloses what, and how the ransomware landscape has changed over the past two years, Paul Prudhomme at Rapid7 explains.

Paul Prudhomme
Tue, 09 Aug 2022

First, we should tell you that our research centred around the concept of double extortion. Unlike traditional ransomware attacks, where bad actors take over a victim's network and hold the data hostage for ransom, double extortion takes it a step further and extorts the victim for more money with the threat (and, in some cases, execution) of the release of sensitive data. In doing so, not only do victims experience a ransomware attack, but they also experience a data breach, and the additional risk of that data becoming publicly available if they do not pay.

According to our research, there have been a handful of major players in the double extortion field between April 2020, when our data begins, and February 2022. Double extortion itself was, in many ways, pioneered by the Maze ransomware group, so it should not surprise anyone that we will focus on them first.

The rise and fall of Maze and the splintering of ransomware double extortion


Maze's influence on the current state of ransomware should not be understated. Prior to the group's pioneering of double extortion, many ransomware actors intended to sell the data they encrypted to other criminal entities. Maze, however, popularised another revenue stream for these bad actors, leaning on the victims themselves for more money. Using coercive pressure, Maze did an end run around one of the most important safeguards organisations can take against ransomware: having safely secured and regularly updated backups of their important data.

Throughout most of 2020, Maze was the leader of the double extortion tactic among ransomware groups, accounting for 30 per cent of the 94 reported cases of double extortion between April and December 2020. This is even more remarkable given the fact that Maze itself was shut down in November 2020.

Other top ransomware groups also accounted for large percentages of data disclosures. For instance, in that same year, REvil/Sodinokibi accounted for 19 per cent, Conti for 14 per cent, and NetWalker for 12 per cent. To give some indication of just how big Maze's influence was and offer an explanation for what happened after they were shut down, Maze and REvil/Sodinokibi accounted for nearly half of all double extortion attacks that year.

However, once Maze was out of the way, double extortion still continued, just with far more players taking smaller pieces of the pie. Conti and REvil/Sodinokibi were still major players in 2021, but their combined market share barely ticked up, making up just 35 per cent of the market even without Maze dominating the space. Conti accounted for 19 per cent, and REvil/Sodinokibi dropped to 16 per cent.

But other smaller players saw increases in 2021. CL0P's market share rose to 9 per cent, making it the third most active group. Darkside and RansomEXX both went from 2 per cent in 2020 to 6 per cent in 2021. There were 16 other groups who came onto the scene, but none of them took more than 5 per cent market share. Essentially, with Maze out of the way, the ransomware market splintered with even the big groups from the year before being unable to step in and fill Maze's shoes.

What they steal depends on who they are

Even ransomware groups have their own preferred types of data to steal, release, and hold hostage. REvil/Sodinokibi focused heavily on releasing customer and patient data (present in 55 per cent of their disclosures), finance and accounting data (present in 55 per cent of their disclosures), employee personal identity information (PII) and HR data (present in 52 per cent of their disclosures), and sales and marketing data (present in 48 per cent of their disclosures).

CL0P, on the other hand, was far more focused on employee PII and HR data, with that type of information present in 70 per cent of their disclosures, more than double any other type of data. Conti overwhelmingly focused on finance and accounting data (present in 81 per cent of their disclosures), whereas customer and patient data was present in just 42 per cent and employee PII and HR data in just 27 per cent.

Ultimately, these organisations have their own unique interests in the type of data they choose to steal and release during the double extortion layer of their ransomware attacks. They can act as calling cards for the different groups that help illuminate the inner workings of the ransomware ecosystem.

Paul Prudhomme is head of Threat Intelligence Advisory at Rapid7.
