Instances of ransomware have exploded in the past five years. In 2020 alone, it is estimated that the total cost to Canadian organizations in paid ransoms and lost productivity was US$4 billion. In our recent post Ransomware: Avoidance and Response, we discussed steps organizations can take to be prepared for a ransomware attack. In addition, cybercriminals are continually evolving their methods looking to maximize their payout. In this companion piece, we look at some recent developments in ransomware that organizations will want to be aware of to help them manage risk associated with ransomware attacks.
Multiple Layers of Extortion
Cybercriminals are increasingly applying multiple layers of extortion to their attacks, meaning they can seek to extort a ransom payment more than once in relation to the same attack. Here are a few examples:
- Double-encryption—In “double-encryption” attacks, cybercriminals double-encrypt data. Once an organization pays a ransom and receives an encryption key, it finds that their data remains locked behind a second layer of encryption that allows the criminal to demand an additional ransom.
- Double-dipping—In “double-dipping” attacks, an organization is not only blocked from accessing their data, but all of some of its data is also stolen or “exfiltrated” by the cybercriminal. Like double-encryption, double-dipping allows cybercriminals to make two ransom payment demands: one to unencrypt the data and another in exchange for a promise not to use or sell the stolen data. Research indicates that nearly half of all ransomware cases in the third quarter of 2020 included the threat of releasing stolen data.
- Triple-extortion—There have also been reports of threat actors employing a triple-extortion strategy. With triple-extortion, the threat actor executes a double-dipping attack but additionally sends ransom demands to any third parties who could be harmed by the disclosure or use of the stolen data (e.g. customers or affiliates of the attacked organization). Triple extortion attacks have the potential to cause even greater business, reputational and financial harm to a company.
Targeting the C-Suite
Some cybercriminals individually target executives in ransomware attacks, hoping that by targeting high level employees they will gain access to commercially or personally sensitive information and can command high ransom payments. Continual advancements in artificial intelligence may make it easier for cybercriminals to identify individual targets and compile personal information that they can then exploit to carry out the attack.
Not Just “Data” Companies
It is often perceived that cyberattacks target only companies seen as being in the “business of data”. However, all companies have data in their systems and rely on computer networks to operate their businesses. Threat actors have begun to target these “non-data” businesses too. The recent attack on JBS, the biggest meat packing company in the world, is one of many examples of a cyberattack against a non-data company. Industries as varied as construction, utilities, retail, real estate, hospitality, and healthcare are also targets of ransomware attacks.
An Uncertain Future?
In June 2021, the United States Department of Justice seized a portion of the ransom payment made to the cybercriminals responsible for the Colonial Pipeline ransomware attack.  The United States has also signalled its intention to treat ransomware attacks as a top national security priority. It is possible that governments will begin to take steps that will limit or prohibit a company’s ability to pay ransoms following a cyberattack in order to deal with a security breach.
These recent trends reinforce the importance of investing in cybersecurity protections to help avoid attacks, and in data recovery plans that provide for the various iterations an attack could take to mitigate their severity if they do occur. The option of paying a ransom to help deal with a breach may become less feasible or available over time.
Cybersecurity Blog Series and Related Insights:
- Emerging Developments in Ransomware
- Getting Cyber Insurance Right: 5 Practical Tips
- Ransomware: avoidance and response
- Reducing Risk and Fostering Breach Resilience via Privacy by Design
- Preparedness and response planning best practices
- Landmark ruling: The Superior Court dismisses a class action over the loss of personal information in Lamoureux v. OCRCVM, 2021 QCCS 1093
- Protecting Legal Privilege in a Data Breach Response
- IIROC Publishes Notice Regarding Ransomware Attacks
By Katherine Booth, Kelsey Franks and RJ Reid
This article is part of our Cybersecurity Blog Series, which is intended to provide readers with a 360° view on cybersecurity. To view other blog posts in the series, please visit Cybersecurity Blog Series from McCarthy Tétrault’s Cyber/Data Group
 Check Point Software Technologies Ltd. “Cyber Security Report 2021” (2021), Check Point Research.
 CyberCube, “Understanding Ransomware Trends: Ransomware Attack Methods Alter as Threat Actors Grow in Sophistication” (2020), p 7.
 Fabiana Bastista, Michael Hirtzer and Mike Dorning, “All of JBS’s U.S. Beef Plants Were Forced Shut by Cyberattack” (31 May 2021), Bloomberg, online: https://www.bloomberg.com/news/articles/2021-05-31/meat-is-latest-cyber-victim-as-hackers-hit-top-supplier-jbs
- Should directors consider creditors’ interests when a corporation is near insolvency? - November 21, 2022
- Domestic violence: Obligations and responsibilities of employers in Quebec - October 26, 2022
- An evolving digital privacy landscape—Comparing the federal Bill C-27’s CPPA to Quebec’s Bill 64 - October 24, 2022