'COVID-Normal' = Increased cyber risks
Insurance 2022 - the year ahead
As the threat of ransomware attacks continues to evolve, the tactics adopted by hackers to optimise their attacks and increase their profitability are becoming more sophisticated.
Increasingly, cyber hackers are tactically choosing to engage in ‘triple extortion’ as leverage in ransomware negotiations. Triple extortion is effectively a combination of ‘single extortion’ (data encryption) and ‘double extortion’ (data encryption and threat to release sensitive or personal data that has been exfiltrated). But in addition, the hackers will compromise the systems of the targeted organisation’s customers, users or other third parties while also sending ransom demands based on information obtained from the “primary” attack.
These “supply chain” triple extortion attacks are particularly effective against organisations which are gateway victims to others - for example, though not exclusively, managed service providers or businesses that host services or servers for other customers. Recently reported cases where attackers used triple extortion in a ransomware attack include the attack which targeted RaceTrac Petroleum in April 2021, a company which operates a chain of gas stations in the United States, in which its customers received emails from the hackers threatening to release their data if RaceTrac Petroleum did not pay the ransom demanded. The same tactic was adopted in the Vastaamo clinic attack in October 2020, involving a Finnish psychotherapy clinic, when attackers sent ransom demands to individual patients with the threat of publishing transcripts from therapy sessions online.
The use of this third tactic seeks to increase leverage in ransomware attacks. It is intended to place greater pressure on an organisation to pay a ransom demand as it faces the prospect of its commercial clients/customers being exposed and, additionally, liability from those commercial clients/customers being impacted.
Organisations and insurers should continue not only to scrutinise their IT security infrastructure and the robustness of their defences, but also to be aware of the nature of the data they hold about third parties and customers (eg email addresses) who can be contacted by threat actors, or whose systems can be accessed or compromised given their connection to the organisation.