A man wearing a burglar costume and a mask, stealing sensitive data from a computer.

Triple Extortion Ransomware Attacks

Triple extortion ransomware is becoming more sophisticated and widespread. In 2023, there has been a notable surge in ransomware attacks involving data theft and extortion, surpassing the total count for all of 2022. This trend is likely to continue in the future.

Ransomware has traditionally been associated with threat actors in the world of cybersecurity, who use encryption to shut down a company’s data, systems, and IT infrastructure.

However, these ransomware groups have improved their techniques in recent years. They now use ransomware as a dual-threat tool for extortion, as they not only encrypt the data, but also steal it. This strategy allows them to lock down businesses by restricting data access, and then use the threat of releasing or selling the stolen data if ransom demands are not met.

This shift has been extremely profitable for ransomware groups, who have capitalised on businesses’ willingness to pay to avoid critical data exposures. As a result, even the most robust backup and recovery solutions do not always prevent victims from paying out.

Inside the blog of the LockBit Ransomware Group
Inside the blog of the LockBit Ransomware Group (Flare)

Many groups now use the triple extortion tactic, which includes threatening individuals, targeting businesses connected to the victim, and even launching Distributed Denial of Service (DDoS) attacks on websites. The data exfiltration and data encryption parts of the strategy are boosted by these strategies.

Triple Extortion Techniques Ransomware Evolution

Ransomware groups do not operate independently. They usually maintain a network of contacts that help with the execution of assaults and the spread of ransomware. These associates may specialise in various aspects of the attack, such as initial access, data removal, or negotiation.

Triple extortion ransomware adds one additional layer to ransomware attacks. This variation builds on the double extortion strategy by keeping most of its techniques but adding a second pressure point to force victims to pay.

Cybercriminals have a range of customised techniques they may use in addition to data encryption (the first layer), the threat of data exposure (the second layer), and the third layer of data exposure.

The Triple Extortion Affiliate Strategies of the LockBit Ransomware Group
The Triple Extortion Affiliate Strategies of the LockBit Ransomware Group (Flare)

Ransomware groups are becoming increasingly aggressive. Situations like Karakurt’s actions have been documented, involving not only data extraction but also the targeting of individual staff members and even third parties.

The first case of triple extortion ransomware occurred in October 2020, targeting Vastaamo, a Finnish psychotherapy facility. Following the intrusion of the clinic’s network and data encryption, the cyber criminals issued ransom demands to the clinic’s patients. Unless the ransom was paid, these patients faced the threat of having their treatment session information revealed.

Initial Access Brokers (IABs) use dark web forums like Exploit and XSS to hack corporate IT infrastructure and then auction off compromised systems. The records stolen are crucial for ransomware gangs. These logs contain important credentials and can be acquired through dark web sources, enabling the circumvention of traditional network access methods.

Flare has discovered over 50,000 of these logs containing corporate passwords, some of which had live session cookies that could bypass multi-factor verification.

The CL0P ransomware group significantly profited from MOVEit’s 0-day vulnerability, inflicting significant financial loss and impacting a large number of victims.

While ransomware groups do employ 0-day exploits, it is worth noting that simpler attack techniques exist. Notably, dark web markets, discussion boards, and Telegram channels enable the potential selling of reported 0-day vulnerabilities.


Triple extortion ransomware employs a three-layer attack strategy that can inflict significant damage on your company. Instead of directly infiltrating your enterprise network to install ransomware, cybercriminals often seek access points through staff computers.

Therefore, strengthening endpoint security is essential. Ransomware groups devise methods to exploit vulnerabilities in outdated operating systems and software in order to gain access to devices.

Make sure all software and machines are up to date to increase security. Additionally, upgrading your PCs might improve hardware and software compatibility.

The most common causes of ransomware infestations, which may result in a triple extortion campaign, include falling prey to phishing scams, installing software from malicious websites, clicking on dubious URLs, and accessing infected files and USB devices.

It is important to ensure that your staff completes training in best cybersecurity practices if you want to mitigate this risk. It is vital to equip employees with the knowledge necessary to distinguish fake websites from legitimate ones, harmful email attachments from safe ones, and malicious URLs.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.

Recent posts