Which Data Do Ransomware Attackers Target for Double Extortion? (2024)

The tactic has proved very effective given it undermines ransomware recovery strategies for organizations who planned to rely on data backups remediation options in the case of a ransomware attack. With double extortion, the options for organizations become more limited.

According to Help Net Security, only one ransomware gang was using the tactic back in 2019, but the successful leverage play was quickly adopted by other ransomware operators within just a year. By the end of Q1 2021, researchers observed the percentage of ransomware attacks that included threats to publish exfiltrated data if a ransom demand was not paid had increased to 77% of all documented ransomware attacks.

Protected Health Information (PHI) includes medical records, diagnosis details, and patient medical insurance data. Attackers target this data category because they know that healthcare organizations need anytime access to medical information to render patient care on a timely basis. Hence why they changed their tactics during the COVID-19 pandemic to include exfiltration of this kind of data.

Per the Wall Street Journal, ransomware actors began deploying their malware payloads more quickly inside the networks of healthcare providers than in those of other organizations at the height of the pandemic. Many of those attacks didn’t even involve the exfiltration of stolen data, malicious actors simply bet on victims agreeing to pay so that they could get their data back as quickly as possible.

Birthdates, physical addresses, and Social Security Numbers (SSNs) are some of the most common sensitive personal details. By targeting this type of data, ransomware actors can monetize the information and sell it on the dark web as part of a full identity profile. Buyers can then use that information to conduct different types of identity theft or fraud. For instance, they can use that information to file a fake tax return in a victim’s name. They can also use it to apply for a mortgage or open a bank account while impersonating the victim.

Alternatively, ransomware actors can leverage that information to conduct triple extortion schemes. Cl0p was one of the first ransomware gangs that engaged in this tactic, as noted by Bleeping Computer.

In an attack detected in March 2021, for instance, those responsible for Cl0p had sent out emails to the customers of their target informing them that they had stolen their personal information and that they intended to publish that data. The attackers then instructed the customers to write to the target organization and urge it to “protect [their] privacy” by paying the ransom demand.

Consisting primarily of usernames and passwords, account credentials are important to ransomware actors. Attackers need those details to infect as much of a target’s network as possible. Indeed, in a previous blog on detecting complex ransomware operations (RansomOps™), we noted that the fourth stage of a typical ransomware attack involves malicious actors stealing credentials and to gain access to more of a targeted network.

The nefarious individuals ultimately use that access to move laterally across the network so that they can encrypt even more devices and thereby demand an even larger ransom amount.

Intellectual property includes new product releases and/or details that are integral to a victim’s line of business. As with the theft of sensitive personal details, ransomware actors can monetize a victim’s intellectual property on the dark web or hand it over to a state sponsor.

A competing organization can then purchase the information on the black market and use it to undermine the victim’s business objectives. Alternatively, a competing state government can use it to advance their own interests at the expense of the victim’s host country.