SHARED INTEL: The non-stop advance and diversification of ransomware extortion tactics

By Zac Amos

Cybercriminals are becoming more creative as cybersecurity analysts adapt quickly to new ransomware strategies.

Related: How training can mitigate targeted attacks

Ransomware has evolved from classic attacks to more innovative approaches to navigate reinforced security infrastructure.

Here’s how hackers crafting new ransomware extortion tactics to keep analysts on their toes:

Data exfiltration is no more. Most ransomware attacks follow a familiar formula — the hacker gets into a network, grabs data and takes it out to hold onto until the company pays. This storyline is flipped on its head if ransomware hackers decide to destroy information when companies don’t pay the ransom.

This increases the stakes, primarily if entities did not engage in proper backup protocols before the attack. This is known as data destruction. It makes scenarios worse if hackers remain in the network, and instead of taking any information out, they stay and destroy everything from within.

This method means hackers don’t need to create additional infrastructure to combat new security methods. Once they’re in, they can delete everything in the attack’s wake.

However, companies can teach employees proper backup techniques, and IT departments can institute rules for an ideal recovery time objective (RTO). That way, recovery will not exceed the max time before irreversible damage is done.


Double extortion is twice the ransom. Hackers continue to find more ways to make up for the rising costs of cybercriminal activity by making ransoms cost double. They do this by encrypting the stolen data and forcing victims to pay for a decryption key on top of the ransom fee.

There are ways to decrypt the data without paying this portion of the ransom, utilizing programs that perform actions like changing file extensions to manipulate them to a usable format.

There is even triple extortion. A therapy center in southwestern Finland was the first hit by this intense variation of the ransomware attack. The hacker added another layer of extortion by making the center pay, as well as the individual victims whose files the hacker had in possession.

Governments expect ransomware attacks to cost more than $265 billion by 2031, meaning every dollar invested now to prepare will not be wasted paying ransoms.

Physical intimidation for enhanced digital attacks. Imagine if a ransomware attack happened in a business and a physical ransom note appeared out of the printer among a stack of analytics reports.

What could have been isolated to management and the IT department to crowd control is now known among every employee, causing hysteria and potentially leaking the news to local reporters.

This is the aim of physical intimidation attacks with ransomware. It also causes victims to remain distracted, buying the hacker time to solidify their position in the attack. The more time they buy with physical distractions, the less time the victims have to consider how they will or won’t pay the ransom.

During this frenzy, hackers could initiate a ransom denial-of-service (DDoS) attack, adding more stressors to the already intense situation.

Every moment focused on reaching out to authorities or attempting to find freelance analysts when a company should have had a business continuity plan in place gives cybercriminals more opportunities to take advantage of more information.

Diversifying ransomware attacks. Analysts must take the time to educate themselves about new and upcoming risks. When a unique tactic appears, they cannot waste time lingering in surprise when they need to take action to stop the threat.

Investing in solid cybersecurity, crafting a business continuity plan and staying informed about current trends will save companies millions, if not billions, of dollars. Businesses and individuals can work collaboratively, sharing their experiences to broaden the scope of ransomware extortion tactics for everyone to prepare equally.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone