Classic ransomware attacks usually render the victim’s IT network inoperable, halting business operations and typically causing financial loss and reputational damage. Even if the attack is caught before it spreads to a significant number of endpoints, the first remediation step is still typically to shut down the IT systems, both to stop the ransomware from spreading further across the network and to carry out the steps needed to recover from the attack. A good cybersecurity practice is to keep an offline backup of the organization’s files, which enables easier and faster recovery without having to pay the ransom. Nonetheless, mitigating and recovering from a ransomware attack can be a difficult and challenging task that requires time, resources and possibly the expertise of data recovery and incident response specialists. Since the overall recommendation, as stated above, is not to pay the ransom, ransomware operators have been refining their TTPs to increase the chances that victims pay. This has led to the adoption of the “double extortion” tactic: encrypting the victim’s files while also stealing and exfiltrating their sensitive data.

How the threat evolves

After gaining an initial foothold in the network and spreading the ransomware across it, and before encrypting the files on the victim’s network, the attackers first exfiltrate the victim’s data. The ransom note dropped on the victim’s machines then informs the victim that, in addition to encrypting their files, the attackers have also exfiltrated their data. The attackers threaten to publicly release the data on dedicated Onion (Tor) websites set up specifically for this purpose if the ransom is not paid by the given deadline.
This tactic was adopted to convince victims to pay the ransom in order to avoid having their sensitive data exposed to the public, which could cause the organization even greater reputational damage than a classic ransomware attack. A leak of corporate data can expose the affected company’s information as well as that of its clients and business partners. This could expose the organization to legal proceedings, or to fines and sanctions from regulators for failing to protect the data, on top of the financial losses such an incident might cause. The published information could also be further leveraged by other cybercriminals or even by unethical business competitors. The exfiltration and leak of data changes how ransomware victims respond to the attack, since keeping a backup of the files is simply no longer enough. While backups will probably allow the affected organization to recover its files and return to operations, its sensitive data would still be out in the open, and that may affect its decision on whether to pay the ransom.

7 | The Ransomware Landscape