Classic ransomware attacks would usually result in inoperability of the victim’s IT network, halting and harming its business continuity, and typically also leading to financial loss and reputational damage. Even if the attack is caught in time before it managed to spread to a significant number of endpoints, the first step in remediating it would still typically be to shut down the IT systems to prevent further spread of the ransomware across the network and for performing the necessary steps to recover from the attack. A good cybersecurity practice is to keep an offline backup of the organization’s files, to enable an easier and faster recovery without having to pay the ransom. Nonetheless, mitigating and recovering from a ransomware attack can be a difficult and challenging task that requires time, resources and maybe even the expertise of data recovery and incident response specialists. Since the overall recommendation, as stated above, is not to pay the ransom, ransomware operators have been perfecting their TTPs to increase the chances of victims paying the ransom. This has led to the adoption of the “double extortion” tactic, encrypting the victims’ files while also stealing and exfiltrating their sensitive data.

How the threat evolves

After gaining an initial foothold in the network and spreading the ransomware across it, and before encrypting the files on the victim’s networks, the attackers first exfiltrate the victim’s data. When the ransom note is dropped on the victim’s machines, it will inform the victim that in addition to encrypting their files, the attackers have also exfiltrated their data. The attackers will threaten to publicly release the data in their dedicated Onion websites, which are specifically set up for this purpose, if the ransom is not paid by the given deadline.
This tactic was adopted to convince victims to pay the ransom and avoid having their sensitive data exposed to the public, which could potentially cause the organization even greater reputational damage compared to a classic ransomware attack. The leak of corporate data could expose the affected company’s information, as well as their clients’ and business partners’ information. This could expose the organization to legal procedures or fines and sanctions by regulators for failing to protect their data, in addition to the potential financial losses such an incident might cause. The publication of their information could also be further leveraged by other cybercriminals or even unethical business competitors. The exfiltration and leak of data can affect the way ransomware victims respond to the attack, as keeping a backup of the files is simply not enough anymore. While it will probably allow the affected organization to recover their files and return to operations, their sensitive data would still be out in the open, and that might affect their decision whether to pay the ransom.

7 | The Ransomware Landscape