Sector 7G's Learning Center

Ransomware's Extortion Levels

Aug 9, 2021 | Greg Butler

Topics: Cybersecurity

Audience & Level: Non-technical & Basic

Intro
Cybercriminals use ransomware to encrypt a target’s data so that only the attackers can decrypt it, thereby holding the data hostage and demanding payment for its release. It’s a form of extortion, and here we review ransomware’s extortion levels as of this writing.

Ransomware’s Three (Current) Levels
“Single Extortion”
The intro section described the first level of extortion, whereby the extortionist encrypts the data, rendering it inaccessible to and unusable by its owner or trustee. Historically this is how ransomware began, and it continues today: data deprivation, whether the data is valuable information (e.g., legal case files, medical records, financial information, trade secrets, etc.), files necessary to operate a particular system or service, or any conceivable type or combination.

“Double Extortion”
Cyber extortionists also threaten to publish the data, which they copied in unencrypted form before encrypting it; this is known as “double extortion”. Criminal syndicates are sophisticated and understand that entities may have backed-up copies of their data that the attackers cannot reach, effectively nullifying single extortion. Double extortion is therefore an “insurance policy” for the perpetrators: even if the affected entity can recover from last night’s backup, the extortionists still possess copies of the original data, ranging from a handful of files to terabytes or more, and nearly always of value. This puts pressure on the entity to pay, and to pay quickly.

“Triple Extortion”
Most recently, a third level of extortion has been reported whereby, in addition to single and double extortion, the criminals also threaten denial of service (“DoS”). For the layperson, “DoS-ing” a system means “taking it down”, certainly an incentive to comply expeditiously with payment instructions.

Next Levels?
This section is speculative and therefore offered only for consideration. Regardless, attempting to anticipate what comes next is wise, especially since the levels of extortion described above were very likely the product of deliberate planning on the criminals’ part.

Increased Efficiency
A notable trait of ransomware is its rapid and continual rise in sophistication and organization. It may therefore follow that ransomware will rely more on double and, disturbingly, triple extortion, where a single keystroke may effectively destroy operations. Granted, incident response may react immediately, but ransomware increasingly imposes tighter payment deadlines, likely a tactic that hinders even a mature incident response team from adequately assessing and analyzing the incident, let alone recovering and preparing, so that compliance may appear to be the only rational recourse.¹

Expanded Availability
Ransomware is within reach of virtually anyone and is no longer reserved for those with the resources to plan, build, and execute an attack themselves. It’s available “as a service” (known as “RaaS”, or “Ransom(ware) as a Service”), a more efficient model for extortionists. RaaS is also evidence of organized racketeering; it provides evasion and cover, and it gives the originators more time to focus on tactics, techniques, and procedures (“TTPs” in cyber-speak).

Thus, as cyber extortion becomes more accessible, essentially a commodity, the frequency of incidents will increase and the types and sizes of affected entities will vary commensurately. A large payout from ransoming Colonial Pipeline in May 2021 made headlines, but how many smaller incidents will occur? How many already have occurred?

“Multi-purposing”
Since any of the three extortion levels invariably disrupts operations, and especially now that ransomware is available for hire, it could be leveraged as a ruse: ostensibly demanding payment as its objective, thus posing as a ransom attack, while in actuality the aim is only to appropriate valuable information, to hinder or collapse operations, or both and more. Succinctly, and to use a time-tested adage, “crime follows value”: data’s inherent value to affected entities and ransomware’s proven value to perpetrators.

Final Thoughts
There is, and will remain, no universal means to prevent all forms of malware, including ransomware; there are only degrees of mitigation that ultimately vary with the specifics of each entity, and all defenses have shelf lives. Additionally, “method A” may be quite different from “method B” (ad infinitum), and as ransomware’s frequency increases it invites panacean measures that may actually worsen the status quo.

We instead continually reinforce the basics, introduced in Consumer Steps to Mitigate Ransomware and followed up with this piece, and we will soon review basic “kill chain” concepts. Only understanding and practicing the fundamentals, much as in competitive sport, provides the requisite foundation for playbook specifics.