Attackers are not only demanding ransom from organizations, but also threatening their customers, users and other third parties.

Cybercriminals who specialize in ransomware have already been using double extortion tactics in which they not only decrypt stolen data but also threaten to leak it publicly unless the ransom is paid. Now, some attackers have progressed to a triple extortion tactic with the intent of squeezing out even more money from their malicious activities. In a report published Wednesday, cyber threat intelligence provider Check Point Research describes how this latest tactic is playing out.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)

Ransomware ramps up

The number of organizations affected by ransomware so far this year has more than doubled, compared with the same period in 2020, according to the report. Since April, Check Point researchers have observed an average of 1,000 organizations impacted by ransomware every week. For all of 2020, ransomware cost businesses worldwide around $20 billion, more than 75% higher than the amount in 2019.

The healthcare sector has been seeing the highest volume of ransomware with around 109 attacks per organization each week. Amid news of a ransomware attack against gas pipeline company Colonial Pipeline, the utilities sector has experienced 59 attacks per organization per week. Organizations in the insurance and legal sector have been affected by 34 such attacks each week.

Around the world, organizations in the Asia Pacific region have been victims of the highest number of ransomware attacks with 51 per week. On average, North American organizations have seen 29 attacks per week, while those in Europe and Latin America have each witnessed 14 attacks each week.

Triple extortion

The double extortion tactic has proven extremely popular and profitable among ransomware gangs. Last year, more than 1,000 companies found that their data had been leaked publicly after they refused to cave into the ransom demands. Over that time, the average ransom payment jumped by 171% to around $310,000.

But, a tactic that started toward the end of 2020 and has continued into 2021, is triple extortion, Check Point said. In this scenario, the criminals send ransom demands not only to the attacked organization but to any customers, users or other third parties that would be hurt by the leaked data.

In one incident from last October, 40,000-patient Finnish psychotherapy clinic Vastaamo was hit by a breach that led to the theft of patient data and a ransomware attack. As expected, the attackers demanded a healthy sum of ransom from the clinic. They also emailed the patients directly, demanding smaller sums of money or else they would leak their therapist session notes. Due to the breach and the financial damage, Vastaamo was forced to declare bankruptcy and ultimately shut down its business.

In another example from this past February, the REvil ransomware group announced that it was adding more tactics to its double extortion ploy, namely DDoS attacks and phone calls to the victim’s business partners and the media. Freely offered to affiliates as part of the group’s ransomware-as-a-service business, the DDoS attacks and voice-scrambled VoIP calls are designed to apply greater pressure on the company to cough up the ransom.

“Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly,” Check Point said in its report. “Whether further ransom is demanded from them or not, they are powerless in the face of such a threat and have a lot to lose should the incident take a wrong turn. Such victims are a natural target for extortion and might be on the ransomware groups’ radar from now on.”