fbpx Skip to content

Triple Extortion Schemes Give Cyber Criminals More Power and Leverage

5 minute read

The riskiest thing many businesses do is maintain the status quo. The cybercrime community appears to take that to heart as they continue to renew and upgrade previously retired malware and launch new and more damaging versions of their malicious software. The greater the creativity, the more money they can generate from unsuspecting individuals and businesses. Unfortunately, cybercriminals are very innovative and imaginative, so MSPs and other security professionals need to work even harder to keep ahead of the latest schemes and attack methodologies.

That job gets tougher as ransomware purveyors find new ways to up their game and outfox unsuspecting and inattentive prey. The latest schemes – including triple extortion attacks − illustrate the lengths cybercriminals will go to terrorize end-users and maximize their ROI on malware development or purchases. Not satisfied with the penetration rate of traditional ransomware, they are doubling down on their successes, further victimizing end-users and businesses reeling after the initial event.

One key reason malware developers are going to that effort is they have a substantial financial stake in expanding the size and depth of the attack vectors. Much like MSPs’ desire to add incremental recurring revenue to fuel cash flow and grow their market and wallet shares, cybercriminals often rely on subscription sales of their code to ensure steady income increases. Adding new features to their “offerings” and schemes keeps demand high and malware developers profitable.

And those margins are surely high already. According to the 2022 Palo Alto Unit 42 Ransomware Threat Report, the average ransom request was approximately $300,000 in 2020, which nearly doubled to $541,000 in 2021. While the actual payments can cost less than the initial demands, malware victims are handing over a lot more cryptocurrency today. Those numbers will continue escalating with the introduction of new and more powerful attack schemes.

Cybercriminals Triple Down on the Threats

In 2019, with companies and the tech industry thwarting many ransomware strikes, negatively impacting their revenue growth, the cybercriminal community developed a solution to generate more income from each successful attack. Double extortion schemes copy all the data in the infected systems before encrypting the network and then threaten to publish or sell the information if the company (or individual) refuses to pay. That “cache” may include credit card numbers, protected health information, or proprietary information that the cybercriminals attempt to sell on the black market.

Malware developers were not content with the financial outcomes of employing those malicious methodologies and added a new twist with triple extortion. In these attacks, cybercriminals attempt to ransom the target company and its customers and other organizations in its ecosystems (and databases). MSPs are certainly not the only people looking to grow wallet share today.

Imagine the impact of a triple extortion attack on a medical practice or hospital? The amount of personal information in one of those systems could put a ransomware purveyor’s kids through law school. Those types of situations could put an attorney or accountant out of business, considering how much damage a data compromise could inflict on their clients and reputation. Even though ransom demands are typically smaller for the secondary victims (the patient or customers), the embarrassment and potential financial ramifications of having sensitive information leaked to the general public would be difficult for any company to overcome.

One of the first publicized examples of a triple extortion ruse was the 2020 Vastaamo breach. The company manages twenty-five psychotherapy centers across Finland and works directly with the country’s public health services. In addition to demanding a significant bitcoin payment from the provider, cybercriminals also sent similar requests to thousands of the organization’s patients, threatening to share their session files and recordings if the ransom wasn’t received.

Data Protection Goes Beyond Technology Solutions

The Vastaamo triple extortion case highlights the value of data an MSPs’ clients may possess. With access to sensitive information, cybercriminals gain great power and leverage and can make a lot of demands. An MSP’s job is to protect all data, including personal and confidential files, and prevent malware purveyors from scoring the big wins. Triple extortion is most effective when cybercriminals know they have companies over a barrel and have the leverage to dictate lucrative terms for the return of that information.

With the rise of the REvil community and its ransomware-as-a-service business model, things may worsen before they get better. According to Check Point, that group is leveraging DDoS attacks in their schemes and offering to make phone calls to victims’ business partners and the media. Even if their MSP can restore their networks and systems using data backups, they can’t prevent cybercriminals who make their own copies from publicly publishing or selling that information.

The truth is that no IT services company can assure its clients of 100% protection from these types of threats. For those unforeseeable situations, businesses need the appropriate level of cyber insurance coverage. These policies aim to help affected companies regain their financial footing and pay for the restoration services needed to rebuild their operations, integrity, and momentum.

While MSPs address the technical aspects of rebuilding systems and networks, a client’s cyber insurer should have their back, helping provide the resources needed to get businesses back on their feet. From proactive insurance assessments and MSP-supportive recommendations to post-incident handholding, a reputable broker can help IT providers and their clients. Those are the types of services DataStream Insurance provides. We can determine if your clients are insurable and help get them protection from the latest attacks, like triple extortion…and whatever threats may come next.


Small-to-medium businesses that do not offer IT consulting services to assist in managing the technology and security of other businesses.


IT Consultant businesses (MSP, MSSP, etc.) that manage the technology and security of other businesses.