Ransomware groups have taken things a step further. Once a victim pays a ransom and goes back to their PC, the attackers can easily hit them again. They are also stealing the data instead of just encrypting it, so they can threaten the victim with a leak if they don’t pay again. Now it is even worse: ransomware hackers are double-encrypting their victims’ data.
Double-encryption attacks are not exactly new, but those situations usually came about when two separate ransomware groups attacked the same victim. Now Emsisoft, an anti-virus company, says that it is aware of several dozen incidents in which the same hacker group intentionally layered two types of ransomware on the target.
The groups are constantly trying to work out which strategies are best, which net them the most money for the least amount of effort. So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not actually decrypted at all.
Brett Callow – Emsisoft Threat Analyst
When this happens, some victims get two ransom notes at the same time, so the hackers definitely want the ‘user’ to know about the double-encryption attack. There are other cases, however, where victims only see one ransom note and have to find out about the second layer of encryption the hard way.
Even in a standard single-encryption ransomware case, recovery is often an absolute nightmare. But we are seeing this double-encryption tactic often enough that we feel it’s something organizations should be aware of when considering their response.
Callow