Why We Expect More Multi-Level Extortion (And What to Do About It)

You’ve likely seen articles on double, triple or even quadruple extortion. My colleagues and I predicted that we would see more “multi-level” extortion in 2022. Read on as I explain our reasons, why it matters to small to mid-sized enterprises and what IT and security stakeholders can do about it.

As a refresher, multi-level extortion (MLE) is a tactic used by threat actors to force victims to succumb to demands. It usually happens after the initial extortion attempt involved in a ransomware attack. It typically involves an escalating level of intimidation tactics (e.g., threatening to DDoS the victim organization if they don’t pay) and/or a different target level like the organization’s leadership team, IT/security team or other employees that could sway the organization to pay. It may extend beyond the organization to its partners or customers.

Why Do We Expect an Increase in MLE?

There are two main reasons:

  1. Skilled ransomware actors: Attackers have become highly skilled at landing ransomware. They are familiar with victims’ environments, know how to circumvent defenses (through tactics like living off the land) and have increased their dwell time long enough that they can spread throughout a network before releasing a ransomware payload. The “area for improvement” for them is getting victim organizations to actually pay – contrary to directives to victims from security companies or law enforcement like the FBI. The technical elements of a ransomware attack are near-optimal; the focus on MLE is just about getting “more juice from the same squeeze.”
  2. Changing legislation, enforcement and individual reporting: With new proposed legislation around the disclosure of ransomware payments within 48 hours, companies that might once have considered paying may no longer be as likely to. The same proposal suggests the SEC would issue noncompliance penalties and facilitate a way for individuals to report ransom payments directly. Noncompliance penalties for cybersecurity carry significantly more weight since 2019 when enforcement of the False Claims Act in a cybersecurity context brought about some heavy fines. With victims’ situations changing in ways that could make them less likely to pay, we believe ransomware actors will increase MLE to rebalance the scales.

Why Does It Matter?

Let’s assume for the moment that most organizations have exceptional detection and response capabilities, an effective DLP solution, a rigorous and well-practiced incident response (IR) plan and a resilient disaster recovery (DR) strategy in place, in case those efforts fail (... a tall order, I know). It seems unlikely such an organization would pay the ransom, right? Now, let’s assume that individual employees, corporate partners or customers are being threatened if the organization doesn’t pay. Or the attackers assert (truthfully or otherwise) that they already have sensitive data and will release it publicly unless the victim organization pays up… is payment starting to sound more likely? Or, more importantly – how many of such well-defended companies have planned for MLE specifically?

You can see that the problem starts to extend beyond the cybersecurity realm, that it might not be a scenario that has been practiced and that hackers would be foolish not to take measures to encourage payment, having invested so much time in “the hard part.” This is why organizations should prepare for MLE attempts.

How to Prepare for Multi-Level Extortion

  • Provide guidance to potential targets: Potential victims need directives for dealing with extortion attempts, such as not engaging or negotiating with hackers, recording information about the attempt and knowing how and when to sound the alarm. Ensure the guidance is centrally available and cover it in your security awareness training, too.
  • Make an extortion-specific plan, and document it: Plan how your organization will deal with MLE, whether it’s just a page in your IR plan or a full-on extortion playbook. Address varying scenarios, like what to do if the employee’s personal device is targeted (but has corporate information on it) or if a partner is advocating you pay.
  • Practice, practice, practice! The most well-founded, well-intentioned plans are useless if you fail to execute them when the time comes. Table-top exercises, fire drills and practicing in a way that closely resembles the real threat are all critical to ensuring a coherent, consistent response.

While I hope you found this article interesting, what I truly hope is that you take action!

If you’re looking to add an extortion playbook to your IR plan, we have resources that can help you. Or, for more on what’s to come, check out 2022 Cybersecurity Predictions & 2021 Year in Review.

Finally, if you aren’t as far along in developing an IR plan, we have a guide that can help you there too.
