Quadruple extortion ransomware is maximising the monetisation of the cyberattack, according to new reports from Entelgy Innotec Security.

Quadruple extortion ransomware is yet another technique with which cybercriminals seek to make as much profit as possible. 

Quadruple extortion is based on a period of aggressive harassment of company-related actors, after the company has previously been subjected to other damage. 

Entelgy Innotec Security explains the phases of the ransomware extortion cycle and provides advice on how to try to prevent it.

Ransomware has become one of the most dominant attack methods. During 2022 alone, Entelgy Innotec Security analysed more than 7,000 cases of malware (including ransomware, Trojans, spyware.

The company's experts point to ransomware, phishing and DDoS attacks as the main cyberthreats of the moment. All of them increase their effectiveness with specialisation, sophistication and demand for cybercrime for hire ('as a service'). In addition, it is estimated that more than half of the companies that are attacked by ransomware agree to extortion. But how far can ransomware extortion go? The answer lies in quadruple extortion, which is already a reality.

"Quadruple extortion is a technique used in ransomware cyberattacks whose objective is to maximise the monetisation capacity expected by the threat actor responsible for the campaign," says Raquel Puebla, cyber intelligence analyst at Entelgy Innotec Security. 

"With this new level of extortion, the aim is to ensure that the affected entity pays the ransom demanded by the attackers for the cyberattack, which is the ultimate goal of today's ransomware actors.

"Therefore, it is not understood as a cyberattack in itself, but as an additional layer to ransomware cyberattacks," adds the expert. It is called quadruple extortion or fourth extortion stage because it usually takes place after three other stages that usually accompany these cyberattacks.

The phases of the extortion cycle of a ransomware cyberattack at present are as follows:

1. Data encryption phase: in most cases this involves a risk to the availability of the affected organisation's systems. In this case, the extortion consists of forcing the organisations to demand payment of the ransom so that they can regain access to the encrypted information.

2. Information leakage threat phase: in this phase the attackers raise the level of extortion by threatening to publicly leak the information previously obtained during the compromise and encryption process, which in many cases results in the exposure of sensitive data or information that can entail all kinds of sanctions for the affected entity. This is known as double extortion.

3. Denial of Service (DDoS) campaign phase: which prevents users from accessing the affected organisation's resources, substantially increasing its losses by causing service unavailability. This model has come to be known as triple extortion and its use is very common in online commerce organisations. It prevents the achievement of sales.

4. Aggressive harassment phase: cybercriminals contact customers, employees and business partners of the affected organisation, as well as the media, to inform them that sensitive or confidential information associated with them has been compromised, for which they will first try to obtain data associated with users linked to the company from among the stolen information.

"With this model, called quadruple extortion, the attackers intend that agents related to the organisation are the ones who promote that the entity agrees to pay extortion to remove the data breach that affects them," says Puebla.

The layers of extortion described above work together to increase the losses of the organisation affected by the cyberattack, pressuring and wearing it down until it considers that the payment demanded by the cybercriminals is less costly than remedying the impact through the corresponding legal incident response channel. This is why cybercriminals are constantly trying to devise new extortion models to persuade their victims to make the demanded payment.

Early detection

There are several ways to prevent this type of cyber-attack and avoid irreversible damage. Here are some tips:

The detection of anomalous requests or connections from unknown or non-geolocated IP addresses in the employee's country or region of work are indications of suspicious activity, so it is highly recommended that all organisations establish monitoring activities on access to accounts, email addresses and corporate profiles.

In addition, grammatical and spelling errors in e-mail messages that arrive in the user's mailbox, their origin from an unknown sender, and the inclusion of links to external websites or attachments can also be warning signs.

In the case of attachments, it may be advisable to scan them in anti-malware software before opening them, for example, and, if in doubt, it is always advisable not to open them.

Other more obvious signs that could be observed at a later stage of the cyberattack could include unexpected changes in permissions, the appearance of blockages when accessing certain resources and even the appearance of a ransom note.