I believe there’s a pretty clear consensus within the industry that ransomware should not be mistaken anymore to limit itself to just encrypting files and demanding payment for a decryption key. Dubbed by F-Secure “Ransomware 2.0”, now the standard practice for ransomware groups includes also stealing files from the target company in order to increase the leverage for ransom. Proper backups are an antidote to encrypted files but won’t help against the threat of stolen data being leaked.

Although this double extortion scheme has been the new modus operandi only since late 2019, cyber criminals are already looking for additional ways to apply pressure to their victims. This is where Ransomware 3.0 comes in.

Triple extortion is the next unfortunate, but logical step in this process. However, the exact mechanism of the third layer of ransomware threat isn’t settled yet. Here are few snippets where we can read about Ransomware 3.0 in action.


Prominent attacks that have taken place at the end of 2020 and the beginning of 2021 point at a new attack chain – essentially an expansion to the double extortion ransomware technique, integrating an additional, unique threat to the process – and we call this Triple Extortion. The first notable case is the Vastaamo clinic attack, which happened in October 2020. Innovative at the time, the 40,000-patient Finnish psychotherapy clinic suffered a yearlong breach that culminated in extensive patient data theft and a ransomware attack. A decent ransom was demanded from the healthcare provider, but surprisingly, smaller sums were also demanded from the patients, who had received the ransom demands individually by email. In those emails, the attackers threatened to publish their therapist session notes. This was the first attack of its kind within the ransomware attacks landscape.

On a wider scale, in February 2021 the REvil ransomware group announced that they had added two stages to their double extortion scheme – DDoS attacks and phone calls to the victim’s business partners and the media.

Security Magazine:

To make matters worse, we now see an added complication to ransomware – a triple extortion threat – exemplified by ransomware group Avaddon. Not only does your data get encrypted and exfiltrated, but if you do not respond to the original threat for payment or the threat of a data leak, attackers may then launch a DDoS attack against your services as a way to bring you back to the negotiation table.

InfoSec Handlers Diary Blog:

The ransomware attacker not only leaked private health information after a ransom payment was category denied. In addition, other miscreants, or the original attackers themselves, are now using this leaked data.

Apparently, individuals in Ireland are receiving calls claiming to come from the Irish Health Service, asking for banking information. The caller is using leaked data (personal information like birthday and address, but also the date and type of recent medical procedures) to authenticate themselves. The victim is then asked for banking information for a “refund”.

So, to answer the headline’s question, we could summarize:

  • Ransomware 3.0 could refer to the (emerging trend of) third stage of an extortion scheme
    • First stage is file encryption
    • Second stage is data theft and the threat of making that data publicly available
  • The third stage’s method isn’t (at least yet) one specific threat, but what has been used so far
    • DDoS attacks
    • Leveraging stolen data (from second stage) to do additional attacks toward original target organization’s customers
    • Either by targeted phishing
    • Or by simply ransoming them too (like happened with Vastaamo case, albeit in rather small scale)
    • Scrambled VOIP calls to target organization’s business partners or journalists (presumably to inform them about the ransomware attack, potentially causing business and PR harm)

Time will tell what the distinctive threat pattern will be that Ransomware 3.0 eventually brings along to the scene. On the other hand, it could very well be that this becomes (an another) differentiating factor for threat actors, especially those who offer ransomware-as-a-service. Let’s keep an eye on this. If you have any further examples of triple extortion schemes, please leave a comment down below or hit me up on Twitter.

(Featured image is made combining graphics from F-Secure’s Attack Landscape Update H1 2021 and “Highlord’s Vengeful Charger” from Warcraft Mounts.)

4 thoughts on “What is Ransomware 3.0?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.