Double Whammy: Meet Ransomware 2.0

Ransomware operators are leveraging a combination of new techniques like double extortion to easily obtain access to corporate networks and demand high ransoms.


Ransomware attacks are becoming more rampant and successful than ever. Ransomware groups leverage a combination of factors to obtain access to corporate networks and demand high ransoms. With the rise of ransomware-as-a-service, cybercriminals are getting more involved in ransomware attacks.

According to a recent analysis from F-Secure, double extortion ransomware attacks increased drastically in 2020. Today, most of the ransomware operators are also stealing data from organizations and threatening to post it on the darknet with double extortion tactics.


In a double-extortion approach, ransomware operators first steal data before encrypting it and demanding a ransom. Later, the attackers threaten to leak the stolen data on the dark web unless victims pay an additional ransom.

F-Secure’s researchers stated they have found a new kind of extortion, dubbed Ransomware 2.0, that has been growing significantly since 2019. The double-extortion technique involves threat actors stealing critical information from targeted organizations in addition to encrypting files. This means that, along with demanding a ransom, attackers can threaten to expose the compromised data if an additional ransom is not paid.

Spread of Ransomware Families

Researchers observed over 15 different ransomware families using a double-extortion approach to target organizations. In addition, nearly 40% of ransomware families discovered last year used this Ransomware 2.0 method. The major active ransomware families using the double-extortion method include Ragnar Locker, Doppelpaymer, Clop, Conti, and ChaCha.

“The Maze ransomware group was the first to do this in late 2019. But by the end of 2020, this approach was being used by 15 different ransomware families,” F-Secure said.

Key Findings

  • Attackers using Excel formulas – a default feature that cannot be blocked – to obfuscate malicious code tripled in the second half of 2020.
  • Outlook was the most popular brand spoofed in phishing emails, followed by Facebook Inc. and Office365.
  • Nearly three-quarters of domains used to host phishing pages were web hosting services.
  • Email accounted for over half of all malware infection attempts in 2020, making it the most common method of spreading malware in ransomware attacks.
  • Malware that automatically collects data and information from victims (infostealers) continues to be a threat; the two most prevalent malware families in the latter half of 2020 were both infostealers (Lokibot and Formbook).

“In recent years, the trend in ransomware attacks has been to move away from entirely automated attacks to more manual hands-on keyboard intrusions. Ransomware groups are also qualifying victims and looking to boost profits by ensuring maximum damage is done. These intrusions have significant commonalities in tooling and malware usage with other crimeware intrusions,” F-Secure added.
