Skip to main content
Any device on your network can be the entry point for a triple extortion attack.

As cybersecurity awareness improves, most people have become familiar with ransomware attacks, but in recent years, malicious actors have begun springing double and triple extortion attacks on their victims. These types of ransomware attacks aim to take maximum advantage of a victim’s stolen data, and malicious actors have become vicious as they hold a company’s data for ransom and then begin threatening patients, clients, and anyone else the stolen data gives them access to.  

Initial Ransomware Attack

The start of a triple extortion ransomware attack begins the same way any other ransomware attack would. Malicious actors will use phishing campaigns to try and steal company credentials or they may leverage vulnerabilities in a company’s network or devices to brute force their way in. Once inside, the hackers will deploy their ransomware of choice and begin encrypting data in order to demand their ransom. If a company has a strong cybersecurity plan in place to deal with this, such as using a backup to circumvent the ransomware, they must quickly fix the initial point of entry for the malicious actors, or they will keep trying to attack the network.  

Double Extortion Attacks

Once a company has fallen victim to a ransomware attack, even if they react quickly, the situation can go from bad to worse. In a double extortion attack, malicious actors will steal the information they encrypt and then threaten to leak or sell that information on the dark web. This means that if a company does not pay a second ransom, the client data, personally identifiable information (PII), intellectual property, and other stolen information will be sold to other hackers who will use it to come after the business for more attacks. In a double extortion attack, getting rid of the ransomware doesn’t always solve the problem because malicious actors will leverage any data they did steal.

Triple Extortion Attacks

When hackers know a company will pay the ransom, they will turn a double extortion attack into a triple extortion attack. After they have demanded money for both unencrypting the network and security from selling stolen data, malicious actors will demand a third ransom as they threaten to go after any clients or business partners whose data was in the initial ransomware attack. A triple extortion attack not only demands more money, but it directly threatens a business’ client relationships, making it difficult to recover. Additionally, hackers can demand this third ransom for a promise not to continue attacks on the first victim, if they found more exploitable vulnerabilities as a result of the initial attack.


Triple extortion attacks can devastate a business because malicious actors demand a ransom for each of the follow reasons: to unencrypt the network, to not sell the encrypted data, and to not go after the client’s they find in the stolen data. Most of the ransom demands are tied to a promise not to do further damage to a company, and it should come as no surprise that malicious actors will lie and sell stolen data after all three ransoms are paid. For this reason, we here at Robinett Consulting do not recommend paying ransoms. Instead, we encourage businesses to have a strong cybersecurity posture so that the bad guys never have a chance to get in!

Robinett Consulting

Author Robinett Consulting

At Robinett Consulting, we are your consultative partner who strives to grow your business and have technology truly enabling you. We aim to understand you and your business so that you do what you do best unhindered by your IT.

More posts by Robinett Consulting