Double Encryption – A Pain in the Side of Your Ransomware Recovery Efforts

laptop and mouse with wires tangled around a padlock

Ransomware actors are intent on complicating the recovery process for victims so that they’ll be more inclined to pay. Double extortion is an example of this in action. Data backups can’t reverse data theft, after all. Ransomware actors can therefore use double extortion to create even more pressure for victims—even those with data backups—to pay the ransom. They can also leverage the technique to demand two ransoms, one for a decryption utility and the other for the deletion of the victim’s stolen data. 

Even so, double extortion isn’t the only tactic by which ransomware actors are attempting to complicate victims’ recovery efforts. Some attackers are using an even more recent tactic called “double encryption.” Let’s investigate how this practice works below. 

The Inner Workings of Double Encryption 

First covered by Emsisoft in May 2021, double encryption is where ransomware affiliates choose to encrypt a victim’s data using two different strains of ransomware. Instances of double encryption generally take on one of two forms. In attacks involving layered encryption, for instance, malicious actors encrypt a victim’s data using the first strain before encrypting all that same information with the second ransomware. By contrast, side-by-side encryption leverages two ransomware strains simultaneously to encrypt different systems and data.  

“The groups are constantly trying to work out which strategies are best, which net them the most money for the least amount of effort,” noted Emsisoft threat analyst Brett Callow, as quoted by Wired. “So, in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not actually decrypted at all.” 

Double encryption isn’t a theoretical tactic. On the contrary, Emsisoft noted that it’s seen instances of affiliates encrypting victims’ data using both REvil and Netwalker. The security firm also came across some cases where attackers used the MedusaLocker and GlobeImposter ransomware strains in tandem. 

The Impact of Double Encryption 

Double encryption injects another layer of encryption into a ransomware attack, as noted by Emsisoft, sometimes complicating organizations’ recovery efforts. This is especially prevalent in instances involving side-by-side encryption, for some malicious actors design their ransomware attacks to append encrypted files with the same extension. In scenarios where a victim decides to pay, they might need to apply the decryption utilities provided to them on a trial-and-error basis. 

Restoring from backups doesn’t require any more effort in an instance of double encryption than in a traditional ransomware attack, however. 

“Remediating from backups is a long complex process, but double encryption doesn’t complicate it further,” Callow says. “If you decide to rebuild from backups, you're starting fresh, so it doesn't matter how many times the old data has been encrypted.” 

The consequences of double encryption go beyond just complicating victims’ recovery efforts. As noted by Emsisoft, affiliates can use double encryption to increase their payouts by demanding ransom payments in connection with both ransomware strains. They can also leverage double encryption to compensate for instances where one ransomware strain doesn’t successfully deploy as well as to investigate which ransomware variant results in higher ransom payments—knowledge which they can use to stage future attack campaigns. 

How to Defend Against Ransomware Actors Using Double Encryption 

One of the best ways that organizations can shield themselves from instances of double encryption is to prevent a ransomware infection from occurring in the first place. One of the ways they can do that is by strengthening their email security posture. Towards that end, organizations can invest in an email security solution that’s capable of scanning their incoming email messages for campaign patterns and other threat indicators in real time, thus allowing legitimate correspondence to reach its intended destination. Organizations can also audit their networks, software, and their email environments for vulnerabilities to remediate any potential security issues.