Organizations that fall prey to ransomware attacks are painfully aware that an intrusion is an experience that is neither simple nor brief. In fact, ransomware groups often base their profit strategy on sharing the wealth with other malicious actors, in effect going back to the same well again and again with a different pail each time. A recent attack trend quite literally doubles down on the concept of encryption attacks.
Double encryption entails a two-pronged approach that layers one data ransom on top of another. Earlier incidents of this kind involved independent gangs working in tandem, but there have been numerous incidents of a single group running the dual scheme on its own. The "shadow" duplicate layer can be used in various ways to strike fear into a victim, particularly when it pulls the rug out from under a hapless victim who is convinced the battle is over after paying a hefty ransom. In another scenario, the ransom money may as well be a donation: the decryptor for the unnerving second layer might not even exist. A single group asserting its dominance over an organization by sending two ransom notes simultaneously seems to be the ultimate power play at the moment.
Switching up tactics limits the responding security teams to mere guesswork. Stated threats are one thing, but the actual encryption process can vary as well. It can be a straightforward two-step encryption and re-encryption with a pair of distinct ransomware strains run in succession, or a "side-by-side" blend of two ransomware strains embedded in a single encryption run that requires two unlocks. Double encryption is a natural progression of revenue-sharing attack patterns. Clients can pick and choose preferred strains of malware by splitting the resources of two groups, making for a plethora of frightening combinations.
The prospect of following through with a ransom payment is already dubious; victims know this is not a negotiation made in good faith. In a study by Help Net Security, 34% of organizations said that no data was returned upon remittance. Enough victims putting on a brave face and refusing to balk under pressure could dampen the expectations attackers have for the double encryption strategy, but preemptive security measures are the true "key" to avoiding decryption deals altogether.
Part of the proactive approach is setting a budget aside for a security operations center (SOC). Data backup, infection detection, and notification technology are essential to the first line of defense. The SOC's centralized security model can keep a business afloat amid a siege, but it detects and anticipates attacks best in conjunction with Endpoint Detection and Response (EDR) or its extended variant (XDR). Paying attention to behavioral indicators and keeping the focus on threat detection is crucial to averting a double-encryption ransomware disaster.