Ransomware Gangs Continue To Execute Triple Extortion Attacks

Hanna Mathai

By Peter Adel, Regional Sales Manager, NETSCOUT

8 min to read
Ransomware Gangs Continue To Execute Triple Extortion Attacks

Like any smart entrepreneur, threat actors know that their business is only as successful as their latest innovation. And when it comes to parting unsecured organizations from their money, those innovations never stop.

The latest involves integrating attacks into a ransomware-as-a-service (RaaS) portfolio to create the so-called triple cyber extortion attack. It’s a little bit ransom, a little bit DDoS extortion, and a lot of trouble. Here’s how it works:

File encryption

With the traditional ransomware attack method, cybercriminals breach a network and encrypt valuable data, making it (and sometimes the entire system) unavailable to the victim organization. The attackers then demand payment in return for a decryption key.

Data theft

Here, cybercriminals exfiltrate the data before locking the victim out. They then threaten to expose and/or sell the stolen data publicly unless paid. This second level of extortion makes it harder for victims to ignore ransomware threats, because even those who can use backups to restore data remain at risk of data exposure.

DDoS attacks

Commonly used as a standalone extortion method, DDoS attacks now are on the list of services RaaS operators offer. This further ratchets up the pressure on the victim in a couple of ways: First, it emphasizes the seriousness of the adversary. And second, maintaining availability also adds another stressor to a security team already dealing with the first two events.

By combining file encryption, data theft, and DDoS attacks, cybercriminals have essentially hit a ransomware trifecta designed to increase the possibility of payment. According to NETSCOUT’s latest Threat Intelligence Reports, in 2021 cyberattackers launched three worldwide, distributed denial of service (DDoS) extortion attack campaigns – a startling new achievement carried out by a REvil copycat, Lazarus Bear Armada (LBA) and Fancy Lazarus. From the threat actor’s perspective, adding DDoS attacks to a list of ransomware services is a smart business move. DDoS attacks are incredibly cheap and easy to launch, and they might increase the chance that a victim will pay. What’s not to like? After all, this is a very lucrative business, and bad actors are constantly adding new weapons to their multi-faceted attack campaigns.

The good news is that stopping DDoS extortion attacks can be done with the right preparation in place. That is for volumetric attacks (larger than your Internet circuit) you need a cloud-based DDoS attack protection service such as one from your ISP or NETSCOUT Arbor Cloud. For smaller attacks, more specifically those that target application servers (e.g., web, DNS, mail, servers) or stateful infrastructure (e.g., firewalls, load balancers or VPN concentrators) the best approach is an on-premises, stateless DDoS solution such as NETSCOUT Arbor Edge Defense, that fronts this infrastructure. The combination of cloud-based and on-premises protection offers the industry best practice in DDoS defense.

But how do you stop the other two facets of cyber extortion (e.g., data theft and ransomware encryption)?The answer is to look for early signs of reconnaissance, IoCs, lateral movement or data exfiltration that precede the dropping of ransomware as well as data breach and exfiltration.

This requires comprehensive network visibility into north-south and east-west traffic. NETSCOUT’s Omnis Cyber Intelligence (OCI) is such a solution. OCI is a network-based cybersecurity solution that integrates with and fills the gaps left by other cybersecurity tools- namely Network Detection and Response (NDR) tools.

OCI and CyberStream sensors support all types of network environments (e.g., legacy, virtual, private, public cloud), speeds (up to 100 Gbps), and hundreds of protocols and applications. This enables security teams to gain comprehensive network visibility across their entire digital infrastructure – a fundamental requirement for effective cybersecurity because you can’t protect yourself from what you can’t see.

Omnis Cyber Intelligence provides security teams with an unmatched, continuous, robust source of packets and layer 3-7 metadata that are used for more effective and comprehensive network visibility, real-time cyber threat detection, as well as rapid and highly contextual investigation.

The Four Main Use Cases for Omnis Cyber Investigator are:
Early Warning System

OCI is continuously monitoring packet-derived metadata looking for reconnaissance, IoCs or anomalous traffic and application behaviour that are signs of a future attack (e.g., a ransomware attack).

Continuous Attack Surface Monitoring

OCI has visibility into all network and traffic (e.g., east/west and north/ south traffic). Leveraging NETSCOUT’s patented ASI technology OCI can reconstruct the network attack surface within seconds of any change and detect vulnerabilities that may pose a threat (e.g., looking for anomalous network activity that indicates a network or data breach).

Contact Tracing

Since OCI knows all network communication inside and outside an organization’s network, it uses this intelligence to detect or investigate short-term lateral movement and stop the attacker before a data breach or ransomware attack occurs.

Back-in-Time Investigation

Detecting and investigating long dwell time attacks (e.g. more than 6 months) is difficult. OCI can conduct a retrospective analysis of NETSCOUT’s ASI-derived Smart Data with high fidelity and context, looking for evidence of a network or data breach that may have occurred months or even a year ago.

Upon detection of such threats with Omnis Cyber Intelligence, the information gathered can be used to configure blocking devices on the network edges such as firewalls, or even better Arbor Edge Defense to stop the proliferation of attacker inside the environment before the data breach or ransomware attack occurs.

The threat of triple extortion is real. You can rely upon NETSCOUT Arbor Edge Defense and Omnis Cyber Intelligence solutions to stop it before it’s too late.

For more information, get in touch with your Help AG account managers, and we can have a detailed discussion.

Bridging network and security operations requirements.

Optimized Vulnerability Scanning Scheduling Assures Server Environment Performance.


This financial services leader successfully processes millions of business transactions every day, which has helped make the company a household name. This company is a long-time NETSCOUT customer, years ago standardizing on nGeniusONE as their service assurance platform of choice. The company had widely deployed InfiniStreamNG (ISNG) smart data sources and nGenius Packet Flow Switches (PFS) to provide service edge visibility across their network, with additional service assurance operations guidance provided by their contracted NETSCOUT Premium Support Services (PSS) engineering resources.


Given the nature of this company’s business, regular Security Operations (SecOps) scanning to assure the environment was free of vulnerabilities was understandably an area of intense focus. The work-from-home (WFH) business era has seen exponential increases in cyberthreat attacks for all global companies, and the SecOps team wanted to take additional measures to safeguard the company’s server environment. In this case, SecOps wanted to increase the vulnerability scanning cadence to include weekday scheduling, during non-peak hours, in addition to its standard weekend processes. Traditionally, SecOps scanning had been coordinated to run on weekends using their industry-leading vulnerability reporting tool. This practice allowed vulnerability scanning to be conducted when network traffic volumes were lower, and bandwidth was readily available to accommodate the workloads that Network Operations (NetOps) believed were required for this SecOps testing.

Adding vulnerability scans during off-hours Monday through Friday would simply offer more opportunities for SecOps to assure the security of their server environment. With more than 1,000 host servers operating across their environment, receiving executive endorsement of this modified testing plan was a major SecOps priority. For their NetOps colleagues, however, there was concern any weekday testing would impair performance of regular, daily business workloads by introducing additional network traffic that would be traveling across the network and through firewalls. Since this is truly a global business, “off-hours” in one geography are still “business hours” in another.

As a result, when SecOps appealed to IT leadership to reconcile this issue, there was an identified need for network traffic modelling, analysis, and reporting that would provide the evidence necessary to assure NetOps that this modified testing schedule would not unnecessarily consume bandwidth or impact application responsiveness. In response, IT leadership agreed to a one- month trial of this modified vulnerability scanning approach to determine whether additional SecOps server testing cycles would hinder network performance.

The company has reliably used nGeniusONE analytics and ISNG appliances for smart visibility to assure business performance across its enterprise environment, so approaching their long-time NETSCOUT PSS Engineer to assist them during this month- long trial was a logical extension of a strong track record in troubleshooting other service delivery issues.

By using the NETSCOUT production environment, the PSS Engineer collaborated with IT Operations to visualize vulnerability scanning traffic, with real-time nGeniusONE service dashboard and monitor views into client/server performance that showed associated bandwidth consumption. In doing so, IT Operations and PSS took advantage of NETSCOUT smart visibility views across several service edges, including data center (which included firewalls, load balancers, and service enablers, as well as the host server environment) and network edges.

Using NETSCOUT smart data (generated in real-time by ISNG smart visibility sources monitoring application packets from the company’s network traffic), nGeniusONE contextual views factored the multi-tier infrastructure, including MIB2 interfaces and firewall environments.

This nGeniusONE performance snapshot enabled IT Operations to visualize how applications and servers at two key data centers handled the vulnerability scanning workload during a 10.00 PM to 05.00 AM schedule being used as a trial for modelling the vulnerability scanning’s performance impact. Through analysis and trend reporting conducted over the course of the month, as well as real-time monitoring occurring on a daily basis, IT Operations could view traffic impacts as scanning tests started and when network consumption peaked.

This vendor-neutral analysis with nGeniusONE throughout their enterprise showed what SecOps had hoped – there was no major associated network load with vulnerability scanning during weekday “off hours.”


The company’s earlier investments in NETSCOUT technology and consultative PSS Engineering resources enabled the collective IT Operations teams to benefit from informed decision-making about how increased vulnerability scanning practices would impact network operations – thus, the additional weeknight scans for its server network provided enhanced assurance that the business service and data center operations environment was running with integrity and better protected from cyberthreats. For more information about NETSCOUT network performance management solutions, please visit the website or get in touch with your account manager.

Share this article

Upcoming event

Black Hat MEA 2024

  • KSA
  • Riyadh