Ransomware Gangs Have a New Trick Up their Sleeves: Double-Encrypting Your Data

Article 46 Ransomware new trick Double Encrypted data

Ransomware that double-encrypts your data is an emerging trend among ransomware gangs looking to score big.

As we learn everywhere, ransomware gangs never fall short when it comes to finding new ways to extort businesses for profit. They are constantly adapting their TTPs (common techniques, tactics, and procedures) in order to bypass defense systems, capture the highest volume of valuable/sensitive data, and confound incident response and damage mitigation efforts.

The harm they cause to business and lives in the process doesn’t seem to be a consideration. Ransomware activity during the COVID-19 pandemic soared within the healthcare industry, for example. And, even in the past, paying the ransom in order to retrieve your data doesn’t guarantee they’ll keep their end of the bargain. Or, they might just attack again as soon as you’ve restored operations.

One of the latest tricks employed by ransomware gangs is to pressure businesses by threatening to expose their sensitive information (such as PPIs or IPs) on leak sites. Another behavior was to persist in the infiltrated system after a successful attack and actively monitor the incident response process.


With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.


Now, ransomware gangs have started to adopt a new insidious strategy to cause even more damage and, hopefully, double their payday.

How Ransomware Gangs Double-Encrypt Your Data

Double-encryption is not a new phenomenon in the cybersecurity field. However, in previous incidents, it was usually a result of two separate ransomware attacks that happen to occur simultaneously.

However, in a recent PSA by Emsisoft, it was revealed that their anti-ransomware software has recently detected dozens of cases of the same actor utilizing multiple ransomware on top of each other in a single attack.

In the cases uncovered so far, the specific ransomware identified was typically REvil alongside Netwalker and MedusaLocker alongside GlobeImposter.

If that’s not enough, attackers have also employed two different strategies in these two-pronged attacks:

  • Layering the two ransomware on top of each other by first encrypting with one ransomware and then re-encrypting the already encrypted files with the second ransomware.
  • Deploying the ransomware side-by-side by encrypting some files with one ransomware and other files with another one.

To the detriment of businesses and individuals, this approach brings a number of benefits for ransomware gangs:

Higher chance of successful deployment: The hope is that even if one ransomware gets caught by the antivirus or security software that the second one will slip through.

Frustrate recovery efforts: Simply put, it’s more difficult and time-consuming to recover files from two different types of encryption than one. The hope is to frustrate businesses into just paying the ransom so they can recover their data and operations sooner.

Increase the ransom amount: If a company already paid for the first decryption, then the gang can simply force them to pay for the second as well. Or, pay separate ransoms for both side-by-side encryptions. The ransomware gang are also hedging their bets so that they can get a payout for at least one of the two encryption methods.

Testing the ransomware’s effectiveness: Basically, attackers are setting up a cruel A/B testing scenario. This will help them tell which ransomware is more effective, easier to deploy, and harder to self-decrypt from.


Ransomware that double-encrypts your data might be a new trick up the sleeve of ransomware gangs, but it’s not the last. Attacks are getting more and more sophisticated by the day while high-profile cases prove the potential damage they can cause. To limit your exposure, you should ensure that you have both the necessary proactive ransomware defense as well as incidence response capability to respond to these attacks.




PSA: Threat actors now double encrypting data with multiple ransomware strains