Threat Spotlight: Triple Extortion Ransomware

This article was updated on July 25, 2025.

Ransomware has always been about extorting money from victims. But why get paid once when you could get paid three times? Not content with single extortion attacks, ransomware gangs have escalated to double and even triple extortion. 

With the commoditization of cybercrime, adversaries have dramatically increased the sophistication of their operations, and with it the potentially devastating effects of a ransomware attack.

In our webinar, Triple Extortion Ransomware and Dark Web File Dumps, Flare Marketing Director Eric Clay and CTO & Co-Founder Mathieu Lavoie discussed trends in ransomware attacks including:

  • double/triple extortion
  • different types of ransomware
  • methods for stealing sensitive data

and more. Check out the webinar, or keep reading for more insights into ransomware trends. 

How are Ransomware Groups Changing? 

Ransomware attacks began as a simple transaction: a cybercriminal would infect a device, encrypt the victim’s data, and demand a ransom. However, ransomware groups are constantly changing their tactics, techniques and procedures (TTPs). One alarming trend that we’ve seen recently is ransomware groups resorting to double and triple extortion tactics.

What is a triple extortion ransomware attack? 

In a triple extortion attack, a threat actor goes beyond simply encrypting a victim’s data. Instead, they add layers of pressure to coerce victims into paying one or more ransoms. Attacks typically follow this pattern: 

  1. Attackers encrypt files and demand payment for a decryption key, rendering systems and data unusable and interrupting business operations.
  2. Having stolen sensitive data before encrypting it, the attackers then threaten to leak or sell the data if a ransom isn’t paid.
  3. The third layer of extortion varies, although the goal is always the same: another paid ransom. The bad actors may threaten to: 
     • Launch DDoS attacks
     • Harass customers or other stakeholders
     • Contact the media 
     • Or they may simply demand more payments after a ransom is paid

Some of the more sophisticated ransomware groups are even moving away from encryption altogether, choosing to focus on data exfiltration and ransom. This creates an additional opportunity for threat actors to monetize ransomware since, even if the ransom isn’t paid, actors are able to sell access to the data.

This doesn’t mean every ransomware group is abandoning encryption. Encryption still creates chaos and loss for companies. It is an effective method of creating pressure and causing operational impact that can lead to financial loss. Therefore, encryption is likely here to stay for many groups, and we will likely continue to see groups finding additional ways to gain leverage and force companies to pay. 

The Growing Impact of Infostealers on Ransomware Attacks

Ransomware and infostealers are increasingly interconnected in the modern cybercrime ecosystem. Infostealers are remote access Trojans (RATs) that infect computers, exfiltrate sensitive data and compile it into stealer logs, which are then distributed online. 

The ransomware economy runs on stealer logs, which include massive amounts of user data, such as credentials, session cookies and tokens, browser data, cryptocurrency wallets and more. Ransomware operators buy or harvest this information to launch their attacks, and they tend to look for stealer logs or variants that contain specific information, or that target certain industries. 

The Verizon 2025 Data Breach Investigations Report (DBIR) states that 46% of stealer logs likely from personal devices contained corporate credentials. In addition, the median time between ransomware victim disclosure and detection of related stolen credentials is two days, a strong indicator that ransomware operators leverage stealer malware. 

Take the example of Active Directory credentials. Active Directory (AD) is Microsoft’s directory service for Windows domain networks. Because AD validates user credentials and determines their access rights to network resources, it’s particularly dangerous for AD credentials to be compromised: attackers can potentially gain full control over an organization’s entire IT infrastructure. 

Unfortunately, AD credentials have found their way into stealer logs. In 2024, Flare discovered 569,892 stealer logs containing at least one AD access credential, compromising more than 13,000 unique organizations.

Certain infostealer families appear to target Active Directory Federation Services (ADFS) credentials. In 2024, Flare found that Lumma, StealC, and RedLine accounted for 82.5% of all recorded logs with ADFS credentials, although Risepro, Vidar, and Bradmax were also responsible for some of the ADFS logs. 

The commodification of ransomware groups

Ransomware groups are growing in sophistication and operating more like legitimate companies. For example, many groups employ: 

  • A mission-oriented approach
  • Recruitment practices to seek new hires
  • Specialization
  • Affiliate vetting and recruiting

For example, the Karakurt group, after operating privately for a year, published a recruitment post to attract new members. They pride themselves on their mission to hold companies accountable for existing vulnerabilities in their cybersecurity and for the negligence of their IT staff. These groups can be driven by both financial and political motives, often influenced by the shifting landscape of geopolitics, and they’re open about their reasoning: many groups release press-style Q&As explaining their missions and engage in other public relations or marketing. 

In general, there are two distinct types of specialization within such groups. Similar to a company with various departments, a group may have internal specialization. For instance, within a ransomware group, some members might excel in negotiating the ransom, while others primarily focus on developing malware. Another form of specialization involves individual groups having their own areas of expertise, akin to specialized agencies within a larger company. One group might concentrate on distributing ransomware, collaborating with another group that specializes in extortion.

This organized, specialized collaboration between groups can lead to more complex and scalable operations than individual threat actors could run on their own.

Concrete recommendations for protecting against ransomware

Ransomware is on the rise; according to Verizon’s latest Data Breach Investigations Report (DBIR), ransomware was present in 44% of breaches, up from 32% the year before. However, there are ransomware preparedness steps you can take to protect your organization: 

  • Detection: Ensure that users have MFA enabled, and use endpoint detection and response (EDR) to detect any type of attack, whether internal or external.
  • Third-party monitoring: Perform an assessment before starting a new relationship with a company, and continuously monitor the third party’s security posture. 
  • Ransomware group monitoring: Keeping an eye on ransomware groups and any file listings that look relevant can help you discover potential risks earlier instead of waiting to be notified by the third party. For example, we saw the case of a company that was monitoring ransomware groups and knew three weeks in advance that one of its third-party partners had been compromised by ransomware before receiving a legal disclosure notice from that partner. This can give affected organizations more time to review the data they were sending to the breached third party and begin remediating the data leak. 
  • Monitor the dark web: Make sure you monitor dark web marketplaces and forums for stolen credentials and other relevant threats that could lead to a breach. 
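The stealer-log and ADFS passages above and the "monitor the dark web" recommendation both come down to the same defender task: when a monitoring feed hands you credential records, decide which ones expose your own accounts or endpoints so they can be reset. The following is an added example (not Flare's code or platform) that triages constructed records in a simplified "URL | USER | PASS" layout; the record format, the `example.com` organization, the `EXAMPLE` NetBIOS name and all sample values are assumptions made for illustration. It flags records by why they matter (one of the organization's services, an organization e-mail identity, an AD domain account, an ADFS endpoint), merges the same username/password pair seen on several sites so reuse across a third-party portal is visible, and reports only a password fingerprint rather than the password itself.

```python
"""Triage stealer-log style credential records for an organization's exposure.

Added example, not Flare's code. The record layout and all values below are
constructed for illustration; real stealer-log exports vary by family.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class CredentialRecord:
    url: str
    username: str
    password: str


# Constructed sample records (hypothetical organization: example.com / EXAMPLE).
SAMPLE_RECORDS = [
    "URL: https://adfs.example.com/adfs/ls/ | USER: jdoe@example.com | PASS: Winter2024!",
    "URL: https://mail.example.com/owa | USER: EXAMPLE\\asmith | PASS: hunter2",
    "URL: https://shop.example.net/login | USER: someone@gmail.com | PASS: pw123",
    "URL: https://portal.partner-example.org | USER: jdoe@example.com | PASS: Winter2024!",
    "malformed line without fields",
]


def parse_record(line: str) -> Optional[CredentialRecord]:
    """Parse one 'URL: ... | USER: ... | PASS: ...' line; None if malformed.

    Splits on '|' first, then on the first ':' of each field, so URLs keep
    their scheme. Passwords containing '|' are not supported by this toy layout.
    """
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if not sep:
            return None
        fields[key.strip().upper()] = value.strip()
    try:
        return CredentialRecord(fields["URL"], fields["USER"], fields["PASS"])
    except KeyError:
        return None


def exposure_reasons(rec: CredentialRecord, org_domains, netbios_names) -> list:
    """Return the reasons a record affects the organization (empty if none)."""
    host = (urlparse(rec.url).hostname or "").lower()
    user = rec.username.lower()
    names = {n.upper() for n in netbios_names}
    reasons = []
    if any(host == d or host.endswith("." + d) for d in org_domains):
        reasons.append("org-service")            # login to one of our endpoints
    if any(user.endswith("@" + d) for d in org_domains):
        reasons.append("org-email-identity")     # our identity used anywhere
    if "\\" in user and user.split("\\", 1)[0].upper() in names:
        reasons.append("ad-domain-account")      # DOMAIN\\user form of an AD logon
    if "/adfs/" in rec.url.lower():
        reasons.append("adfs-endpoint")          # federation endpoint, high impact
    return reasons


def triage(lines, org_domains, netbios_names) -> list:
    """Group exposed records by (username, password fingerprint) for reset work."""
    findings = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reasons = exposure_reasons(rec, org_domains, netbios_names)
        if not reasons:
            continue
        # Fingerprint, never the cleartext, goes into the report.
        fp = hashlib.sha256(rec.password.encode("utf-8")).hexdigest()[:12]
        key = (rec.username.lower(), fp)
        entry = findings.setdefault(key, {
            "username": rec.username,
            "password_fingerprint": fp,
            "reasons": set(),
            "sites": set(),
        })
        entry["reasons"].update(reasons)
        entry["sites"].add(urlparse(rec.url).hostname)
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, {"example.com"}, {"EXAMPLE"}):
        print(f["username"], sorted(f["reasons"]), sorted(f["sites"]),
              "reset required")
```

Two details drive the design: a single (username, password) pair seen on both the ADFS endpoint and an unrelated partner portal is merged into one finding, which is exactly the reuse that turns a third-party compromise into an organization compromise, and the record for `someone@gmail.com` on `shop.example.net` is dropped because `example.net` is not one of the organization's domains, which keeps the reset queue limited to accounts you actually control.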

Monitor for External Threats with Flare 

The Flare threat intelligence solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. See what external threats are exposed for your organization by signing up for our free trial. Check out ransomware risks across your supply chain with a demo.
