PSA: Threat actors now double encrypting data with multiple ransomware strains


Scenario: you’ve paid the ransom, obtained the decryption tool from the threat actor and used it to recover your files…..only to discover that some or all of them are still encrypted. This is precisely the situation that some companies are finding themselves in. 

We have recently observed a new trend of threat actors using multiple strains of ransomware to double-encrypt data, in order to further complicate the recovery process and increase their chances of a payout.  

In this blog post, we discuss how double encryption works, the possible motivations behind the tactic and the best way for impacted organizations to recover from a double encryption attack.  

The double extortion method referred to in this article occurs when a single threat actor chooses to deploy multiple strains of ransomware on the same network. It is important to note that this is not the same type of multi-ransomware attack we have seen in the past, in which one network is compromised by multiple threat actors, resulting in multiple ransomware variants being deployed on the same network in separate attacks.

How it works 

No longer content with double extortion, some affiliates are now choosing to double encrypt data: in other words, deploy more than one type of ransomware on the same network. For example, we have seen cases of affiliates encrypting data using both REvil and Netwalker, and other cases where MedusaLocker and GlobeImposter have been used in tandem.  In some cases, to prove that double encrypted files can be recovered when the demand is paid, affiliates have provided sample decrypted files via one group’s web portal when the encrypted files had been submitted to them via another group’s web portal. Obviously, the affiliates in these cases had a working relationship with both groups – something which is not at all uncommon and was previously discussed by Chainalysis. 

We have seen the double encryption strategy applied in two ways: 

Why threat actors use double encryption 

While we’re not mindreaders and so can’t say for sure why threat actors use double encryption, there are a few obvious explanations:  

Thwart recovery efforts 

Recovering from a regular ransomware attack is a costly, disruptive and time-consuming exercise. Threat actors may believe that adding another layer of encryption to the already complex recovery process may be the extra leverage needed to persuade victims to pay for decryption rather than restoring their systems on their own.  

Increased payout 

Double encryption potentially means double the payout. Threat actors are likely relying on victims not realizing that their data has been encrypted twice. In this scenario, victims would pay to remove the first layer of encryption only to discover that their files are locked behind a second layer of encryption that can only be removed with an additional ransom payment. 

Higher chance of successful deployment 

Threat actors may be using multiple strains of ransomware to increase their chances of a successful deployment. In the event that one ransomware variant fails to execute properly or is blocked by the target’s security tools, the other ransomware may still be able to launch.  

A/B testing 

It’s also possible that threat actors are using double encryption as a form of A/B testing to see which ransomware variant results in more ransom payouts. The results of such tests may determine which variant threat actors favor in future attacks.  

Double encryption makes recovery far more complex

Paying a ransom doesn’t get companies out of the woods. Even when armed with the threat actors’ tools, recovery is always challenging, and double encryption makes it even more challenging. A lot more challenging, in fact.

In cases of single encryption, there is a high risk of data corruption, either caused by the ransomware and/or by the threat actor’s decryptor. In the case of double encryption, that risk is, well, doubled.  Additionally, decryption is a time-intensive process. Threat actors’ tools typically don’t permit a folder to folders to be specified for decryption and instead slowly crawl the entire system. Consequently, when the tools crash – as happens frequently – or when a second layer of encryption is discovered, the decryption process needs to start over. Similarly, tools frequently require manual intervention, requiring each workstation to be attended during decryption and commands entered as and when needed. In short, incident responders find themselves needing to jump between one badly coded tool and another. And cases of double encryption double the problems.

Making recovery simpler and faster

As noted above, double encryption makes recovery even more challenging and, without the proper tools, will likely result in organizations experiencing significantly more downtime. 

To help victims of double encryption ransomware recover faster, Emsisoft provides a universal decryptor that has been specifically designed to handle ransomware incidents where multiple variants are involved. The universal decryptor can peel away multiple layers of encryption without the need for multiple attacker-provided decryptors, which are often implemented imperfectly and can sometimes corrupt data irrecoverably during the decryption process.  

The Ultimate Checklist on Ransomware Mitigation for MSPs

Free Download

The universal decryptor was built to resolve these issues and others: it’s safer than attacker-provided tools, scriptable, supports full reporting, avoids the need for encrypted files to be backed up and can reduce recovery times by up 70%. 



Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next