Multifaceted Extortion—Definition and Solutions

Multifaceted extortion was one of the standout topics in the latest M-Trends 2021 report. This threat combines traditional ransomware with other extortion tactics to coerce victims into complying with hefty demands. Because of the nature of multifaceted extortion, the basic disaster recovery procedures used during a ransomware attack are no longer an adequate recovery strategy on their own.


Attackers are innovating

The first known ransomware was documented in 1989. The ransomware hid directories and encrypted file names on a victim’s computer. Users had to pay $189 to regain access to their files. Since then, attackers have matured their technology and tradecraft to demand sums up to $50M. Today, ransomware spreads quickly through environments and encrypts entire drives, crippling business operations.

Financially motivated threat actors such as FIN11 employ ransomware-as-a-service to carry out their attacks. They outsource code development, eliminating the need to maintain that expertise themselves. To maintain anonymity, attackers now demand payment in cryptocurrencies such as bitcoin, making it increasingly difficult to track and locate them.


The move to multifaceted extortion

Threat actors have realized they can demand higher ransoms by targeting larger organizations and applying additional coercion techniques. Tactics that support multifaceted extortion include:

Impaired File Availability

Ransomware typically encrypts a target organization’s sensitive files, making them unavailable to legitimate users. This can be combated with security best practices and disaster recovery planning.

Threats to Publish Data

Theft of sensitive data is followed by threats to publish the data if the payment demands are not met. This form of extortion is more consequential because data breaches often carry more serious business consequences than service disruptions. According to the M-Trends 2021 report, “A data breach can result in greater reputational damage, regulatory fines, class action lawsuits, and derailed digital transformation initiatives. These consequences were not typically seen with ransomware before 2019.”


Attackers will post parts of the stolen data on name-and-shame websites to prove they possess it. The attackers then engage with media organizations to inflict brand damage, further coercing victims into paying a ransom. Some attackers have even notified business partners of the data theft, creating friction in third-party relationships and prompting breach disclosures.

How to protect your organization

Organizations should prioritize and take action to mitigate the risk of ransomware incidents. Based on experience with ransomware attacks through incident response engagements in 2020, Mandiant experts have observed several commonalities:

  • Large numbers of highly privileged accounts in Active Directory
  • Highly privileged non-computer accounts configured with service principal names (SPNs)
  • Security controls not configured to minimize the exposure and usage of privileged accounts across endpoints
  • Attackers modifying Group Policy Objects (GPOs) for ransomware deployment
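The following PowerShell audit is an added example, not part of the M-Trends report or Mandiant tooling. It checks a domain for the first, second and fourth commonalities above, assuming a domain-joined host with the RSAT ActiveDirectory and GroupPolicy modules and read access to the directory; the group list and the seven-day window are assumptions to adjust for your environment.

```powershell
# Added example: audit Active Directory for the weaknesses listed above.
# Assumes RSAT modules are installed; run with an account that can read AD.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Built-in highly privileged groups (assumed baseline; add your own tier-0 groups).
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

# 1. Count distinct privileged user accounts. -Recursive expands nested groups,
#    which is where privileged membership usually hides.
$PrivilegedUsers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$PrivilegedUsers = @($PrivilegedUsers | Sort-Object -Property DistinguishedName -Unique)
Write-Output "Distinct privileged user accounts: $($PrivilegedUsers.Count)"

# 2. Flag privileged non-computer accounts that carry a service principal name.
#    A service account with SPNs and a weak or stale password exposes a highly
#    privileged principal, so these should be reviewed and re-tiered.
$Flagged = foreach ($u in $PrivilegedUsers) {
    $acct = Get-ADUser -Identity $u.DistinguishedName `
        -Properties ServicePrincipalName, PasswordLastSet, Enabled
    if ($acct.ServicePrincipalName.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $acct.SamAccountName
            Enabled         = $acct.Enabled
            PasswordLastSet = $acct.PasswordLastSet
            SPNs            = ($acct.ServicePrincipalName -join '; ')
        }
    }
}
Write-Output "Privileged accounts with SPNs: $(@($Flagged).Count)"
$Flagged | Format-Table -AutoSize

# 3. List GPOs modified recently. Unexpected changes to a GPO, or a GPO whose
#    owner is not a known administrative account, warrant investigation since
#    GPO modification is a common ransomware deployment path.
$Window = (Get-Date).AddDays(-7)   # assumed review window
Get-GPO -All |
    Where-Object { $_.ModificationTime -gt $Window } |
    Select-Object DisplayName, Owner, ModificationTime |
    Sort-Object ModificationTime -Descending |
    Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new privileged member, a new SPN on a privileged account, or an unplanned GPO change is a signal worth an incident ticket rather than a later discovery.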

Hardening these environments will allow you to better defend your organization from ransomware. Full ransomware resiliency combines solid defenses with technical and process-oriented controls to enable recovery and reconstitution.

A full incident response investigation should take place alongside recovery efforts, with special care to reduce the likelihood of an attacker maintaining access. Removing that residual access reduces the risk of a repeat attack.

For details, read the full M-Trends 2021 report or access our Ransomware Defense Assessment.