Skip to content.

Emerging Developments in Ransomware

This article is part of our Cybersecurity Blog Series, which is intended to provide readers with a 360° view on cybersecurity. To view other blog posts in the series, please visit Cybersecurity Blog Series from McCarthy Tétrault’s Cyber/Data Group

Instances of ransomware have exploded in the past five years. In 2020 alone, it is estimated that the total cost to Canadian organizations in paid ransoms and lost productivity was US$4 billion.[1] In our recent post Ransomware: Avoidance and Response, we discussed steps organizations can take to be prepared for a ransomware attack. In addition, cybercriminals are continually evolving their methods looking to maximize their payout. In this companion piece, we look at some recent developments in ransomware that organizations will want to be aware of to help them manage risk associated with ransomware attacks.

Multiple Layers of Extortion

Cybercriminals are increasingly applying multiple layers of extortion to their attacks, meaning they can seek to extort a ransom payment more than once in relation to the same attack. Here are a few examples:

  • Double-Encryption—In “double-encryption” attacks, cybercriminals double-encrypt data. Once an organization pays a ransom and receives an encryption key, it finds that their data remains locked behind a second layer of encryption that allows the criminal to demand an additional ransom.
  • Double-Dipping—In “double-dipping” attacks, an organization is not only blocked from accessing their data, but all of some of its data is also stolen or “exfiltrated” by the cybercriminal. Like double-encryption, double-dipping allows cybercriminals to make two ransom payment demands: one to unencrypt the data and another in exchange for a promise not to use or sell the stolen data. Research indicates that nearly half of all ransomware cases in the third quarter of 2020 included the threat of releasing stolen data.[2]
  • Triple-Extortion—There have also been reports of threat actors employing a triple-extortion strategy. With triple-extortion, the threat actor executes a double-dipping attack but additionally sends ransom demands to any third parties who could be harmed by the disclosure or use of the stolen data (e.g. customers or affiliates of the attacked organization). Triple extortion attacks have the potential to cause even greater business, reputational and financial harm to a company.

Targeting the C-Suite

Some cybercriminals individually target executives in ransomware attacks, hoping that by targeting high level employees they will gain access to commercially or personally sensitive information and can command high ransom payments. Continual advancements in artificial intelligence may make it easier for cybercriminals to identify individual targets and compile personal information that they can then exploit to carry out the attack.[3] 

Not Just “Data” Companies

It is often perceived that cyberattacks target only companies seen as being in the “business of data”. However, all companies have data in their systems and rely on computer networks to operate their businesses. Threat actors have begun to target these “non-data” businesses too. The recent attack on JBS, the biggest meat packing company in the world, is one of many examples of a cyberattack against a non-data company. Industries as varied as construction, utilities, retail, real estate, hospitality, and healthcare are also targets of ransomware attacks.[4]

An Uncertain Future?

In June 2021, the United States Department of Justice seized a portion of the ransom payment made to the cybercriminals responsible for the Colonial Pipeline ransomware attack. [5] The United States has also signalled its intention to treat ransomware attacks as a top national security priority.[6] It is possible that governments will begin to take steps that will limit or prohibit a company’s ability to pay ransoms following a cyberattack in order to deal with a security breach.

These recent trends reinforce the importance of investing in cybersecurity protections to help avoid attacks, and in data recovery plans that provide for the various iterations an attack could take to mitigate their severity if they do occur. The option of paying a ransom to help deal with a breach may become less feasible or available over time.

Subscribe to our TechLex blog to receive the latest posts in the series.

Cybersecurity Blog Series and Related Insights:


To learn more about developing a cybersecurity strategy and an incident response plan, download a copy of our Cybersecurity Risk Management: A Practical Guide for Businesses or visit the Cyber/Data homepage.

To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.


[1] Emisoft, “Report: The Cost of Ransomware in 2021. A Country-by-Country Analysis” (27 April 2021), EMISOFT blog, online 
[2] Check Point Software Technologies Ltd. “Cyber Security Report 2021” (2021), Check Point Research.
[3] CyberCube, “Understanding Ransomware Trends: Ransomware Attack Methods Alter as Threat Actors Grow in Sophistication” (2020), p 7.
[4] Fabiana Bastista, Michael Hirtzer and Mike Dorning, “All of JBS’s U.S. Beef Plants Were Forced Shut by Cyberattack” (31 May 2021), Bloomberg, online:
[5] The United States Department of Justice “Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside” (7 June 2021), 
[6] Christopher Bing, “Exclusive: U.S. to Give Ransomware Hacks Similar Priority as Terrorism” (3 June 2021), Reuters, online



Stay Connected

Get the latest posts from this blog

Please enter a valid email address