**4.2 Extortion**

The advent of extortion as a tactic has emerged as one of the major reasons for high-profile ransomware attacks in the last few years. Three are four types of extortion prevalent that are highlighted in **Figure 7**.

Single extortion refers to the deployment of ransomware post-exploitation. The attacker demands a ransom in exchange for decrypting the files.

Double extortion refers to attackers exfiltrating data before the deployment of ransomware. The attacker then threatens the victim to leak the data publicly. The Maze ransomware group pioneered this when they added double extortion as a tactic to their playbook. More threat actors followed suit had started to have dedicated leak sites (DLS) to release the stolen data.

In 2020, threat actors took extortion to another level and added DDoS attacks to encryption and data exposure threats. This is known as triple extortion. This was first performed by SunCrypt and RagnarLocker operators in the latter half of 2020 [12].

In 2021, a fourth level known as Quadruple extortion was introduced. With quadruple extortion, ransomware operators also reach out directly to a victim's customers and stakeholders, thereby adding more pressure to the victim. DarkSide operators employ the quadruple extortion scheme in some of their attacks by launching DDoS attacks and directly contacting customers through designated call centers [12].

**Figure 7.** *Types of ransomware extortion.*
