Hackers behind JBS ransomware have new extortion tactic

Triple extortion cyberattacks threaten leaks and expand problem to business's partners or customers

The criminal gangs that carried out ransomware attacks on JBS, Colonial Pipeline and others have a new tactic.

REvil, aka Sodinokibi, was tagged by the FBI on Wednesday as the group behind the ransomware that forced meat producer JBS USA to temporarily shut down its operations.

In April, REvil (short for Ransomware Evil), demonstrated the use of a tactic called triple extortion, according to a research note from Check Point Research.


At that time, the gang launched an attack on Quanta Computer, a Taiwan-based laptop manufacturer which builds systems for U.S. companies such as Apple, Dell and Hewlett-Packard. The group went on to attempt to extort Apple directly, claiming to have confidential blueprints of future Apple products – adding yet another layer of ransom demands.

Darkside, the gang behind the Colonial Pipeline cyberattack, has also adopted the new ransomware tactic.

Triple Extortion

Conventional ransomware involves breaching a computer network, then encrypting valuable data so it is no longer accessible by a victim organization. The attackers then demand a ransom in return for a decryption key.

Double extortion goes further by tacking on threats to leak the data. This is meant to increase the pressure on victims to pay the ransom. In some cases, the data leak is a separate ransom, so the victim is being extorted for two payments.

Triple extortion expands the reach to customers, partners and other third parties related to the initial breach in an effort to extort even more money. 

Also, the addition of a Distributed Denial of Service (DDoS) attack to the mix – overwhelming the victim organization with a flood of internet traffic in order to bring down its network – can also be a form of triple extortion.


The criminal gangs that carried out ransomware attacks on JBS, Colonial Pipeline and others have a new tactic.

"This further ratchets up the pressure on the victim…[and] also adds another stressor to a security team already dealing with the first two events," according to Netscout, which offers solutions to block DDoS attacks.

The first notable case of triple extortion was the Vastaamo clinic attack in October 2020, according to Check Point. 

While the Finnish psychotherapy clinic, with over 40,000 patients, suffered extensive patient data theft and a ransomware attack, smaller sums were also demanded from the patients, who individually received ransom demands. The attackers also threatened to publish their therapist session notes. 


The "triple" aspect was targeting the patients, according to Check Point, which added that this was "the first attack of its kind within the ransomware attacks landscape."

"We are clearly in the middle of a ransomware pandemic," Mark Ostrowski, Head of Engineering, at Check Point Software, told Fox Business in a statement. "The technique of triple extortion, where hackers threaten not only their targets, but their target’s customers and partners, is a good example of this," he said.