Three Key Ransomware Trends in 2022: RaaS, Multiple Extortion, and IABs

Suleyman OZARSLAN, PhD
Picus Security
Published in
4 min readJan 24, 2022


3 ransomware trends you need to know in 2022: Ransomware as a Service (RaaS), Quintuple Extortion, and Initial Access Brokers (IABs)

Originally published at

Ransomware has become a powerful tool with a profitable revenue model for cyber threat actors in recent years. It is a widespread and well-known threat to organizations today. Ransomware attacks’ impact on organizations can be substantial, causing significant disruption to daily operations and even resulting in damaging consequences for their employees and clients. In this blog, the recent ransomware trends are explained.

Trend #1: Ransomware as a Service (RaaS)

Although ransomware was initially targeted home users, threat actors’ social engineering techniques have expanded to breach enterprise networks. As a result, ransomware has evolved into a service available for rent or sale on Dark Web forums. This development laid the foundation for Ransomware as a Service approach. Ransomware as a Service (RaaS) is a business model utilized by ransomware threat actors that enables anyone with even elementary technical skills to start ransomware attacks simply by subscribing to a service.

Ransom message of the DarkSide ransomware

Trend #2: Multiple Extortion

Threat actors have increasingly enhanced their methods for extorting additional money from their victims. The current extortion methods used by ransomware threat actors are discussed below.

1. File Encryption — Single Extortion

Demanding ransom for access to encrypted data and infected systems

Initially, ransomware restricted you from accessing your data or infected systems by encrypting files on compromised machines and demanding payment for the decryption key. In this single extortion approach, victims pay a ransom fee to regain access to encrypted data and compromised systems that cannot operate due to encrypted files.

2. Data Exfiltration — Double extortion

Threatening for data leakage or disclosure

As ransomware attacks gained popularity, enterprises improved their data backup practices to combat file encryption attacks. Data backups eliminated the need for ransom payments and enabled enterprises to restore data from backups. As a response, ransomware groups exfiltrate data from victims before encryption and then threaten to leak or publish the exfiltrated data. Threatening victims with encryption and data exfiltration is a form of double extortion.

3. Distributed Denial of Service Attack — Triple Extortion

Threatening to disrupt operations

Some organizations might restore from backups and accept the risk of data exfiltration. Ransomware threat actors started threatening organizations with distributed denial of service attacks as a countermeasure. These attacks can potentially overload a server or a network with traffic, causing operations to halt and become further disrupted. This triple extortion technique includes denial of service attacks, data encryption, and data exfiltration.

4. Contacting clients and stakeholders of the victim — Quadruple extortion

Threatening to contact with clients

Ransomware operators now actively contact the victim organization’s consumers and stakeholders, forcing the victim under tremendous pressure. Leveraging this extortion method with the previous ones is called quadruple extortion. DarkSide operators, for example, employ the quadruple extortion method in a variety of their attack campaigns, which include DDoS attacks and direct contact with clients via designated call centers.

5. Contacting the victim’s competitors — Quintuple extortion

Threatening to sell confidential information to competitors

In quintuple extortion, ransomware threat actors increase the victim’s stress by threatening to sell stolen data to competitors or investors interested in the victim organization’s trade secrets.

Note that different ransomware families employ various levels of extortion; some use only first-phase methods, while others utilize all extortion methods. Furthermore, these stages are not always consecutive.

Trend 3 — Initial Access Brokers (IABs)

Initial Access Brokers are financially motivated threat actors who profit through the illegal sale of remote access to enterprise networks. Initial Access Brokers (IABs) scan networks for known vulnerabilities on remote systems. Additionally, IABs sell the information and tools necessary to conduct network breaches using SQL injections, remote code execution (RCE) exploits, and other exploited vulnerabilities.

By requiring payment only for confirmed access to a given target, Initial Access Brokers have accelerated and simplified the initial access phase of the attack chain for adversaries.

The open-access cybersecurity academy — Purple Academy by Picus has added a new learning path dedicated to ransomware to its catalog. Take a look at our 1-hour open-access (free) online course “Ransomware Attacks: Fundamentals, TTPs, and Countermeasures” to learn more about ransomware attacks.



Suleyman OZARSLAN, PhD
Picus Security

Co-founder @ PICUS | VP of Picus Labs | Purple Academy | Hacker | Researcher | Former Cyber Security Trainer @ NATO SPS #infosec #cybersecurity #enterpreneur