Double extortion ransomware combines file encryption with data theft: the victim is threatened both with loss of access to its systems and with public release of stolen sensitive data. This undermines the backup-based recovery strategy that previously let organizations refuse to pay, because restoring from backup does nothing about the copy of the data the attackers already hold, so there is pressure to pay even when every encrypted system can be rebuilt.
Before deploying the encryption payload, attackers typically spend days to weeks moving laterally through the compromised network and identifying the most sensitive data: financial records, customer databases, intellectual property, legal documents and employee information. That data is usually collected into archives on an internal staging host and then uploaded to attacker-controlled or third-party cloud storage, often with legitimate file-transfer tools so the traffic blends in with normal egress. Only after exfiltration is complete does the encryption phase run, typically pushed to all reachable systems within a short window. The ransom note arrives with proof of theft, often sample files or directory listings. If the victim refuses to pay or negotiates below the demanded amount, the attackers publish samples on a dedicated leak site and threaten full release; some groups also auction the data to other criminal organizations to add pressure.
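The exfiltration phase described above is visible on the network as a burst of outbound volume from one internal host to a destination that host has never talked to. The following detector is an added example written for this page, not CDA's code: it runs over constructed flow records (timestamp, source, destination, port, bytes out), learns each host's usual external destinations from a baseline week, and alerts when an internal host pushes more than a fixed ceiling to a single external destination inside a one-hour sliding window. The cutoff date, ceiling, window length and all IP addresses are assumptions chosen for the sample data.

```python
"""Toy exfiltration detector over constructed flow records (example, not production code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Tunables, assumed for this example. A real deployment baselines per host and per hour of day.
BASELINE_CUTOFF = datetime(2024, 3, 8)       # flows before this date only build the baseline
WINDOW = timedelta(hours=1)                   # sliding window for volume accounting
BYTES_CEILING = 5 * 1024 ** 3                 # 5 GiB to one destination within WINDOW

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; everything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one whitespace-separated record: <iso timestamp> <src> <dst> <dport> <bytes_out>."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def detect_exfil(lines):
    """Return one alert per (src, dst) pair whose egress exceeds BYTES_CEILING inside WINDOW."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    # Internal-to-internal copies (the staging step) are out of scope for this network check.
    egress = [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]

    known = defaultdict(set)      # src -> external destinations seen during the baseline
    recent = defaultdict(list)    # (src, dst) -> [(ts, bytes), ...] after the cutoff
    for f in egress:
        if f["ts"] < BASELINE_CUTOFF:
            known[f["src"]].add(f["dst"])
        else:
            recent[(f["src"], f["dst"])].append((f["ts"], f["bytes"]))

    alerts = []
    for (src, dst), events in recent.items():
        events.sort()
        total, lo = 0, 0
        for ts, nbytes in events:                 # two-pointer sliding window over sorted flows
            total += nbytes
            while ts - events[lo][0] > WINDOW:    # drop flows that fell out of the window
                total -= events[lo][1]
                lo += 1
            if total > BYTES_CEILING:
                alerts.append({"src": src, "dst": dst, "bytes": total, "window_end": ts,
                               "new_destination": dst not in known[src]})
                break                             # one alert per pair is enough for triage
    return alerts


# Constructed sample data: a baseline week of routine traffic, then a detection day.
MiB = 1024 ** 2


def _line(ts, src, dst, dport, nbytes):
    return f"{ts.isoformat()} {src} {dst} {dport} {nbytes}"


SAMPLE_FLOWS = []
for day in range(1, 8):                           # baseline: daily SaaS sync and nightly 3 GiB backup
    d = datetime(2024, 3, day)
    SAMPLE_FLOWS.append(_line(d.replace(hour=9), "10.0.5.23", "203.0.113.10", 443, 200 * MiB))
    SAMPLE_FLOWS.append(_line(d.replace(hour=2), "10.0.9.1", "203.0.113.50", 443, 3 * 1024 * MiB))
d = datetime(2024, 3, 8)                          # detection day
SAMPLE_FLOWS.append(_line(d.replace(hour=2), "10.0.9.1", "203.0.113.50", 443, 3 * 1024 * MiB))
SAMPLE_FLOWS.append(_line(d.replace(hour=9), "10.0.5.23", "203.0.113.10", 443, 200 * MiB))
SAMPLE_FLOWS.append(_line(d.replace(hour=1), "10.0.5.23", "10.0.1.5", 445, 20 * 1024 * MiB))  # internal staging copy
for minute in range(60):                          # 12 GiB pushed to a never-before-seen host in one hour
    SAMPLE_FLOWS.append(_line(d.replace(hour=3, minute=10) + timedelta(minutes=minute),
                              "10.0.5.23", "198.51.100.77", 443, 200 * MiB))

if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_FLOWS):
        print(a)
```

Run as a script, the only alert is the workstation pushing to 198.51.100.77, raised at the 26th one-minute flow when the running total first crosses 5 GiB; the nightly backup host stays quiet because it never exceeds the ceiling, and the 20 GiB internal copy to the staging host is ignored by this network-layer check, which is why host-level monitoring of bulk archive creation belongs alongside it. The new_destination flag is what separates this from a noisy bulk transfer to a known partner and is a reasonable first triage key.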
Double extortion neutralizes the leverage that offline backups gave defenders: organizations can restore their systems but cannot retrieve the stolen copy. The breach component triggers regulatory notification duties, class action exposure, reputational damage and competitive harm whose cost can exceed the ransom itself, and this pressure dynamic has increased both the rate of payment and the average ransom amount. Defending against it means treating exfiltration and encryption as one campaign: backups remain necessary but are no longer sufficient, and organizations also need egress monitoring and data loss prevention that catch bulk staging and unusual outbound volume before the encryption stage.
CDA addresses double extortion through two missions: Data Protection and Sovereignty, for exfiltration prevention, and Threat Intelligence and Defense, for attack chain disruption. Our approach focuses on early detection of the pre-encryption reconnaissance and exfiltration phases, where defenders have the best opportunity to contain the attack before maximum damage occurs.