Double Extortion Ransomware

Double extortion ransomware is an increasingly severe form of cyberattack that has evolved beyond traditional ransomware techniques. Instead of only encrypting files and demanding payment for recovery, attackers also steal sensitive data from the victim’s environment. This creates a dual pressure mechanism, where organisations are threatened not only with data loss but also with public exposure or sale of stolen information if the ransom is not paid.

This combination of encryption and data exfiltration significantly raises the stakes for affected organisations. The impact extends beyond operational disruption, often resulting in reputational damage, regulatory consequences, and loss of customer trust. As a result, double extortion campaigns are now considered one of the most damaging threats facing modern businesses.

Defending against this type of attack requires layered security controls. Regular and isolated data backups are essential to reduce dependency on ransom demands. Network segmentation helps limit lateral movement within systems, while endpoint protection and advanced threat detection tools improve the ability to identify malicious activity early. Employee awareness also plays a role, particularly in recognising phishing emails that are commonly used as an initial entry point.

Incident response planning is equally important, ensuring organisations can react quickly to contain and mitigate an attack. Clear procedures help reduce downtime and limit the spread of infection once a breach is detected.

These attacks typically begin with unauthorised access through phishing campaigns, exploited vulnerabilities, or compromised credentials. Once inside a network, attackers move to locate valuable data before deploying encryption tools and issuing ransom demands. The combination of stealth, data theft, and disruption makes detection and response time critical.

As this threat continues to grow across industries such as healthcare, finance, and manufacturing, organisations are increasingly required to adopt proactive cybersecurity strategies. Strengthening prevention, detection, and response capabilities is key to reducing exposure and limiting the impact of a successful attack.

The Evolution of Double Extortion

It all started in late 2019 with the first published double extortion ransomware case, involving a Ransomware-as-a-Service (RaaS) gang known as Maze (now defunct) and an American security systems and services provider known as Allied Universal. Maze was infamous for being the first to add doxxing to their ransomware attacks. When Allied Universal refused to pay the 300 bitcoin ransom demanded, the ransomware gang increased the ransom request by 50% and threatened to use the stolen identity in a spam operation. Additionally, the attackers published about 10% of the data they exfiltrated and gave Allied Universal two weeks to pay up or have the remaining 90% of their stolen data exposed online.

The Maze ransomware gang was reported to have exposed private information for many businesses and organizations that refused to comply with their demands. This helped to make double extortion a prevalent technique in the ransomware threat landscape, and such activity continued to grow over the rest of the year. Other strains soon followed, with the REvil/Sodinokibi attack that crippled the UK foreign exchange company Travelex. Many ransomware gangs are very active and prosperous in the double extortion business. Some of the most prominent include Netwalker, DoppelPaymer, Conti, Egregor, Nemty, and DarkSide. According to recent statistics, 77% of ransomware attacks involve the threat to leak exfiltrated data, and in 2022, double extortion ransomware is expected to grow even more. To make things worse, ransomware operators are now adding multi-level extortion techniques, such as incorporating distributed denial-of-service (DDoS) attacks and other attacks directed at the victim’s customers, suppliers, or partners.

Figure 1.0 | Multi-level ransomware extortion techniques | Image Credit: Trend Micro

Why Is Double Extortion Happening?

Double extortion has gained prominence following the increased adoption of cloud data backups. After the devastating WannaCry and NotPetya ransomware attacks of 2017, most organizations tried to improve their data backup and recovery processes to achieve some level of resilience to ransomware attacks, so that even if they lost access to their files, they could quickly restore from clean backups and go about their business without the fear of being held hostage. The effect of Covid-19 further accelerated the adoption of cloud services, including backup and recovery services. These improved security practices are giving organizations the boldness to say “No” to ransom payment in exchange for a decryption key.

Realizing the increased ransom avoidance, cybercriminals, in turn, have also adapted their techniques in what seems like an arms race. Now, rather than just encrypting files, double extortion ransomware exfiltrates the files before encrypting them. Imagine malware that combines ransomware with doxware. This means that even if an organization refuses to pay up, its data can be leaked online or sold to the highest bidder. This suddenly renders all its data backup and data recovery plans somewhat valueless. By using double extortion, and the threat of a data breach in addition to the potential for data loss, ransomware attackers can compel organizations to pay a ransom even if they can recover their data from clean backups.

Who Is Vulnerable to Double Extortion Ransomware? 

Any organization that directly holds vast amounts of data or holds client, supplier, or partner information is vulnerable to double and multi-level extortion attacks. The most apparent targets include healthcare, financial, and other organizations that hold valuable personal information. 

A typical example is the ransomware attack that targeted Taiwan-based hardware supplier Quanta. According to reports, the ransomware gang REvil claimed that it had accessed the internal computers of Quanta and managed to obtain several images and schematics of unreleased Apple products, and demanded that Quanta pay $50 million for recovery of the files. When Quanta refused to pay, the criminals decided to go after Apple for the money instead. Another example is the case that involved the Finnish physiotherapy provider Vastaamo. According to reports, about 10 gigabytes of data containing private notes of patients and their therapists was leaked on a website on the dark web. Rather than just demanding a ransom from Vastaamo itself, the ransomware gang also made ransom demands directly to the thousands of Vastaamo patients whose records they were able to exfiltrate.

How Can You Mitigate Double Extortion Ransomware?

As is the case with most ransomware attacks, there is no guarantee that attackers will keep to their words if you agree to pay the ransom to avoid a data leak. So what should you do in situations like this? How can you mitigate double extortion attacks? 

First and foremost, it’s important to note that detection and response efforts, necessary as they are, will not be sufficient on their own to deal with double extortion attacks, especially as many attackers wait until they have exfiltrated and encrypted your data before revealing themselves. By the time your detection tools alert you to ongoing malicious activity, the attackers are already in the middle of it.
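Because the data leaves the network before the encryption stage, the exfiltration phase is the earliest point where a defender can still act. The following is an added example, not code from the original article: a sliding-window check over constructed egress flow records that flags a host whose outbound volume to non-internal addresses exceeds a multiple of its usual hourly baseline. Host names, baselines, addresses and flow sizes are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress flow records: (timestamp, source host, destination IP, bytes sent)
SAMPLE_FLOWS = [
    ("2024-03-01T01:00:00", "ws-17", "10.0.5.20", 2_000_000),     # internal share, ignored
    ("2024-03-01T01:05:00", "ws-17", "203.0.113.9", 200_000_000),  # external, unusual hour
    ("2024-03-01T01:20:00", "ws-17", "203.0.113.9", 250_000_000),
    ("2024-03-01T01:40:00", "ws-17", "203.0.113.9", 180_000_000),
    ("2024-03-01T09:00:00", "ws-42", "198.51.100.7", 30_000_000),  # normal daytime traffic
    ("2024-03-01T09:30:00", "ws-42", "198.51.100.7", 25_000_000),
    ("2024-03-01T11:00:00", "ws-42", "198.51.100.7", 300_000_000), # large but isolated
]

# Constructed per-host baseline: bytes normally sent to external hosts per hour.
BASELINE_BYTES_PER_HOUR = {"ws-17": 50_000_000, "ws-42": 40_000_000}

# Internal ranges are declared explicitly; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exfil_candidates(flows, baseline, window=timedelta(hours=1), factor=10, default_baseline=50_000_000):
    """Return (host, window start, bytes) for each host whose external egress within any
    `window` exceeds `factor` times its baseline. One alert per host, at the first breach."""
    by_host = defaultdict(list)
    for ts, host, dst, nbytes in flows:
        if is_external(dst):
            by_host[host].append((datetime.fromisoformat(ts), dst, nbytes))
    alerts = []
    for host, recs in by_host.items():
        recs.sort()
        threshold = factor * baseline.get(host, default_baseline)
        start, total = 0, 0
        for end, (ts, _dst, nbytes) in enumerate(recs):
            total += nbytes
            # Drop records that fell out of the sliding window before comparing.
            while ts - recs[start][0] > window:
                total -= recs[start][2]
                start += 1
            if total > threshold:
                alerts.append((host, recs[start][0].isoformat(), total))
                break
    return alerts

if __name__ == "__main__":
    for host, since, nbytes in find_exfil_candidates(SAMPLE_FLOWS, BASELINE_BYTES_PER_HOUR):
        print(f"possible staging/exfiltration: {host} sent {nbytes:,} bytes externally since {since}")
```

A real deployment would derive the baseline from historical flow data per host and pair this volume signal with destination reputation and time-of-day context; the point here is that the signal exists before any file is encrypted.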

The threat of a double extortion ransomware attack is capable of destroying brand reputation and customer confidence. Concerted efforts must be made to prevent it from happening in the first place. Therefore, the best option is to focus on preventive measures. Conduct simulated attacks and penetration tests, and ensure that any existing security holes are patched as soon as possible so that attackers won’t be able to exploit those vulnerabilities. Provide regular security awareness training to your workforce, and ensure that security best practices such as the principle of least privilege and multi-factor authentication have been implemented across all users. If attackers breach an account, it will then be difficult for them to move laterally around the network.