Everything you need to know about double extortion ransomware
Cyberattacks and the methods used by cybercriminals are constantly evolving. As a result, attacks are becoming more advanced and at the same time more costly for those affected. The loss of access to critical data can severely impact businesses, and one of the most concerning developments is double extortion ransomware, a method that combines traditional ransomware with additional pressure tactics to force victims to pay.
Ransomware is already considered one of the most serious cyber threats to businesses, and the impact of a double extortion ransomware attack can be devastating. In this article, we take a closer look at what this attack method involves and how you can protect your organisation.
What is ransomware?
Ransomware is a type of malicious software that infects a computer, server, or entire network. It typically comes in two forms: locker ransomware and crypto-ransomware. Locker ransomware blocks access to systems without encrypting files, while crypto-ransomware encrypts files, making them inaccessible.
When ransomware is installed on a device, it encrypts or locks the data and blocks the user’s access. Victims are then met with a demand for payment, often in cryptocurrency, in exchange for regaining access to their data. Once the payment is verified, the attackers provide a decryption key for the encrypted files. Ransomware can be thought of as a digital hostage situation, where files or systems are held captive.
Most ransomware attacks begin with phishing emails. A user clicks on a malicious link or attachment, and the malware is installed silently in the background.
What makes double extortion ransomware different?
A double extortion ransomware attack builds on the classic ransomware technique. The criminals not only encrypt data and demand a ransom but also steal the data beforehand. If the ransom is not paid, they threaten to leak the stolen data, sell it on the dark web, or permanently delete it. Data leaks can occur even after victims restore their networks, leading to severe consequences.
This extra layer of pressure is designed to force victims to comply, especially if they have backups that could otherwise help them recover without paying. By threatening to expose confidential or sensitive information, the attackers exploit the fear of reputational and legal damage.
A notable example is the attack on 7-Eleven in Denmark in August 2022. The attack shut down all 175 stores nationwide, but the company managed to resume operations within a few days without paying a ransom. This case highlights why attackers are now using double extortion – they know that simple encryption of files is no longer enough to guarantee a payout.
How double extortion ransomware works
Double extortion ransomware attacks follow a multi-stage process. Threat actors first gain initial access to a victim’s system, often through phishing or by exploiting software vulnerabilities. Once inside, they use various techniques to move laterally within the network, identifying sensitive data and exfiltrating it. This stolen data is then used as leverage: the attackers threaten to release it on the dark web if the ransom demand is not met. They also deploy malicious software to encrypt critical files and systems, further increasing the pressure on the victim to pay. Understanding how double extortion ransomware works is crucial for developing effective security measures and cybersecurity awareness training to prevent such attacks.
Data exfiltration techniques
Data exfiltration is a critical component of double extortion ransomware attacks: attackers use various methods to steal valuable data from the victim’s network before encryption begins. This can include techniques such as SQL injection, remote file inclusion, or the abuse of legitimate tools. Attackers may also compress, encrypt, or obfuscate the data to evade detection during the exfiltration process, and they may use automated scripts or manual processes to extract sensitive information efficiently. The exfiltrated data is then used to extort the victim, with the threat of its release on the dark web serving as a powerful motivator for payment. Security measures such as network segmentation and access management can help prevent data exfiltration and mitigate the risk of double extortion ransomware attacks.
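The exfiltration stage is where defenders still have a chance to catch the attack before the encryption stage starts. The following is an added example, not code from the original article, of simple detection logic run over constructed flow-log lines: it aggregates outbound bytes from internal hosts to external destinations and flags pairs whose volume is both large and heavily outbound-skewed, noting whether it happened outside business hours. The log format, the internal address ranges and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow log (not from the article): timestamp src dst bytes_out bytes_in.
# Host 10.0.1.15 pushes over a gigabyte to an external address at 01:00 UTC.
SAMPLE_FLOWS = """\
2025-05-10T01:02:03Z 10.0.1.15 203.0.113.7 620000000 14000
2025-05-10T01:05:00Z 10.0.1.15 203.0.113.7 540000000 12000
2025-05-10T09:10:00Z 10.0.1.22 198.51.100.9 1500 380000
2025-05-10T09:15:00Z 10.0.1.15 10.0.2.5 900000000 900000
2025-05-10T10:00:00Z 10.0.1.30 198.51.100.9 4000 2000000
"""
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed ranges
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, out_b, in_b = m.groups()
            flows.append({"ts": ts, "src": src, "dst": dst, "out": int(out_b), "in": int(in_b)})
    return flows

def find_exfil_candidates(flows, min_out_bytes=100_000_000, min_ratio=50.0, off_hours=(0, 6)):
    """Flag internal->external pairs whose outbound volume is large and heavily
    outbound-skewed; internal-to-internal copies (staging) are skipped here."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "off_hours": False})
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        t = totals[(f["src"], f["dst"])]
        t["out"] += f["out"]
        t["in"] += f["in"]
        hour = int(f["ts"][11:13])  # UTC hour taken from the ISO timestamp
        if off_hours[0] <= hour < off_hours[1]:
            t["off_hours"] = True
    findings = []
    for (src, dst), t in totals.items():
        ratio = t["out"] / max(t["in"], 1)
        if t["out"] >= min_out_bytes and ratio >= min_ratio:
            findings.append({"src": src, "dst": dst, "out_bytes": t["out"],
                             "ratio": round(ratio, 1), "off_hours": t["off_hours"]})
    return sorted(findings, key=lambda x: -x["out_bytes"])
```

In practice the thresholds should be derived from each host's own baseline rather than fixed constants, and the internal staging copy to 10.0.2.5 would be a separate lateral-movement alert.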
Common tactics in double extortion attacks
There are several ways cybercriminals apply pressure during a double extortion ransomware attack. Here are some of the most common:
- Data leakage or exposure: The attacker threatens to leak or publish sensitive data. This data is exfiltrated before it is encrypted, allowing the criminal to sell or release it even if the victim manages to restore access to their systems. Ransom demands are used to exert pressure on victims by threatening to expose this stolen data online if the demands are not met within a given timeframe.
- DDoS attacks: If the threat of leaking data doesn’t succeed, the criminals may launch a Distributed Denial of Service (DDoS) attack. This overwhelms the organisation’s servers and disrupts business operations, adding another layer of urgency. Ransomware gangs often employ these tactics to ensure their demands are met. Dive deeper into how DDoS attacks work and how to defend against them.
- Contacting customers or partners: Attackers may threaten to inform customers, business partners, or other stakeholders about the breach. This can be damaging to the company’s reputation and increase the pressure to pay.
- Selling data to competitors: Some groups go as far as threatening to sell stolen trade secrets or business data to competitors, creating a strategic risk that organisations can’t afford to ignore.
These techniques are often used together to make the victim feel cornered. The more pressure the malicious actors apply, the higher the chance of a payout.
Examples of ransomware campaigns
Several notable ransomware groups have been involved in double extortion attacks, including the REvil ransomware gang and the Maze ransomware group. These groups have targeted various industries, including healthcare and finance, resulting in significant financial losses and reputational damage for the victims. For instance, the REvil ransomware attack on JBS Foods and the Maze ransomware attack on Travelex are examples of how double extortion ransomware can have devastating consequences. These attacks highlight the importance of robust cybersecurity measures, including regular backups, patching vulnerabilities, and implementing a zero-trust architecture to prevent initial access and lateral movement within the network.
Potential risks
The potential risks associated with double extortion ransomware attacks are substantial, including data exposure, financial loss, and reputational damage. If a victim refuses to pay the ransom, the attackers may release the stolen data on the dark web, leading to a data breach that can have long-lasting consequences. Moreover, the encryption of critical files and systems can lead to significant downtime and disruption of operations, further exacerbating the financial impact of the attack. Implementing security measures such as multi-factor authentication, regular security audits, and cybersecurity awareness training can help mitigate these risks. Additionally, having an incident response plan in place can help organisations respond quickly and effectively in the event of a double extortion ransomware attack. Learn more about how data breaches happen and how to protect your organisation, and discover why MFA is a crucial defence layer against evolving cyber threats.
How to prevent double extortion ransomware
The number of double extortion ransomware attacks is increasing, and the methods are becoming more aggressive. According to the European Union Agency for Cybersecurity (ENISA), extortion-based ransomware continues to evolve rapidly, exploiting vulnerabilities in the software supply chain to increase its impact and profitability.
Fortunately, there are effective steps organisations can take to protect themselves:
- Use reliable security software: Install antivirus and antimalware tools, and make sure email systems have strong filters in place to stop phishing emails. Run regular security scans to detect threats early.
- Keep systems updated: Update all systems and software regularly to close known vulnerabilities and prevent attackers from gaining access.
- Back up your data securely: Make regular backups and store them offline or on external devices. This gives you a way to restore data if systems are compromised. Data backups are crucial in defending against ransomware attacks, particularly in the context of double extortion tactics.
- Create and test a response plan: Have a detailed contingency plan in place that outlines how to respond to a ransomware attack. Make sure your team knows their roles and how to act quickly and efficiently if an attack occurs. Robust ransomware defence strategies are essential to protect against different types of ransomware attacks, especially those that can bypass conventional backup measures.
- Raise employee awareness: Train staff to recognise phishing attempts. Simulated phishing emails can be an effective way to improve awareness.
Simple habits such as checking the sender’s email address and hovering over links before clicking can go a long way in preventing attacks.
Response and mitigation
Responding to and mitigating double extortion ransomware attacks requires a comprehensive approach that includes both technical and procedural measures. Technically, this involves implementing robust security software, keeping operating systems and applications up to date, and using threat intelligence to stay ahead of emerging cyber threats. Procedurally, it involves training employees to recognise and report phishing attacks, implementing a zero-trust architecture to limit lateral movement, and having a well-rehearsed incident response plan. In the event of an attack, swift action is necessary, including isolating affected systems, notifying relevant authorities, and considering payment of the ransom only as a last resort. Sharing threat intelligence and collaborating with other organisations can also help in preventing and responding to double extortion ransomware attacks, ultimately reducing the risk of data theft and ransomware infections.
This post has been updated on 13-05-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.