
Double Extortion Ransomware: What It Is, How It Works And How To Prevent It
Ransomware has long been one of the leading cybersecurity concerns for businesses of all sizes. Traditionally, an attack worked by encrypting files or entire systems, shutting down a firm’s operations unless it paid for the decryption key. In the majority of today’s attacks, however, encryption alone is no longer the whole story.
The biggest cybersecurity risk now comes from ‘double extortion’ ransomware. This variant has been around for a while, but it has become a much bigger threat in the last few years as cybercriminals look for new ways to squeeze money out of their victims.
Double extortion ransomware has boomed in popularity among threat actors because it adds an extra layer of pressure on victims. Whereas well-prepared firms may be able to recover from a crypto or locker ransomware attack by reverting to backups, double and even triple extortion attacks are much harder to deal with, because restoring systems does nothing to recover data that has already been stolen.
Therefore it’s vital for ransomware protection that firms understand exactly what this threat involves, how it works in practice and how to defend against it.
What is Double Extortion Ransomware?

Double extortion ransomware works by exfiltrating data from the business to infrastructure controlled by the cybercriminals before, or alongside, encrypting files. The stolen data then becomes a second lever when demanding a ransom: as well as being stuck with unusable systems if they do not pay up, businesses face the threat of having their most sensitive and confidential assets exposed publicly, sold or revealed to competitors.
Data exfiltration is now a factor in the vast majority of ransomware incidents: BlackFog research indicates that in the third quarter of 2025, 96 percent of attacks involved it.
Double extortion ransomware has become the standard among cybercriminals because it works. Many businesses may feel they have no choice but to pay up – even if they would otherwise be able to recover encrypted data – because of the consequences they may otherwise face.
Double Extortion vs Multi-Extortion Ransomware
Adding data exfiltration is just one of a number of evolving multi-extortion tactics used by criminals. There is also triple extortion ransomware, which adds a DDoS element to the attack, and even quadruple extortion, where threat actors directly pressure executives, customers or other stakeholders. This was seen in the 2025 attack on the Kido Schools group of nurseries, where the attackers contacted parents directly with threatening phone calls.
How Double Extortion Ransomware Works
A double extortion ransomware attack will follow a few key steps as ransomware groups gain access to a firm, seek out information and then extract it. A typical incident may progress as follows:
- Initial access: Gained via phishing emails, compromised endpoints or exploiting unpatched software vulnerabilities.
- Privilege escalation: Attackers elevate access using stolen credentials or tools like Mimikatz to move laterally.
- Data exfiltration: Sensitive data is located and transferred out of the network via encrypted channels, typically after 11 to 24 days of undetected access.
- Encryption: Ransomware is deployed to lock files and systems, often outside working hours to delay response.
- Ransom demand: A demand is issued for payment in exchange for a decryption key, usually in cryptocurrency.
- Threat of public release: To increase pressure, attackers threaten to leak or sell the stolen data if the ransom isn’t paid.
Impact on Businesses and Individuals
The impact of double extortion ransomware on businesses can be wide-ranging. As well as the blow to the reputation of a company if it becomes public knowledge that it has failed to protect customer data, this can leave it exposed to action from regulators. If local data protection authorities determine the breach was the result of carelessness or negligence, it can leave the company facing multi-million dollar fines.
Common expenses that businesses can expect to see as a result of double extortion ransomware include:
- Direct ransom payments
- Lost business due to downtime
- Loss of customers due to reputational damage
- External consultants for mitigation and investigation
- New technology to harden systems against future attacks
- Regulatory fines
- Class action lawsuit expenses
- Higher cyber insurance premiums
Individuals may also face severe consequences. For example, the exposure of healthcare records can be very harmful and embarrassing. This is one reason why organizations in this sector are particularly tempting targets for ransomware groups. Indeed, the payment of a $22 million ransom by Change Healthcare in 2024 is reported to have fueled a wave of attacks targeting these firms in the following months, while BlackFog’s data shows healthcare remains one of the most commonly targeted sectors.
Elsewhere, exposure of individual login details and financial information can be hugely useful to fraudsters – especially if customers have reused passwords across multiple sites. As a result, ransomware victims may also find themselves needing to pay for credit monitoring services or direct compensation for any customers impacted in an attack.
Double Extortion Ransomware Prevention Strategies
Once data is in the hands of criminals, the damage is done. Therefore, the best defense against this type of attack is to focus on ransomware prevention. This means being able to spot, identify and contain attacks before they have a chance to find and exfiltrate data. To do this, it’s important to take a defense in depth approach that includes layers of protection.
Key elements that must be included in this are:
- Zero Trust architecture: Assume breach by default. This means verifying all users and devices continuously to stop attackers from moving laterally after initial access.
- Data exfiltration prevention technologies: Deploy tools like anti data exfiltration (ADX) to block unauthorized outbound transfers in real-time and stop attackers before they can steal sensitive files.
- Patch and vulnerability management: Regularly update all systems and applications to close known security gaps that ransomware groups exploit for access.
- Email security and MFA: Filter malicious attachments and links at the gateway and enforce multi-factor authentication to prevent credential theft and phishing-based breaches.
- Network segmentation: Divide the network into isolated zones to contain ransomware spread and limit the pathways to high-value data.
- Privileged Access Management: Restrict admin privileges and use just-in-time access to reduce the blast radius if credentials are compromised.
- Continuous monitoring for anomalous data movement: Use behavioral analytics to detect unusual file access or transfers and trigger rapid containment before exfiltration occurs.
Essential Response And Mitigation Strategies
If all these measures fail and firms do find themselves facing a data breach and a ransomware demand, there should still be a response and recovery plan in place. As is the case with any security incident, this must begin by ensuring all infected systems are isolated so that the damage is contained as much as possible, before turning to backup and recovery plans in order to retrieve any encrypted data.
An effective ransomware remediation plan should cover the following steps:
- Contain infection: Immediately isolate infected endpoints and servers to stop ransomware from spreading or continuing data exfiltration.
- Disable lateral movement: Revoke compromised credentials, shut down shared services, and enforce network segmentation to prevent attackers accessing additional systems.
- Identify exfiltrated data: Analyze logs and outbound traffic to determine what data was stolen, which is critical in assessing double extortion risk.
- Notify internal security and legal teams: Engage incident response, legal, and executive stakeholders early to coordinate technical, legal, and communications decisions.
- Follow regulatory requirements: Report breaches as required under rules like GDPR within mandated timelines (72 hours from becoming aware of the breach in the case of GDPR) to avoid additional penalties and ensure compliance.
- Restore from protected backups: Recover systems using clean, offline backups to avoid reinfection and reduce reliance on ransom payments.
- Conduct forensic analysis: Investigate root cause and attacker behavior to close gaps and prevent repeat attacks or future data exfiltration.
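The continuous-monitoring control in the prevention list and the “identify exfiltrated data” step above both come down to the same check: measuring each host’s outbound volume to external destinations against what is normal for that host, and recording where the bytes went. The following Python is an added example of that logic written for this article; it is not BlackFog’s ADX or any product’s code. The egress log format, host names, destination addresses, byte counts, per-host baselines and the 08:00 to 17:59 UTC working day are all constructed assumptions.

```python
"""Baseline-based check for anomalous outbound data movement.

Added example for this article; it is not BlackFog's ADX or any product's code.
The egress log format, host names, destination IPs, byte counts and baselines
below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed egress log: "<ISO timestamp> <src_host> <dst_ip>:<port> <bytes_out>"
SAMPLE_LOG = """\
2025-10-02T01:12:03Z ws-finance-07 10.0.5.20:445 2100000
2025-10-02T01:15:44Z ws-finance-07 198.51.100.23:443 845000000
2025-10-02T01:17:10Z ws-finance-07 198.51.100.23:443 910000000
2025-10-02T02:03:51Z ws-hr-02 203.0.113.9:443 5200000
2025-10-02T09:10:00Z ws-hr-02 203.0.113.9:443 4800000
2025-10-02T09:11:30Z fileserver-01 10.0.5.20:445 1500000000
2025-10-02T10:00:00Z ws-finance-07 203.0.113.77:443 320000
"""

# Constructed baseline: typical external bytes per host per day. In practice
# this is learned from historical traffic, not hard-coded.
BASELINE_BYTES_PER_DAY = {
    "ws-finance-07": 40_000_000,
    "ws-hr-02": 30_000_000,
    "fileserver-01": 20_000_000,
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

WORK_HOURS = range(8, 18)  # assumed 08:00-17:59 UTC working day


def parse_line(line):
    """Parse one constructed log line into a dict; raises ValueError on bad input."""
    ts, host, dst, nbytes = line.split()
    ip, port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "dst_ip": ipaddress.ip_address(ip),
        "port": int(port),
        "bytes": int(nbytes),
    }


def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)


def summarize_external(log_text):
    """Per host: total external bytes, bytes sent outside work hours, bytes per destination."""
    totals = defaultdict(int)
    off_hours = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_external(rec["dst_ip"]):
            continue  # internal staging (e.g. to a file share) is a separate signal
        host = rec["host"]
        totals[host] += rec["bytes"]
        per_dest[host][str(rec["dst_ip"])] += rec["bytes"]
        if rec["ts"].hour not in WORK_HOURS:
            off_hours[host] += rec["bytes"]
    return totals, off_hours, per_dest


def flag_anomalies(log_text, baseline, multiplier=5.0):
    """Return alerts for hosts whose external volume exceeds multiplier x baseline,
    or that have no baseline at all (unknown hosts are treated as suspicious)."""
    totals, off_hours, per_dest = summarize_external(log_text)
    alerts = []
    for host, total in totals.items():
        base = baseline.get(host)
        if base is not None and total <= multiplier * base:
            continue
        top_dst = max(per_dest[host], key=per_dest[host].get)
        alerts.append({
            "host": host,
            "bytes": total,
            "baseline": base,
            "off_hours_bytes": off_hours[host],
            "top_dst": top_dst,
            "top_dst_bytes": per_dest[host][top_dst],
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(SAMPLE_LOG, BASELINE_BYTES_PER_DAY):
        print(alert)
```

Run as a script, the block prints a single alert for ws-finance-07: roughly 1.76 GB sent to one external address, almost all of it before 02:00, against a 40 MB daily baseline. ws-hr-02 stays under its threshold, and the 1.5 GB internal SMB transfer from fileserver-01 is deliberately not flagged, since copying to an internal share is staging rather than exfiltration and needs its own rule. A real deployment would learn the baselines from history, key on destination reputation as well as volume, and feed the alert straight into the containment step: isolate the host, then use the per-destination totals to scope what may have left.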
When it comes to double extortion ransomware, the most important question will be whether or not to pay. In cases where businesses are being threatened with the public exposure of confidential data, it can be highly tempting to give in so this can be prevented.
However, in practice, there are several reasons why this is often a bad idea. These include:
- There is no guarantee that criminals will keep their word and delete any data they possess.
- Firms may not be able to recover all encrypted information.
- It will likely make them a target for repeated attacks in the future.
- A payment could be illegal depending on local laws relating to funding criminal activity, and sanctions regimes can prohibit paying groups or intermediaries on a sanctions list.
Therefore, while it may be more painful in the short term to resist any demand, it is likely to be a far better approach in the long run.
The Importance Of Early Detection And Prevention
Ultimately, once data is in the hands of criminals, there is only so much firms can do. That’s why the best defense against double and, increasingly, multi-extortion ransomware is preventing data from leaving the network in the first place. Tools such as continuous monitoring, access controls, encryption and ADX are all essential, alongside strong employee education on emerging threats.
Ransomware attacks are now a near inevitability. But with the right layered defenses, early detection capabilities and a clear response plan in place, firms can act fast, contain the threat and prevent attackers from accessing or leaking sensitive data.