Double Extortion Ransomware | What is it and How it Works?


Double extortion is a cybersecurity tactic employed by cybercriminals to maximize their leverage and financial gains through a two-pronged attack approach.

At its core, double extortion combines traditional ransomware attacks with data exfiltration. Initially, cybercriminals infiltrate a victim’s network, encrypting critical data, and then demanding a ransom for its decryption. However, the twist lies in their second move: prior to encrypting the data, they surreptitiously steal sensitive information. If the victim refuses to pay the decryption ransom, the attackers threaten to publicly release or sell the stolen data, exposing organizations to reputational damage, legal consequences, and regulatory fines.

This strategy has amplified the impact of ransomware attacks, making them even more financially crippling and strategically dangerous. It forces victims into a dilemma of whether or not to pay, increasing the likelihood of ransom payments, which, in turn, emboldens cybercriminals to continue future campaigns.

Double extortion underscores the evolving sophistication of cyber threats, highlighting the need for a holistic approach to cybersecurity that encompasses not only robust defenses against ransomware but also vigilant data protection and incident response strategies.

A Brief Overview of Double Extortion

Double extortion is a sophisticated cyber threat tactic that has reshaped the landscape of ransomware attacks in recent years. This malicious strategy involves cybercriminals not only encrypting a victim’s data but also stealing sensitive information prior to encryption, effectively holding it hostage. If the victim refuses to pay the ransom for decrypting their data, the attackers threaten to publicly release or sell the stolen information, amplifying the stakes and consequences of the attack.

Double extortion first emerged as a noticeable trend in the ransomware landscape around 2019, with the emergence of notable strains like Maze and REvil. These cybercriminal groups recognized the immense value of the data they were compromising and began demanding additional ransoms, typically in cryptocurrency, under the threat of exposing this data. This innovative approach significantly increased the financial pressure on victims and made it more likely that they would comply with the extortion demands.

Today, double extortion attacks have become alarmingly prevalent. Cybercriminals use it to target a wide range of organizations, from small businesses to large enterprises and even government institutions. The stolen data often includes sensitive customer information, proprietary intellectual property, and confidential internal documents, making the potential consequences of exposure even more severe.

To defend against double extortion attacks, organizations must adopt a comprehensive cybersecurity strategy that includes robust threat detection and prevention, regular data backups, employee training on recognizing phishing attempts, and a well-defined incident response plan (IRP).

Understanding How Double Extortion Works

Double extortion is a complex and insidious cyberattack technique that combines data theft with traditional ransomware tactics. From a technical standpoint, the process involves several distinct stages:

Initial Access and Reconnaissance

Attackers use various methods like phishing emails, exploiting software vulnerabilities, or credential theft to gain initial access to the victim’s network. Once inside, they conduct reconnaissance to identify high-value targets and locate sensitive data repositories.

Data Exfiltration Techniques

Attackers employ advanced techniques, such as SQL injection, remote file inclusion, or the abuse of legitimate tools, to exfiltrate sensitive data from the victim’s network. They may employ data compression, encryption, or obfuscation to evade detection.

Data Classification and Extraction

Using automated scripts or manual processes, attackers classify and extract sensitive information. This data can include personally identifiable information (PII), financial records, intellectual property, or confidential documents. Attackers may employ data parsing and indexing techniques to efficiently locate valuable data.

Data Staging and Stealth

The exfiltrated data is staged in hidden or less-monitored areas of the network to avoid detection. Attackers may use encryption or steganography to obscure the presence of the stolen data and maintain a low profile.

Data Encryption with Strong Algorithms

After exfiltration, attackers initiate the ransomware component. They employ robust encryption algorithms, such as AES-256, to encrypt critical files and systems within the victim’s network. This encryption is typically asymmetric, with a public key for encryption and a private key held by the attacker for decryption.

Ransom Note and Cryptocurrency Demand

Attackers deliver a ransom note, often in the form of a text file or image, to the victim’s systems. This note contains details about the ransom demand, payment instructions, and a deadline. Attackers commonly demand payment in cryptocurrencies like Bitcoin or Monero to maintain anonymity.

Double Extortion Notification

In a double extortion attack, alongside the traditional ransom note, attackers inform the victim that they have exfiltrated sensitive data. This notification emphasizes the consequences of non-compliance. Attackers may provide evidence of data theft, such as file listings or snippets, to validate their claims.

Threats of Data Exposure

Attackers threaten to publicly release the stolen data on the internet or underground forums if the ransom is not paid within the specified timeframe. This threat adds significant pressure on the victim to meet the ransom demands, as data exposure can lead to legal consequences, regulatory fines, and reputational damage.

Payment Verification and Communication

To facilitate payment tracking and decryption, attackers provide a unique Bitcoin wallet address for the victim to send the ransom. After receiving the payment, they verify it on the blockchain and communicate with the victim through encrypted channels.

Decryption Key Delivery

Upon successful payment verification, attackers deliver the decryption key to the victim. This key is required to decrypt the files and systems that were encrypted during the ransomware phase. Attackers may provide decryption tools or instructions on how to use the key.

Post-Attack Cleanup

After receiving the ransom, attackers may remove their presence from the victim’s network, deleting any tools, backdoors, or traces of the attack. However, there’s no guarantee that they will not return for further extortion or attacks.

Response and Mitigation

Organizations facing a double extortion attack must make critical decisions regarding whether to pay the ransom or seek alternatives. They must also report the incident to law enforcement and initiate incident response procedures, including system restoration and strengthening security measures to prevent future attacks.

Exploring the Use Cases of Double Extortion

Double extortion attacks have become a menacing threat in the cybersecurity landscape, prompting businesses to bolster their defenses to mitigate the risks associated with this insidious tactic. Here are some real-world use cases of double extortion, their significance, and the measures businesses are taking to secure against these risks:

The Maze Ransomware Attack

Maze ransomware operators were pioneers of the double extortion technique. They targeted businesses, encrypted their data, and then threatened to publish sensitive information online unless a ransom was paid.

  • Significance – This attack garnered significant attention and put double extortion on the map, highlighting the potential consequences of non-compliance.
  • Security Measures – Businesses have since increased their focus on cybersecurity, adopting comprehensive backup strategies, monitoring for data leaks, and enhancing incident response capabilities to counter Maze-like threats.

The REvil Ransomware Group

REvil is known for its aggressive double extortion tactics. In one instance, they attacked a prominent law firm, stealing sensitive client data and threatening to release it.

  • Significance – This attack demonstrated that even sectors not typically associated with high cybersecurity risks, like legal services, are vulnerable to double extortion. It emphasized the need for comprehensive cybersecurity measures across all industries.
  • Security Measures – Law firms and similar businesses are increasingly investing in cybersecurity awareness training for employees, adopting multi-factor authentication (MFA), and enhancing endpoint security to protect against REvil-style attacks.

The Ragnar Locker Ransomware Campaign

Ragnar Locker targeted large organizations, particularly in the healthcare sector. They encrypted files and stole patient data, demanding a hefty ransom.

  • Significance – The healthcare industry was already under pressure due to the COVID-19 pandemic, and these attacks further strained resources, raising concerns about patient privacy and the security of critical healthcare infrastructure.
  • Security Measures – Healthcare organizations have strengthened their cybersecurity posture by improving network segmentation, implementing robust access controls, and conducting regular cybersecurity assessments to thwart double extortion attempts.

The DarkTequila Attack

DarkTequila was a banking trojan that evolved to include ransomware and data theft components. Attackers targeted financial institutions and corporate networks, encrypting files and exfiltrating sensitive data.

  • Significance – This attack demonstrated the adaptability of cybercriminals who evolve their tactics over time. Financial institutions, in particular, had to address the growing threat of double extortion.
  • Security Measures – Financial institutions are implementing threat intelligence sharing platforms, enhancing employee training programs, and conducting tabletop exercises to prepare for potential double extortion attacks.

Cl0p Ransomware Group

The Cl0p group targeted various organizations, including universities. They encrypted files and threatened to leak sensitive academic research data online.

  • Significance – Attacks on educational institutions highlight the broad scope of double extortion targets. In this case, the potential loss of valuable research data was a significant concern.
  • Security Measures – Universities and research institutions are reinforcing their cybersecurity defenses with enhanced email filtering, data encryption, and incident response planning to safeguard their intellectual property from Cl0p-like attacks.

To secure against the risks of double extortion, businesses are taking several proactive steps:

  • Comprehensive Backup Strategies – Regular data backups that are isolated from the network are crucial. They ensure organizations can recover their data without paying a ransom.
  • Employee Training – Cybersecurity awareness training helps employees recognize phishing attempts and other social engineering tactics used in double extortion attacks.
  • Endpoint Security – Robust endpoint security solutions are essential for detecting and preventing malware infections.
  • Access Controls – Implementing the principle of least privilege (PoLP) ensures that users have the minimum level of access required for their roles.
  • Incident Response Plans – Having well-defined incident response plans in place enables businesses to respond effectively to double extortion attacks, minimizing their impact.
  • Threat Intelligence Sharing – Collaborating with industry peers and sharing threat intelligence can help businesses stay informed about emerging threats and attack techniques.


Double extortion attacks, where cybercriminals not only encrypt data but also threaten to leak sensitive information unless a ransom is paid, have increased the stakes within the current threat landscape. These attacks exploit organizations’ fears of data breaches and tarnished reputations, compelling many to pay ransoms even when they have backups in place.

Real-world use cases of double extortion underscore the critical importance of cybersecurity for businesses across industries. As attackers continually refine their tactics, organizations must remain vigilant, adapt their security measures, and adopt a proactive stance to protect their data, reputation, and bottom line.

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.