Research Note · Extortion Dynamics

Double Extortion is now table stakes

Encryption is no longer the primary threat. Modern ransomware operations assume data theft first, disruption second, and public pressure always. Organizations that plan only for restoration are planning for the wrong fight.

Data theft · Public pressure · Executive decision risk

Recovery ends downtime. Extortion targets reputation, trust, and leverage.

Executive summary

Ransomware without extortion is obsolete

Double extortion—stealing data and threatening disclosure—is no longer an escalation tactic or a worst-case scenario. It is the default operating model. Organizations that focus only on backups, encryption prevention, or restore timelines miss where attackers derive most of their leverage.

Threat evolution

Why double extortion became the baseline

Data theft fundamentally changed ransomware economics.

Backups reduced encryption leverage

As backup practices improved, encryption alone stopped guaranteeing payment. Crews adapted by attacking confidentiality instead of availability.

Data exposure creates asymmetric pressure

Stolen data threatens customers, regulators, partners, and leadership, far beyond the IT department.

Disclosure timelines favor attackers

Threat actors control when and how data is released, escalating pressure while defenders race to assess impact.

Attacker behavior

How modern ransomware crews apply pressure

Extortion is a campaign, not a single demand.

Data theft comes first

Crews prioritize exfiltration early, often weeks before encryption, ensuring leverage regardless of restoration success.

Selective disclosure threats

Attackers threaten to leak only the most damaging data: executive communications, regulated records, or customer information.

Multi-party pressure

Customers, partners, and even employees may be contacted directly to amplify urgency and reputational risk.

Strategic gap

Why recovery alone doesn’t stop extortion

Restoring systems does not undo stolen data.

Data theft is irreversible

Once data leaves the environment, technical controls cannot recall it. Legal, regulatory, and reputational risks remain.

Disclosure decisions are executive decisions

Extortion pressure shifts response ownership from IT to legal, communications, and the board.

Attackers exploit uncertainty

Incomplete understanding of what was stolen increases fear, indecision, and negotiation pressure.

Leadership impact

Why extortion readiness is a governance issue

Double extortion collapses technical, legal, and reputational risk into a single crisis.

Incident response plans often stop too early

Many IR plans focus on containment and restoration, with little guidance on disclosure, negotiation, or public response.

Regulatory exposure compounds pressure

Stolen regulated data introduces mandatory notification timelines that attackers deliberately exploit.

Decision authority is unclear

Without predefined roles, organizations lose time deciding who is allowed to make high-stakes calls under pressure.

Program direction

Preparing for extortion as the default

Ransomware resilience must assume data theft, public pressure, and executive-level decision-making.

Priority

Detect data theft early

Monitoring identity abuse, unusual data access, and egress is critical before encryption ever begins.

Priority

Plan for disclosure decisions

Legal, communications, and executive teams must be integrated into incident planning—not called after the fact.

Priority

Reduce extortion leverage

Data minimization, access control, and segmentation limit what attackers can steal and threaten to expose.

Priority

Rehearse the uncomfortable scenarios

Tabletop exercises must include data-leak threats, regulatory timelines, and public scrutiny.

Prepared to restore—but prepared to disclose?

Wolfe Defense Labs helps organizations design incident readiness for modern extortion scenarios, where recovery, disclosure, and governance decisions collide.
