Double extortion is a ransomware tactic where attackers steal sensitive data before encrypting systems, then demand payment to prevent both operational disruption and public data exposure. CISA defines this combined use of encryption and data-theft pressure as double extortion.
Attackers usually follow this sequence:
| Stage | What attackers do | Business impact |
|---|---|---|
| Initial access | Use phishing, stolen credentials, exposed RDP, or vulnerable apps | Unauthorized entry |
| Data theft | Copy files, databases, emails, or customer records | Breach risk |
| Encryption | Lock systems or files | Downtime |
| Pressure | Threaten to publish on leak sites, or to contact customers, regulators, or media | Legal and reputational damage |
Backups alone cannot neutralize this threat. Restoring systems may reduce downtime, but stolen data can still trigger breach notification duties, regulatory scrutiny, customer churn, and contract risk.
Security teams should treat ransomware as a data-breach scenario, not only an availability incident. The UK NCSC also advises organizations to assume data may have been stolen when ransomware occurs.
| Traditional ransomware | Double extortion |
|---|---|
| Encrypts files and demands payment for decryption | Steals data, encrypts systems, and demands payment both for decryption and for withholding the stolen data |
| Backups can reduce leverage | Backups do not remove leak pressure |
| Primary risk: downtime | Primary risks: downtime, breach exposure, legal impact |
| Focuses on recovery | Requires recovery, containment, investigation, and disclosure planning |
Attackers often target organizations that store sensitive data or rely heavily on uninterrupted operations. Common targets include:
Strong endpoint management, network segmentation, and continuous monitoring can help reduce both ransomware spread and data theft risks.
Data extortion is not the same as double extortion. Data extortion may involve theft and leak threats without any encryption; double extortion combines data theft with encryption.
Paying does not make the stolen data go away. Payment does not reliably prove that attackers deleted the copied data, and it does not prevent them from reselling it later.
To reduce exposure: use MFA, patch exposed systems, restrict admin privileges, monitor abnormal data movement, segment networks, maintain offline backups, and rehearse incident response.
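As an added example (not code from the original article or from Hexnode), the following Python script shows one way to act on the "monitor abnormal data movement" advice above: it aggregates outbound bytes per host per day from a constructed egress log, flags any day whose volume is far above that host's own baseline and above an absolute floor, and lists destinations the host had not contacted on other days. The log format, host names, destinations, and thresholds are all assumptions made for the example.

```python
"""Flag hosts whose outbound data volume is far above their own baseline.

Added example, not from the original article. The log lines below are
constructed to resemble a proxy/egress log with the assumed format:
"<ISO timestamp> <src_host> <destination> <bytes_out>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample egress log (not real data). One host, ws-fin-01, sends
# roughly 200 kB/day normally, then pushes 4.8 GB to an unfamiliar IP at 02:13.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-fin-01 cdn.example.com 120000
2024-05-01T09:05:00 ws-fin-01 mail.example.com 80000
2024-05-02T09:00:00 ws-fin-01 cdn.example.com 110000
2024-05-02T09:05:00 ws-fin-01 mail.example.com 90000
2024-05-03T09:00:00 ws-fin-01 cdn.example.com 130000
2024-05-03T02:13:00 ws-fin-01 203.0.113.45 4800000000
2024-05-01T10:00:00 ws-eng-07 git.example.com 500000
2024-05-02T10:00:00 ws-eng-07 git.example.com 520000
2024-05-03T10:00:00 ws-eng-07 git.example.com 480000
"""


def parse_log(text):
    """Parse whitespace-separated egress records into (timestamp, host, dst, bytes)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def daily_profile(records):
    """Return {host: {date: {"bytes": total_out, "dests": set_of_destinations}}}."""
    profile = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dests": set()}))
    for ts, host, dst, nbytes in records:
        day = profile[host][ts.date()]
        day["bytes"] += nbytes
        day["dests"].add(dst)
    return profile


def detect_exfil_candidates(records, ratio=10.0, min_bytes=1_000_000_000):
    """Flag (host, date) pairs where outbound volume is at least `ratio` times the
    mean of that host's other days and above `min_bytes` (assumed thresholds).
    Each finding also lists destinations not seen from that host on any other day.
    """
    findings = []
    for host, days in daily_profile(records).items():
        if len(days) < 2:
            continue  # a single day gives no baseline to compare against
        for day, stats in sorted(days.items()):
            if stats["bytes"] < min_bytes:
                continue  # below the absolute floor; ignore small deviations
            others = [d for d in days if d != day]
            baseline = mean(days[d]["bytes"] for d in others)
            if baseline > 0 and stats["bytes"] < ratio * baseline:
                continue  # large in absolute terms but normal for this host
            seen_elsewhere = set().union(*(days[d]["dests"] for d in others))
            findings.append({
                "host": host,
                "date": day.isoformat(),
                "bytes": stats["bytes"],
                "baseline_bytes": int(baseline),
                "new_destinations": sorted(stats["dests"] - seen_elsewhere),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(finding)
```

A per-host baseline matters more than a global threshold: an engineering workstation that pushes large builds every day should not trip the same rule as a finance workstation that suddenly sends gigabytes to a new IP at night. In production the baseline would come from weeks of history rather than two days, and the "new destination" list would be enriched with reputation data, but the shape of the check is the same.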
Hexnode UEM helps organizations strengthen endpoint control by enforcing security policies, managing devices, supporting compliance workflows, and reducing unmanaged endpoint risk across distributed work environments. For B2B teams, that centralized visibility matters because attackers often exploit weak endpoint hygiene before escalating into ransomware activity.