For years, the ransomware playbook was simple: encrypt the victim's files, demand payment for the decryption key. Organizations responded by investing in backups. If you could restore from backup, you didn't need to pay. The economics should have tilted against the attackers.
Then, in late 2019, the Maze ransomware group changed everything by adding a second layer: before encrypting files, they stole them. Pay the ransom or your data gets published online. Suddenly, backups weren't enough. Even organizations with perfect backup strategies faced the prospect of sensitive data — customer records, financial documents, intellectual property, employee information — being dumped on the internet for anyone to download.
By 2023, double extortion was the default, and the model had evolved further into triple and even quadruple extortion schemes that piled on additional pressure. The shift from encryption to data theft fundamentally altered the ransomware threat model in ways that many organizations still haven't fully adapted to.
The Evolution Timeline
Encryption Only (Pre-2019)
Early ransomware was purely about denying access. CryptoLocker, WannaCry, NotPetya — these attacks encrypted files and demanded payment for decryption keys. The defense was straightforward in principle: maintain good backups and you could recover without paying.
This model had limitations for attackers:
- Organizations with good backups refused to pay
- Decryption tools sometimes became available through law enforcement or researcher efforts
- The encryption itself could be defeated if the implementation was flawed
- Victims had a clear recovery path that didn't involve the attacker
Double Extortion Emerges (2019-2020)
Maze pioneered the double extortion model in November 2019 by publishing stolen data from Allied Universal, a security services company, after the company refused to pay. The message was clear: your backups don't protect your data from being published.
Other groups quickly adopted the model:
- REvil/Sodinokibi: Launched a dedicated auction site for stolen data
- DoppelPaymer: Maintained an active leak site
- Netwalker: Published data from hospitals, universities, and government agencies
- Conti: Built one of the most prolific leak operations
By mid-2020, the majority of active ransomware groups had added data theft and extortion to their operations.
Triple Extortion (2020-2021)
Groups added a third pressure vector:
- DDoS attacks: Threatening or executing denial-of-service attacks against the victim's public-facing infrastructure, adding operational disruption beyond the encrypted systems
- Customer/patient notification: Directly contacting the victim's customers, patients, or partners to inform them of the data theft, creating public pressure and potential legal liability
- Regulatory leverage: Threatening to report the breach to regulatory authorities (GDPR, HIPAA, SEC) to trigger investigations and fines
Quadruple Extortion (2021-Present)
Some groups pushed the model further:
- Contacting short sellers or competitors with insider information about the breach
- Threatening to notify cyber insurance providers to impact coverage
- Targeting the victim's supply chain partners with the stolen data
- Filing fake regulatory complaints to increase pressure
Why Double Extortion Changed Everything
Backups Are Necessary but Insufficient
Before double extortion, the security community could credibly advise: "Invest in backups and you won't need to pay ransomware." That advice is now incomplete. Backups solve the availability problem (getting your systems running again) but don't address the confidentiality problem (your data is in the attacker's hands).
This shifted the defensive calculation significantly. Organizations now need to prevent the intrusion entirely, or at minimum prevent data exfiltration — much harder problems than maintaining backup integrity.
Every Ransomware Attack Is a Data Breach
Double extortion means that every ransomware incident must be treated as a reportable data breach. This triggers:
- Regulatory notification requirements (GDPR, state breach notification laws, HIPAA)
- Legal liability for compromised personal data
- Credit monitoring obligations for affected individuals
- SEC reporting requirements for public companies (as of December 2023)
- Cyber insurance claim processes and potential coverage disputes
The regulatory and legal costs of a ransomware attack now often exceed the operational recovery costs, particularly for organizations in regulated industries.
Payment Doesn't Guarantee Deletion
A fundamental problem with the double extortion model: even if the victim pays, there's no guarantee the attacker actually deletes the stolen data. The LockBit takedown in February 2024 revealed that the group had retained data from victims who had paid — directly contradicting their promise to delete data upon payment.
This undermines the entire transaction model. If paying doesn't guarantee data deletion, the rational case for paying becomes weaker. Yet organizations continue to pay because the alternative — guaranteed publication — is worse than the possibility that payment might work.
Supply Chain Data Exposure
Double extortion creates supply chain data exposure risks:
- A vendor who suffers a ransomware attack may leak their clients' confidential data
- A service provider's breach can expose data from all of their customers
- Business partnerships documented in stolen data can reveal competitive intelligence
- Shared infrastructure details in stolen documents can reveal vulnerabilities in connected organizations
The MOVEit campaign demonstrated this at scale — organizations whose data was stolen from third-party service providers had no direct relationship with the vulnerable software and no ability to prevent the exposure.
The Data Exfiltration Problem
Double extortion elevated data exfiltration prevention from a nice-to-have to a critical capability. This is harder than it sounds, for two reasons: detection is ambiguous, and the window for acting is short.
Detection Challenges
Distinguishing malicious data exfiltration from legitimate data transfers is technically difficult:
- Attackers use legitimate cloud storage services (Mega, Dropbox, Google Drive) for exfiltration
- Tools like rclone and WinSCP are present in many legitimate IT environments
- Data volumes that would trigger alerts vary enormously by organization
- Encrypted connections make content inspection challenging
- Staged exfiltration over days or weeks can stay below volume thresholds
Time Pressure
Ransomware operators typically complete data exfiltration before deploying the ransomware payload. The exfiltration phase can last from hours to weeks, but once the ransomware is deployed, the stolen data is already gone. Any detection and response during the exfiltration window must be fast enough to interrupt the process before the attacker has what they need.
What Data Was Taken?
After a double extortion attack, one of the most challenging questions is determining exactly what data was stolen. Attackers rarely provide complete file manifests, and forensic analysis of exfiltration activity may not capture the full scope. This uncertainty complicates:
- Breach notification decisions (which individuals need to be notified?)
- Regulatory compliance (what categories of data were exposed?)
- Legal risk assessment (what's the potential liability?)
- Customer communication (what should you tell affected parties?)
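To make the scoping problem concrete, here is an added example (not code from the original article) that builds a candidate "what was taken" manifest from endpoint file-read audit events falling inside the exfiltration window, labels each file with its data class, and then checks whether the audit log can even account for the volume that was observed leaving the host. The audit rows, share paths, classification map, window and outbound byte count are all constructed sample values; the `(timestamp, host, process, path, bytes_read)` export format and the `rclone.exe` process name are assumptions for the illustration.

```python
"""Scoping aid for the "what data was taken?" question.

Added example, not code from the original article. Assumes a hypothetical
endpoint audit export with (timestamp, host, process, path, bytes_read)
rows; paths, classification map and window are constructed sample values.
"""
from collections import defaultdict
from datetime import datetime

# Constructed classification by top-level share. In practice this comes from
# the organization's data inventory (knowing what data you have and where it
# lives is the precondition for answering the breach-notification questions).
CLASSIFICATION = {
    "/shares/hr/": "employee PII",
    "/shares/finance/": "financial records",
    "/shares/eng/": "intellectual property",
}

# Exfiltration window established by the network side of the investigation.
WINDOW = (datetime(2024, 3, 1, 1, 0), datetime(2024, 3, 8, 23, 59))
SUSPECT_PROCESS = "rclone.exe"          # assumed tool used for the transfer
OBSERVED_OUTBOUND = 1600 * 2**20        # bytes seen leaving WS-17 in the window (constructed)

# Constructed audit events: (timestamp, host, process, path, bytes_read)
AUDIT = [
    (datetime(2024, 2, 27, 14, 0), "WS-17", "excel.exe", "/shares/finance/q4.xlsx", 2 * 2**20),  # before window
    (datetime(2024, 3, 1, 2, 5), "WS-17", "rclone.exe", "/shares/hr/payroll_2023.csv", 300 * 2**20),
    (datetime(2024, 3, 2, 2, 7), "WS-17", "rclone.exe", "/shares/finance/ledger.db", 500 * 2**20),
    (datetime(2024, 3, 3, 2, 1), "WS-17", "rclone.exe", "/shares/eng/firmware_v9.tar", 400 * 2**20),
    (datetime(2024, 3, 3, 2, 9), "WS-17", "rclone.exe", "/tmp/staging.7z", 100 * 2**20),
    (datetime(2024, 3, 4, 10, 0), "WS-17", "word.exe", "/shares/hr/handbook.docx", 1 * 2**20),  # not the suspect process
]


def classify(path):
    """Map a path to its data class via longest-prefix-free simple lookup."""
    for prefix, label in CLASSIFICATION.items():
        if path.startswith(prefix):
            return label
    return "unclassified"


def candidate_manifest(events, process, window):
    """Files read by `process` inside the window, grouped by data class."""
    start, end = window
    manifest = defaultdict(list)
    for ts, _host, proc, path, nbytes in events:
        if proc == process and start <= ts <= end:
            manifest[classify(path)].append((path, nbytes))
    return dict(manifest)


def coverage_check(manifest, observed_outbound):
    """Heuristic completeness check: attackers usually compress before sending,
    so outbound bytes should be at or below the bytes the audit log shows being
    read. More outbound than read means the log missed reads and the manifest
    understates what was taken."""
    bytes_read = sum(n for files in manifest.values() for _p, n in files)
    return {
        "bytes_read": bytes_read,
        "observed_outbound": observed_outbound,
        "manifest_complete": observed_outbound <= bytes_read,
    }


if __name__ == "__main__":
    manifest = candidate_manifest(AUDIT, SUSPECT_PROCESS, WINDOW)
    for label, files in manifest.items():
        print(f"{label}: {len(files)} file(s), {sum(n for _, n in files) // 2**20} MiB")
    print(coverage_check(manifest, OBSERVED_OUTBOUND))
```

In the sample data the suspect process read 1300 MiB but 1600 MiB left the host, so the check reports the manifest as incomplete; that gap is exactly the uncertainty the notification and legal teams have to plan around, and it argues for scoping from every available source (share server logs, proxy logs, volume shadow copies) rather than a single endpoint's audit trail.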
Defensive Adaptations
Data Loss Prevention (DLP)
DLP technologies have received renewed investment, though challenges remain:
- Effective DLP requires understanding what data you have and where it lives
- Cloud-based DLP can inspect some exfiltration channels but not all
- Network-based DLP is less effective against encrypted exfiltration
- Endpoint-based DLP requires deployment and management across all systems
Network Segmentation and Zero Trust
Limiting attacker lateral movement reduces both the scope of encryption and the volume of data accessible for exfiltration:
- Microsegmentation limits what each compromised system can access
- Zero trust architectures require continuous verification rather than perimeter-based trust
- Data classification and access controls ensure sensitive data isn't broadly accessible
Monitoring and Detection
Organizations have invested in detecting the pre-ransomware activity that precedes both encryption and exfiltration:
- Behavioral analytics identifying anomalous data access patterns
- Network traffic analysis detecting unusual outbound data flows
- Endpoint detection identifying credential harvesting and lateral movement
- Deception technology (honeypots, honey tokens) to detect attacker reconnaissance
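The detection challenges listed earlier (legitimate cloud destinations, common tools such as rclone, and staged transfers that stay under per-day volume thresholds) and the network traffic analysis bullet above come together in the following added example, which is not code from the original article. It runs two detections over constructed outbound flow records: a sliding seven-day cumulative volume check per (host, destination) pair that fires where a naive single-day threshold never would, and a pairing rule that flags a file-sync tool talking to a consumer cloud storage service regardless of volume. The flow record layout, host names, thresholds and domain list are assumptions chosen for the sample data.

```python
"""Low-and-slow exfiltration detection over constructed outbound flow records.

Added example, not code from the original article. Assumes a hypothetical
NetFlow/proxy export of (timestamp, host, process, destination, bytes_out)
tuples; thresholds and the domain list are illustrative values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Legitimate services that are also commonly used to stage stolen data.
CLOUD_STORAGE = {"mega.nz", "dropbox.com", "drive.google.com"}
# File-transfer tools that are present in many ordinary IT environments.
SYNC_TOOLS = {"rclone", "rclone.exe", "winscp.exe"}

DAILY_THRESHOLD = 500 * 2**20      # naive per-day alert; never fires on the sample
WINDOW_DAYS = 7
WINDOW_THRESHOLD = 1024 * 2**20    # cumulative per (host, destination) inside the window

# Constructed sample: WS-17 pushes 200 MiB/day to mega.nz for 8 days via rclone,
# always under the daily threshold. Background traffic for WS-17 and WS-22 is
# ordinary browser activity, including a legitimate Google Drive user.
DAY0 = datetime(2024, 3, 1)
FLOWS = []
for d in range(8):
    FLOWS.append((DAY0 + timedelta(days=d, hours=2), "WS-17", "rclone.exe", "mega.nz", 200 * 2**20))
    FLOWS.append((DAY0 + timedelta(days=d, hours=9), "WS-17", "chrome.exe", "update.example.com", 30 * 2**20))
    FLOWS.append((DAY0 + timedelta(days=d, hours=9), "WS-22", "chrome.exe", "drive.google.com", 50 * 2**20))


def daily_totals(flows):
    """Sum bytes_out per (host, destination, calendar day)."""
    totals = defaultdict(int)
    for ts, host, _proc, dst, nbytes in flows:
        totals[(host, dst, ts.date())] += nbytes
    return totals


def single_day_alerts(flows, threshold=DAILY_THRESHOLD):
    """The naive rule: any (host, destination) exceeding the threshold in one day."""
    return sorted({(h, d) for (h, d, _day), b in daily_totals(flows).items() if b > threshold})


def sliding_window_alerts(flows, window_days=WINDOW_DAYS, threshold=WINDOW_THRESHOLD):
    """Flag (host, destination) pairs whose cumulative volume over any span of
    window_days exceeds the threshold, even when no single day did.
    Returns (host, destination, window_start, window_end, bytes) per alert."""
    per_pair = defaultdict(list)
    for (h, d, day), b in daily_totals(flows).items():
        per_pair[(h, d)].append((day, b))
    alerts = []
    for pair, days in per_pair.items():
        days.sort()
        start, running = 0, 0
        for end in range(len(days)):
            running += days[end][1]
            # Shrink from the left until the span fits inside the window.
            while days[end][0] - days[start][0] >= timedelta(days=window_days):
                running -= days[start][1]
                start += 1
            if running > threshold:
                alerts.append((*pair, days[start][0], days[end][0], running))
                break  # one alert per pair is enough for triage
    return alerts


def tool_to_cloud_alerts(flows, tools=SYNC_TOOLS, destinations=CLOUD_STORAGE):
    """Flag a file-sync tool talking to consumer cloud storage. Volume is
    irrelevant here; the pairing of process and destination is the signal, so a
    browser session to the same destination is deliberately not flagged."""
    seen = set()
    for _ts, host, proc, dst, _b in flows:
        if proc.lower() in tools and dst in destinations:
            seen.add((host, proc, dst))
    return sorted(seen)


if __name__ == "__main__":
    print("single-day alerts:", single_day_alerts(FLOWS))
    print("sliding-window alerts:", sliding_window_alerts(FLOWS))
    print("tool-to-cloud alerts:", tool_to_cloud_alerts(FLOWS))
```

On the sample data the single-day rule returns nothing, the sliding window fires on WS-17 to mega.nz on the sixth day once 1200 MiB has accumulated, and the pairing rule fires on the first rclone flow. The real per-host baseline and thresholds have to come from the organization's own traffic, which is the reason the article notes that alert-worthy volumes vary enormously between environments.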
How Safeguard.sh Helps
Double extortion ransomware transformed every software supply chain compromise into a potential data breach — not just for the compromised organization, but for every entity whose data flows through the affected systems.
Safeguard.sh addresses the supply chain dimension of this threat by providing comprehensive visibility into where your data-handling components live and what they depend on. The platform's SBOM management tracks the software supply chain that processes and stores your sensitive data, identifying which components are vulnerable to the exploitation techniques ransomware groups use for initial access.
By continuously monitoring your software supply chain for vulnerabilities and enforcing security policies across all components, Safeguard.sh helps you prevent the initial compromise that enables both encryption and data theft. In the double extortion era, stopping the attacker before they access your data is the only defense that fully works — and that starts with knowing every component in your supply chain.