A ransomware tactic where attackers both encrypt victim data and exfiltrate it, threatening to publish or sell the stolen data on dark web leak sites if the ransom is not paid.
Double extortion emerged in late 2019 when the Maze ransomware group began stealing data before deploying encryption, then threatening to publish it if victims refused to pay. This tactic fundamentally changed the ransomware landscape because it undercut the primary defense against ransomware: backups. Even organizations with sound backup strategies and the ability to restore without paying still faced the threat of sensitive data — customer records, financial information, trade secrets, employee data — being published on the dark web, because a restore does nothing to recover data that has already been copied out.
Today, double extortion is the standard operating procedure for virtually all major ransomware groups. Many maintain dedicated leak sites where they list victims, publish sample data to prove their claims, and auction stolen data to the highest bidder. Some groups have evolved to triple extortion — adding DDoS attacks against victims or contacting the victim's customers and partners directly to apply additional pressure. This evolution means that ransomware defense must address both encryption and data loss prevention.
Double extortion requires organizations to rethink their ransomware defense strategy. Backups alone are no longer sufficient — you must also prevent data exfiltration. This means implementing Data Loss Prevention (DLP) controls, monitoring for large outbound data transfers, encrypting sensitive data at rest (so stolen data is useless without the key; this only holds if the attacker cannot also obtain the keys or read the data through an application or account that decrypts it transparently), segmenting networks to limit what data an attacker can access, and implementing robust access controls that restrict who can reach sensitive data stores. Detection of data staging and exfiltration during the pre-encryption phase is a critical window for stopping double extortion attacks: at that point the data has not yet left, and the attacker has not yet revealed themselves by encrypting.
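The outbound-transfer monitoring described above, as an added example that is not part of this glossary entry: a Python sketch that aggregates outbound bytes per internal-host/external-destination pair over a sliding one-hour window and flags upload-heavy flows, the pattern exfiltration leaves in flow or proxy logs. The log format, the 10.0.0.0/8 internal range, the thresholds and the sample records are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (hypothetical "timestamp src dst bytes_out bytes_in" format).
# 10.0.5.23 pushes ~2.4 GB to one external address in 30 minutes with almost nothing
# returned; 10.0.5.40 is ordinary download-heavy browsing; the last line is an
# internal-to-internal copy (possible staging, but not exfiltration to the outside).
SAMPLE_LOG = """\
2024-03-01T02:10:00 10.0.5.23 203.0.113.45 900000000 12000
2024-03-01T02:25:00 10.0.5.23 203.0.113.45 800000000 9000
2024-03-01T02:40:00 10.0.5.23 203.0.113.45 700000000 10000
2024-03-01T09:00:00 10.0.5.40 198.51.100.7 50000 4000000
2024-03-01T09:05:00 10.0.5.40 198.51.100.7 70000 6000000
2024-03-01T09:10:00 10.0.5.23 10.0.5.90 500000000 3000
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space
WINDOW = timedelta(hours=1)
BYTES_OUT_THRESHOLD = 1_000_000_000  # 1 GB to a single external destination per window
MIN_OUT_IN_RATIO = 20                # uploads must dwarf downloads (asymmetric flow)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse(log_text):
    """Turn the constructed log text into (timestamp, src, dst, bytes_out, bytes_in) tuples."""
    records = []
    for line in log_text.splitlines():
        ts, src, dst, out_b, in_b = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(out_b), int(in_b)))
    return records

def find_exfil_candidates(records, window=WINDOW,
                          out_threshold=BYTES_OUT_THRESHOLD, min_ratio=MIN_OUT_IN_RATIO):
    """Return {(src, dst): (bytes_out, bytes_in)} for internal->external pairs whose
    outbound volume inside some sliding window crosses the threshold and is upload-heavy."""
    flows = defaultdict(list)
    for ts, src, dst, out_b, in_b in sorted(records):
        if is_internal(dst):          # internal copies are out of scope for this check
            continue
        flows[(src, dst)].append((ts, out_b, in_b))
    hits = {}
    for key, events in flows.items():
        start, out_sum, in_sum = 0, 0, 0
        for ts, out_b, in_b in events:
            out_sum, in_sum = out_sum + out_b, in_sum + in_b
            while ts - events[start][0] > window:   # drop events older than the window
                out_sum -= events[start][1]; in_sum -= events[start][2]; start += 1
            if out_sum >= out_threshold and out_sum >= min_ratio * max(in_sum, 1):
                hits[key] = (out_sum, in_sum)       # keep the largest window seen so far
    return hits
```

In production the same aggregation would run over flow, proxy or firewall logs with thresholds tuned per host role, since backup agents and cloud sync clients produce legitimately upload-heavy traffic that must be allow-listed rather than alerted on.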