What is Double Extortion Ransomware?


Double extortion is an advanced ransomware tactic where attackers not only encrypt a victim's data to demand a ransom for decryption but also steal the data and threaten to release or sell it publicly if the ransom isn’t paid. Talk about salt in a wound, this one is the worst. 

This technique significantly raises the stakes for victims, putting their sensitive information, reputation, and even regulatory compliance at risk.


How Double Extortion Works

  1. Data Encryption: The ransomware encrypts critical files, making them inaccessible to the victim.
  2. Data Exfiltration: Attackers copy sensitive data before encrypting it.
  3. Ransom Demand: The victim receives a ransom note demanding payment for the decryption key.
  4. Extortion Threat: If the ransom isn’t paid, attackers threaten to publish or sell the stolen data, exposing the victim to regulatory fines, reputational damage, and operational disruptions.
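From the defender's side, the steps above matter because exfiltration leaves its own trace before the encryption becomes visible. The following is an added example, not part of the original article: Python triage logic that reads constructed telemetry and reports, per host, whether an encryption-like rename burst was preceded by a large outbound transfer. The log format, field names and thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), sorted by time: outbound
# flow summaries and per-minute file-rename counts, one event per line.
SAMPLE_LOG = """\
2025-01-10T01:05:00 host=ws17 kind=net_out bytes=48000000 dest=203.0.113.9
2025-01-10T02:14:00 host=fs01 kind=net_out bytes=5400000000 dest=203.0.113.50
2025-01-10T02:41:00 host=fs01 kind=file_rename count=1900
2025-01-10T03:10:00 host=ws17 kind=file_rename count=12
2025-01-10T09:30:00 host=db02 kind=file_rename count=2500
"""

# Assumed thresholds; tune them against your own baseline.
EXFIL_BYTES = 1_000_000_000     # a single large outbound transfer
RENAME_BURST = 1_000            # files renamed within one minute
WINDOW = timedelta(hours=24)    # how long a large transfer stays relevant


def parse(line):
    """Split 'timestamp key=value ...' into (datetime, dict of fields)."""
    stamp, *pairs = line.split()
    return datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)


def classify(log_text):
    """Return one finding per encryption-like rename burst, in log order."""
    last_exfil = {}  # host -> (time, dest) of its most recent large transfer
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ev = parse(line)
        host = ev["host"]
        if ev["kind"] == "net_out" and int(ev["bytes"]) >= EXFIL_BYTES:
            last_exfil[host] = (when, ev["dest"])
        elif ev["kind"] == "file_rename" and int(ev["count"]) >= RENAME_BURST:
            prior = last_exfil.get(host)
            if prior and when - prior[0] <= WINDOW:
                # Backups restore the files but not their confidentiality.
                findings.append((host, "double_extortion_suspected", prior[1]))
            else:
                findings.append((host, "encryption_only_suspected", None))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

A "double_extortion_suspected" finding is the cue to treat the incident as a possible data breach as well as an availability problem, even when backups are intact.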

Why It’s Dangerous

  • Increased Pressure: The dual threat creates more urgency for victims to pay the ransom.
  • Wider Impact: Even with backups or robust disaster recovery plans, the threat of data exposure adds a new layer of risk.
  • Regulatory Consequences: For organizations bound by data protection laws like GDPR or CCPA, a data breach can lead to hefty fines.

Notable Examples

FunkSec Ransomware Group (2025): An AI-driven ransomware group named FunkSec emerged in late 2024, targeting over 85 victims globally. They employ double extortion tactics, combining elements of hacktivism and cybercrime, and demand relatively low ransoms.

Play Ransomware Attacks (2025): The Play ransomware group has been actively launching attacks, posing significant threats to various organizations. Their operations involve double extortion strategies, where they encrypt data and threaten to leak it unless the ransom is paid.

BlackSuit Ransomware Attack on CDK Global (2024): The BlackSuit hacker group targeted CDK Global, a software provider for car dealerships across the U.S. This attack disrupted operations, forcing many dealerships to process transactions manually. BlackSuit employs double extortion methods, encrypting data and threatening to publish sensitive information if ransoms are not met.

Garmin (2020): Attackers encrypted systems and threatened to leak stolen data, reportedly securing a multimillion-dollar ransom.

Colonial Pipeline (2021): While ransomware disrupted operations, attackers also stole data as part of their extortion strategy.



Preventing Double Extortion

  1. Strengthen Endpoint Security: Protect devices against unauthorized access and malware.
  2. Adopt Zero-Trust Principles: Limit access to sensitive data and systems.
  3. Regular Backups: Ensure encrypted, offline backups to recover data without paying ransom.
  4. Employee Training: Educate employees about phishing, smishing, and other social engineering tactics used to deliver ransomware.
  5. Incident Response Plans: Develop and test plans that account for double extortion scenarios.

Double extortion highlights the evolving sophistication of ransomware threats, underscoring the need for both technical defenses and human-centered strategies to mitigate risk.

For more information on how ransomware affects your people and how to help them stay safe, read on here: Ransomware and the Human Element
