
Double extortion ransomware: what it is and how to respond


Traditional ransomware locks up your data and demands payment for the key. You could refuse, restore from a clean backup, and walk away without paying. Double extortion closes that exit. Before encrypting anything, the attacker steals a copy of your sensitive data and then threatens to leak or sell it unless you pay, even if you can recover the files yourself.

While a clean backup brings your systems back online, it does nothing once your customer records or trade secrets are leaked. Beating double extortion takes defending against theft and encryption at the same time.

What is double extortion ransomware?

Double extortion ransomware is an attack that encrypts your data so you can't use it and steals a copy so the attacker can leak or sell it. From here, attackers combine two extortions: the first pressures you to pay for access, and the second pressures you to pay for silence. Modern ransomware double extortion campaigns run both plays at once, which is what makes them so effective.

Countering an attack that hits both fronts calls for ransomware resilience, a strategy that assumes an attack will land and is built to prevent, withstand, and recover from it while keeping the business running.

How a double extortion attack works

A double extortion attack unfolds in stages, and each one is a chance to catch it before it reaches the ransom note.

The attack begins with initial access. The attacker gets in through a phishing email, stolen credentials, or an unpatched system exposed to the internet. From there, they move to reconnaissance and lateral movement, mapping your network, escalating privileges, and locating the systems that hold your most valuable data. This stage is often slow and deliberate, sometimes stretching over weeks, which gives detection tools a chance to flag the unusual activity.

Next, during data exfiltration, the attacker copies your sensitive data out to their own servers before encrypting anything. Traditional ransomware skips this step entirely. Here, monitoring for large or abnormal outbound transfers can expose the attack while you can still act on it.

Once copies are made, the attacker triggers encryption, locking your files and surfacing the ransom demand. By now, they hold your access and your data, so the demand carries a double threat. You pay to decrypt, and pay again to keep the stolen data from going public.

The earlier you interrupt this sequence, the less leverage the attacker ends up with. If an attack reaches the later stages, a dedicated incident response service can help you contain the damage and recover.

How to defend against double extortion ransomware

Each defense below covers a different stage of the attack you just walked through, from spotting sensitive data before it's stolen to keeping a clean copy when files get locked. Layered together, they're the foundation of strong cyber resilience services.

Data classification

You can't protect what you haven't identified. Data classification finds and labels your sensitive data by type and risk, so you know where your most valuable information lives. That knowledge lets you concentrate your strongest controls and closest monitoring on the data attackers want, rather than spreading protection thinly across everything. Cohesity's data classification uses machine learning to surface sensitive data automatically, even across large hybrid environments.
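As an added illustration of what "labeling sensitive data by type and risk" means in practice, here is a small pattern-based classifier. It is example code written for this article, not Cohesity's product code (which the text says uses machine learning). The detector patterns, the Luhn check on card-like numbers, and the three risk labels are all assumptions chosen for the example; a real classifier would carry many more detectors and tune them to the organization's data.

```python
import re
from dataclasses import dataclass, field

# Illustrative detectors (assumed for this example; a production classifier has many more).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN-shaped token
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),        # 13-16 digits, optional separators
}

# Risk label assigned when a given detector fires (assumed ordering: restricted > confidential > internal).
LABEL_FOR = {"ssn": "restricted", "card": "restricted", "email": "confidential"}
RANK = {"internal": 0, "confidential": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Classification:
    label: str                              # "internal", "confidential" or "restricted"
    hits: dict = field(default_factory=dict)  # detector name -> number of matches


def classify(text: str) -> Classification:
    """Scan one document and return its risk label plus which detectors fired."""
    hits = {}
    for name, pat in PATTERNS.items():
        matches = pat.findall(text)
        if name == "card":
            # Keep only digit runs that pass Luhn, so order numbers and IDs are not flagged as cards.
            matches = [m for m in matches if luhn_ok(re.sub(r"[ -]", "", m))]
        if matches:
            hits[name] = len(matches)

    label = "internal"
    for name in hits:
        if RANK[LABEL_FOR[name]] > RANK[label]:
            label = LABEL_FOR[name]
    return Classification(label, hits)


if __name__ == "__main__":
    # Constructed sample documents, not real data.
    samples = {
        "memo.txt": "Team lunch moved to Friday, order 1234 5678 9012 3456 shipped.",
        "contacts.csv": "alice@example.com,bob@example.com",
        "hr_export.csv": "Alice Example,123-45-6789\nBob Example,4111 1111 1111 1111",
    }
    for filename, body in samples.items():
        result = classify(body)
        print(f"{filename}: {result.label} {result.hits}")
```

The label drives where controls and monitoring concentrate: files that come back "restricted" are the ones whose exfiltration would give a double extortion attacker leverage, so those are the paths to watch most closely.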

Data loss prevention

Data loss prevention watches how sensitive data moves and blocks it from leaving through unauthorized channels. This is what catches an attacker during exfiltration, when they're copying data out ahead of encryption. Flagging an unusual outbound transfer at that moment can shut the attack down before the leak threat ever forms. It works best as part of broader data security solutions that track access and movement.

Network traffic monitoring

The exfiltration stage leaves a footprint, and network traffic monitoring is how you spot it. By watching the flow of data across your network, monitoring tools catch the signs of theft in progress, like a workstation suddenly pushing large volumes of data to an unfamiliar external server or transfers happening at odd hours. 

These patterns rarely resemble normal business activity, which makes them a reliable early warning. Catching an abnormal transfer here can interrupt the attack during exfiltration, before the attacker has everything they need to make the second half of their demand credible.
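The two signals named above (a large push of data to an unfamiliar external host, and transfers at odd hours) can be turned into a simple scoring rule. The following is an added example, not code from the article or from Cohesity's platform; the flow-record format, the internal range, the sanctioned external endpoint, the business-hours window and the 1 GiB threshold are all assumptions made for the example, and the sample flows are constructed. It also serves the data loss prevention section above, since the same rule is what a DLP or network monitor would evaluate during the exfiltration stage.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic). Assumed format:
# <ISO-8601 UTC timestamp> src=<ip> dst=<ip> bytes_out=<bytes>
SAMPLE_FLOWS = """\
2024-05-02T10:15:00Z src=10.0.1.25 dst=10.0.2.10 bytes_out=734003200
2024-05-02T11:02:00Z src=10.0.1.25 dst=203.0.113.50 bytes_out=2097152
2024-05-02T02:13:00Z src=10.0.1.25 dst=198.51.100.9 bytes_out=5368709120
2024-05-02T14:40:00Z src=10.0.1.31 dst=198.51.100.9 bytes_out=3221225472
2024-05-02T03:05:00Z src=10.0.1.31 dst=203.0.113.50 bytes_out=524288
"""

INTERNAL = [ip_network("10.0.0.0/8")]                 # assumed internal range
KNOWN_EXTERNAL = {ip_address("203.0.113.50")}         # assumed sanctioned SaaS endpoint
BUSINESS_HOURS = range(7, 20)                         # 07:00-19:59 UTC, assumed
LARGE_TRANSFER = 1 * 1024 ** 3                        # 1 GiB, assumed threshold


def parse_flow(line: str) -> dict:
    """Parse one flow record into typed fields."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    return {
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": ip_address(rec["src"]),
        "dst": ip_address(rec["dst"]),
        "bytes_out": int(rec["bytes_out"]),
    }


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL)


def exfil_indicators(flow: dict) -> list:
    """Return the reasons a single outbound flow looks like exfiltration (empty = nothing unusual)."""
    reasons = []
    if is_internal(flow["dst"]):
        return reasons                     # intra-network copies are out of scope for this rule
    if flow["bytes_out"] >= LARGE_TRANSFER:
        reasons.append("large outbound transfer")
    if flow["dst"] not in KNOWN_EXTERNAL:
        reasons.append("unfamiliar external destination")
    if flow["time"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def detect(lines: str, min_reasons: int = 2) -> list:
    """Alert on flows where at least min_reasons indicators coincide.

    Requiring two indicators keeps a lone off-hours sync to a sanctioned service
    from paging anyone, while a big transfer to an unknown host still fires.
    """
    alerts = []
    for line in lines.strip().splitlines():
        flow = parse_flow(line)
        reasons = exfil_indicators(flow)
        if len(reasons) >= min_reasons:
            alerts.append((str(flow["src"]), str(flow["dst"]), reasons))
    return alerts


if __name__ == "__main__":
    for src, dst, reasons in detect(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {', '.join(reasons)}")
```

On the constructed sample, the 5 GiB transfer from 10.0.1.25 at 02:13 and the 3 GiB transfer from 10.0.1.31 to the same unknown host are the two flows that would trigger an alert; the small off-hours flow to the sanctioned endpoint scores only one indicator and is left alone. Alerting on the sum of bytes per source over a window, rather than per flow, is the natural next refinement, since attackers may split a large copy into many smaller transfers.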

Immutable backups

An immutable backup can't be changed, encrypted, or deleted after it's written, even by someone using stolen admin credentials. That guarantees a clean restore point survives the attack, stripping the encryption of its power as a bargaining chip. Reliable data backup and recovery services let you bring systems back quickly from those protected copies, turning recovery into a routine restore.

How Cohesity addresses both sides of double extortion

The defenses above describe what double extortion protection requires. Cohesity delivers them on one platform, changing how they work together during an actual attack.

Because detection and backup live in the same system, the same anomaly signals that flag an attack also pinpoint which recovery points are clean. You're not scanning backups blindly after the fact or guessing which copy predates the intrusion. The platform tells you.

Where Cohesity goes further is recovery itself. Restoring straight into production is how organizations get hit twice, reintroducing the malware along with their data. Cohesity's clean room solves this by giving you an isolated environment to investigate the attack, confirm your data is free of threats, and trace how the attacker got in before anything touches production. You rebuild from a verified clean state and close the entry point in the same move, so the recovery doesn't hand the attacker a second opportunity.

To see how this fits your environment, explore Cohesity's ransomware data recovery solution and its incident response service.

Double extortion ransomware FAQs

How does double extortion ransomware differ from traditional ransomware?

Double extortion ransomware differs from traditional ransomware by adding data theft to encryption. Traditional ransomware only encrypts your files and demands payment for the decryption key. Double extortion steals a copy of your data first, then threatens to leak or sell it, which gives the attacker leverage even if you recover your files from backup.

Why is a double extortion ransomware attack dangerous?

A double extortion ransomware attack is dangerous because recovering from backup no longer ends the threat. Even after you restore your systems, the attacker still holds a copy of your stolen data and can leak it publicly. This exposes your organization to regulatory penalties, lawsuits, and lasting damage to customer trust, turning a recoverable outage into a permanent data breach.
