Double extortion ransomware

support Hero Banner

What Is Double Extortion Ransomware?

Double extortion ransomware is when cyberattackers demand two ransoms: payment to decrypt data and/or backups and payment not to leak the exfiltrated, or stolen, data. A double extortion ransomware attack is a Ransomware 3.0 scheme whereby bad actors encrypt production data and/or data backups, exfiltrate or steal it, then threaten to release or sell the data on the dark web unless the organization targeted agrees to pay ransom. Approximately 83% of ransomware attacks in the third quarter of 2021 employed this tactic. With the rise of cryptocurrencies such as Bitcoin and Ethereum, double extortion ransomware attacks have skyrocketed, because cybercriminals can remain anonymous while receiving payments through untraceable, easily collectible means.

Why Is Double Extortion Ransomware Important?

Because of its prevalence, double extortion ransomware is incredibly important for organizations to understand and protect against. Due to its sophistication, effectiveness, and exponentially increased blast radius, this tactic represented 83.3% of ransomware attacks in Q3 of 2021. Double extortion ransomware not only negatively impacts the organization having its data and/or backups encrypted, but also harms its customers, employees, and partners because potentially damaging or sensitive data (e.g., healthcare data or social security numbers) that the company was supposed to be safeguarding is publicly exposed on the web for anyone to see.

With the rise of cryptocurrencies, ransomware attacks have skyrocketed as these forms of criminality allow bad actors to work anonymously, while tactics such as double extortion ransomware attacks have helped to guarantee ransom payouts through the untraceable, easily collectible means of cryptocurrencies.

Is Ransomware Extortion?

Yes. Ransomware is unlawful access to another organization’s data for the purpose of extorting payment to get it back. By definition, extortion is “the practice of obtaining something, especially money, through force or threats.” Ransomware is malware used by cybercriminals to prevent an organization from accessing its systems, intellectual property, or customer data, and can include selling or leaking that data, thereby forcing organizations to pay attackers to regain access to their data or systems or to stop the sale or leaking of crucial information. Ransomware of any kind—in the form of one attack or a double extortion ransomware scheme—is extortion because it employs coercive tactics for financial gain.

What Are Two Most Common Types of Ransomware?

Two of the most common forms of ransomware used in ransomware and double extortion ransomware schemes are Crypto and Locker. Crypto ransomware encrypts an organization’s data so that it becomes unusable, with the perpetrator of the malware often demanding a ransom from the victimized organization in exchange for the decryption key. Locker ransomware locks an organization out of its data and systems entirely, with the perpetrator once again demanding a ransom from the victim in exchange for unlocking the data or systems.

What Is Cyber Extortion?

Cyber extortion refers to cybercrimes involving a bad actor—ranging from a malicious individual to a state-run syndicate—attacking an organization or threatening to do so unless a ransom payment is received. A ransomware attacker typically uses the tactics of cyber extortion for financial gain.

Is Cyber Extortion the Same as Ransomware?

No. Ransomware uses the technique of cyber extortion, but cyber extortion is not the same as ransomware. Ransomware is malware—the intrusive software that cybercriminals use to perpetrate a cyberattack—often involving encryption and data exfiltration to prevent an organization from accessing its data or systems until a payment is received. Cyber extortion is the online crime of holding an organization’s data or systems hostage until a payment is received, but it can be perpetrated through ransomware as well as the prevention of users accessing the services of an organization (i.e., a distributed denial of service attack).

What Is Data Extortion?

A data extortion ransomware hack is a cybercrime. It involves stealing and holding an organization’s critical data hostage until a payment is received. It is frequently perpetrated through the encryption of data and data backups and exfiltration, which is the threat of releasing that data to the public or selling it on the dark web unless the victimized organization pays the ransom.

What Is Exfiltration in Cybersecurity?

Exfiltration in cybersecurity refers to the unauthorized removal, or theft, of data by cybercriminals with the malicious intent of extorting or embarrassing an organization. Exfiltration is often part of a double extortion ransomware attack, whereby data is encrypted and then removed, allowing cybercriminals to demand ransom for both the decryption of stolen data and the promise that no data will be leaked.

How Is Ransomware Detected?

Ransomware can be detected in a variety of ways:

  • Through the disruption of an organization’s services or access to its data or systems
  • Through an organization’s antivirus programs which monitor for ransomware-related text strings
  • Through data security and management solutions that monitor for anomalies and alerts when one is discovered

Modern anti-ransomware services include machine learning and artificial intelligence (AI/ML) capabilities.

Is Ransomware as a Service Illegal?

Ransomware as a Service (RaaS) is a subscription-based service that allows cybercriminals to use a pre-existing ransomware tool to conduct cyberattacks. When organization’s pay ransom, the affiliate also gets paid a percentage. RaaS allows any user—regardless of technical skill—to perpetrate cybercrimes, and it is illegal.

Cohesity and Double Extortion Ransomware

Cohesity offers one of the most effective data security and management solutions to combat double extortion ransomware. Our modern data management platform counters the coercive technique with capabilities that prevent, detect, and respond to ransomware and cybercriminals.

Data managed by Cohesity is stored in the immutable file system SpanFS, preventing bad actors, including insiders with malicious intent, from accessing, encrypting, replicating, or exfiltrating this data. Cohesity Helios detects anomalies and notifies IT staff of any variants through continuous and automatic monitoring using AI/ML. And finally, Cohesity offers rapid recovery, including near instant mass restore, in the event of a disaster, ensuring that organizations can return to normal operations as swiftly as possible.

You may also like


Countering the Evolving Threat of Ransomware

Learn more
esg thumbnail
Buyer's Guide

Ransomware readiness: An in‑depth evaluation guide

Learn more
Solution Brief

Counter ransomware attacks with Cohesity

Learn more
Cohesity Blog Hero Ransomware

Guarding Against Ransomware Requires More Than Just Detection

Learn more

Why Legacy Backup Is Ransomware’s Hottest Target

Learn more
Backup and Data Governance Blog Hero

Backup and DataGovernance

Learn more
Icon ionic ios-globe

You are now leaving the German section of and come to an English section of the site. Please click if you want to continue.

Don't show this warning again

Icon ionic ios-globe

You are now leaving the German section of and come to an English section of the site. Please click if you want to continue.

Don't show this warning again