What is double extortion?
Double extortion is the ransomware tactic in which the criminal steals a company's data before encrypting it and then makes two threats at once: keep the files locked and publicly leak what was stolen. It is criminals' answer to backups, because even a company that can restore its own files still faces the threat of the leak.
How double extortion works
Double extortion adds a silent step to a ransomware attack, stealing the data before the encryption. The attack usually follows four stages.
Entry and reconnaissance
The attacker gets in through a phishing email, an exposed remote access or a leaked credential, and maps where the most valuable data sits.
Data theft
Before locking anything, they copy the sensitive files out: contracts, customer data, financial information. This is the stage double extortion adds.
Encryption
Only then does the ransomware scramble the files and, when it reaches them, the connected backups, bringing systems to a halt.
A double demand
Two demands appear: one for the key that returns the files and one for silence about the stolen data, with a deadline and a leak site waiting to apply pressure.
Source: Zscaler ThreatLabz and N-able Cyber Encyclopedia.
Variations of extortion
- Double extortion Steals the data and encrypts the systems. The company is charged twice: to get back to work and to keep the data from leaking.
- Triple extortion Adds a third layer of pressure, such as a denial-of-service attack or direct contact with the victim's customers, partners and the press.
- Encryption-less extortion The criminal steals the data and threatens to release it without even encrypting. It is faster and stealthier, and it is on the rise.
Why double extortion changes the game
Double extortion disarms the most reliable defense against ransomware: backups. Restoring the files ends the operational downtime, but it does not stop the leak of what was already stolen. And the theft has become the center of the attack. According to Zscaler (ThreatLabz 2025), the volume of exfiltrated data grew 92.7% in a year, with 238.5 TB stolen from just ten ransomware families, and public extortion cases on leak sites rose 70.1%. Some groups no longer even encrypt: they steal and threaten to publish, because the pressure of the leak alone is usually enough. For the business, the damage now includes the exposure of regulated data, broken customer trust and legal risk, everything the backup, on its own, does not cover.
How to protect against double extortion
Because the theft happens before the encryption, defense has to start well before the ransom, in the order that reduces risk the most:
- Stop the theft before it happensAdvanced endpoint defense and monitoring of outbound data detect exfiltration while it is underway, when it can still be contained.
- Isolated, immutable, tested backupSolves the encryption half: the company gets back to work without paying for the key, even if the leak remains a separate threat.
- A second identity checkBeyond the password, on access and email: it blocks the leaked credential that opens the door to the attack.
- Network segmentationLimits lateral movement, so a single compromised device does not grant access to all the data at once.
- Leak monitoringWatching the dark web and leak sites quickly reveals whether the company's data has been stolen or advertised.
- An incident response planWho does what in the first hours, including legal notification and notifying the people the data belongs to, defined before it is needed.
In practice
A backup protects against encryption, not the leak. That is why defending against double extortion starts with stopping the theft of the data, not just being able to restore it.
How Zamak handles double extortion
Zamak Technologies handles double extortion on both halves of the attack: helping stop the theft, with managed Cybersecurity across endpoint, email and identity, and answering for the return of your operations, with Continuity built on isolated backup and tested recovery. A good starting point is the ransomware readiness diagnostic, which shows in a few minutes where your company is exposed to both the theft and the downtime.