Skip to Content
Threats and Attacks

What is double extortion?

Double extortion is the ransomware tactic in which the criminal steals a company's data before encrypting it and then makes two threats at once: keep the files locked and publicly leak what was stolen. It is criminals' answer to backups, because even a company that can restore its own files still faces the threat of the leak.

Zamak TechnologiesUpdated on July 10, 2026

How double extortion works

Double extortion adds a silent step to a ransomware attack, stealing the data before the encryption. The attack usually follows four stages.

1

Entry and reconnaissance

The attacker gets in through a phishing email, an exposed remote access or a leaked credential, and maps where the most valuable data sits.

2

Data theft

Before locking anything, they copy the sensitive files out: contracts, customer data, financial information. This is the stage double extortion adds.

3

Encryption

Only then does the ransomware scramble the files and, when it reaches them, the connected backups, bringing systems to a halt.

4

A double demand

Two demands appear: one for the key that returns the files and one for silence about the stolen data, with a deadline and a leak site waiting to apply pressure.

Source: Zscaler ThreatLabz and N-able Cyber Encyclopedia.

Variations of extortion

  • Double extortion Steals the data and encrypts the systems. The company is charged twice: to get back to work and to keep the data from leaking.
  • Triple extortion Adds a third layer of pressure, such as a denial-of-service attack or direct contact with the victim's customers, partners and the press.
  • Encryption-less extortion The criminal steals the data and threatens to release it without even encrypting. It is faster and stealthier, and it is on the rise.

Why double extortion changes the game

+92.7%
increase in the volume of stolen data in one year (Zscaler ThreatLabz 2025)
238.5 TB
of data exfiltrated from just 10 ransomware families (Zscaler ThreatLabz 2025)
+70.1%
increase in public extortion cases on leak sites (Zscaler ThreatLabz 2025)

Double extortion disarms the most reliable defense against ransomware: backups. Restoring the files ends the operational downtime, but it does not stop the leak of what was already stolen. And the theft has become the center of the attack. According to Zscaler (ThreatLabz 2025), the volume of exfiltrated data grew 92.7% in a year, with 238.5 TB stolen from just ten ransomware families, and public extortion cases on leak sites rose 70.1%. Some groups no longer even encrypt: they steal and threaten to publish, because the pressure of the leak alone is usually enough. For the business, the damage now includes the exposure of regulated data, broken customer trust and legal risk, everything the backup, on its own, does not cover.

How to protect against double extortion

Because the theft happens before the encryption, defense has to start well before the ransom, in the order that reduces risk the most:

  1. Stop the theft before it happensAdvanced endpoint defense and monitoring of outbound data detect exfiltration while it is underway, when it can still be contained.
  2. Isolated, immutable, tested backupSolves the encryption half: the company gets back to work without paying for the key, even if the leak remains a separate threat.
  3. A second identity checkBeyond the password, on access and email: it blocks the leaked credential that opens the door to the attack.
  4. Network segmentationLimits lateral movement, so a single compromised device does not grant access to all the data at once.
  5. Leak monitoringWatching the dark web and leak sites quickly reveals whether the company's data has been stolen or advertised.
  6. An incident response planWho does what in the first hours, including legal notification and notifying the people the data belongs to, defined before it is needed.

In practice

A backup protects against encryption, not the leak. That is why defending against double extortion starts with stopping the theft of the data, not just being able to restore it.

How Zamak handles double extortion

Zamak Technologies handles double extortion on both halves of the attack: helping stop the theft, with managed Cybersecurity across endpoint, email and identity, and answering for the return of your operations, with Continuity built on isolated backup and tested recovery. A good starting point is the ransomware readiness diagnostic, which shows in a few minutes where your company is exposed to both the theft and the downtime.

Frequently asked questions about double extortion

What is the difference between ransomware and double extortion?
Classic ransomware encrypts the files and charges for the key. Double extortion adds the theft of the data before the encryption and a second threat: to leak what was stolen. Today data theft is so central that some groups no longer even encrypt.
If I have a backup, am I protected against double extortion?
The backup protects half the problem. It returns the files without paying for the key, but it does not stop the stolen data from being leaked. That is why complete defense also has to stop the theft, not just enable recovery.
What is triple extortion?
It is double extortion with a third layer of pressure: a denial-of-service attack that takes systems down, or direct contact with the victim's customers, partners and the press to force payment.
Does paying the ransom guarantee the data will not leak?
No. Paying gives no guarantee that the stolen copies will be deleted, and it funds new attacks. There are victims who paid and had their data leaked anyway.
What is encryption-less extortion?
It is when the criminal only steals the data and threatens to release it, without encrypting anything. It is faster and harder to notice, and it is growing because the threat of the leak alone already pressures the victim to pay.
How do I know if my company's data has already been stolen?
Signs such as unusual outbound traffic, alerts from endpoint defense and data appearing on leak sites point to exfiltration. Monitoring leaks and the dark web helps find out before the damage spreads.

Related terms

Threats and Attacks
RansomwarePhishingBEC (email fraud)Social engineeringDouble extortionDark webMalwareDDoSVishingData breach
Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake