Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Cybersecurity
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
What is Double Extortion Ransomware? And How to Avoid It
Last updated
November 13, 2025
{x} minute read

What is Double Extortion Ransomware? And How to Avoid It

Get a demo
Free trial
Download the PDF guide
Free trial
Written by
Axel Sukianto
Marketing Director
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

As the internet grows, so does the sophistication and capabilities of cyber attacks. Cybercriminals constantly develop new ways to exploit even the most complex networks and servers. One of the newer types of attacks caused major headlines in 2020 and continues to be a force to be reckoned with for even the largest companies and organizations. It's called a double extortion ransomware attack.

Becoming a victim of these vicious attacks can lead to devastating consequences. Ransomware threats are real, making security awareness a top priority. This is your guide to what double extortion ransomware attacks are, how they happen, achieving cybersecurity, and what you can do prevent becoming a victim.

What is Ransomware?

Ransomware is a hostage situation. It is a type of malicious software, which is also called malware, that steals data, encrypts it, and then denies the rightful owners access until the ransom demanded by the attacker is paid. The ransom amount varies greatly and can be anywhere from hundreds to millions of dollars. In most cases, payment is required in a cryptocurrency such as Bitcoin, Ethereum, Tether, etc. The attacker sets a deadline that the victim is expected to meet.

It is pertinent to understand that it may not just be compromised data and files. Users may be locked out of and denied access to parts of or their entire system.

Learn more about ransomware.

What is a Double Extortion Ransomware Attack?

A double extortion ransomware attack takes the traditional ransomware attack to the next level and ups the ante. The cyber attacker exploits the victim's data, files, or even the entire server. The information is encrypted, and a ransom is demanded. The method of encrypting files as a part of carrying out a ransomware attack is also known as DoppelPaymer. Up until now, this is all part of a typical ransomware attack.

However, in double extortion, attackers take it a step further and threaten to publish the sensitive data on the dark web, sell the data to the highest bidder, or destroy it if the ransom isn't paid by the deadline. Backups are great for restoring data but will not mitigate the damage of stolen information getting out.

The point is that the criminal hacker has additional leverage to ensure payment is received. Attorneys, healthcare facilities, and schools, just to name a few, store mass amounts of sensitive data that could devastate the institution and the individuals whose information has been compromised. This is what makes double extortion ransomware attacks so effective and dangerous.

How Do Cyber Attackers Gain Access?

Attackers use ransomware to gain access to servers in a variety of ways, including:

  • Phishing attacks - Ransomware operators send fraudulent messages that mimic those from a company's executives, asking for sensitive information. The idea is that recipients will believe the message came from one of their supervisors and willingly release the information.

    Learn more about phishing attacks.
  • Malware - Attackers deploy malware on a server with the intent of disrupting the network to obtain unauthorized access.

    Learn more about malware.
  • Stolen credentials - Attackers who steal login credentials can carry out a double extortion attack from within the system.

Three of the most popular double extortion ransomware include:

  1. Netwalker Ransomware - This is a malware designed specifically for Windows Operating Systems. The software encrypts and moves all of the data it finds. The victim then receives a ransom demand that must be paid in order to restore the data.
  2. Egregor Ransomware - This type of ransomware is a mix of Maze ransomware and Sekhmet ransomware. It is carried out by a ransomware group known as the Egregor group. Their method is to breach sensitive data, encrypt it, demand a ransom that must be paid within three days, and publish some of the breached data on the dark web to a data leak site as proof that they have it. There are plenty of forums and sites available for this type of criminal activity. In 2020, a ransomware incident involving this ruthless group successfully attacked Barnes & Noble, one of North America's most recognized book chains.
  3. Ransomware as a Service (Raas) - This is a type of ransomware that is a subscription-based model for affiliates. These affiliates use a set of ransom tools that have already been developed to carry out attacks and, once successful, earn a percentage of the ransom payment.
  4. Sodinokibi ransomware - Also known as REvil (Ransomware Evil), this was first discovered in 2019 and involves a highly evolved ransomware that encrypts files and then deletes the message request for ransom.
  5. Conti ransomware - This type of attack is known for its speed of encryption, which makes it very dangerous because it can spread to and infect other systems very quickly.

This is a nonexclusive list. There are many examples of ransomware, as the methods by which cybercriminals carry out these attacks continue to evolve and become more sophisticated. New techniques are always being developed as technology advances. Ransomware attacks are carried out by individuals, and ransomware gangs.

Double Extortion Ransomware Attack Sequence

The following is the typical sequence that cyber attackers take when carrying out a double extortion ransomware attack:

  1. The threat actor gains initial access to the victim's system by any means necessary.
  2. The infiltrator then surveys the network to find all of the sensitive data.
  3. The attacker or ransomware gang then exfiltrates the data.
  4. The attacker's chosen ransomware is then deployed to the system.
  5. The data is encrypted.
  6. The victim is denied access to the data held hostage.
  7. Ransom is demanded, and the consequences are not paying are made clear.
  8. If the ransom is paid, the information should be given back and access granted.
  9. The information is leaked, destroyed, or sold if the ransom is not paid. This is even more devastating if you do not have backups of your data.

There Are No Guarantees Your Information Will Be Returned Safely

Cybercriminals do not play by an ethical set of rules. There are sure to be consequences if you do not pay the ransom. Threat actors do not care whose lives are ruined by the release of information. Hostage data will be released, destroyed, or sold without a second thought.

However, the same is true even if you do pay the ransom. There is still no guarantee that the information will not be leaked or access returned to you without harm. Many law authorities, including the FBI, strongly advise against paying the ransom.

Ideally, the attacker will provide full decryption of the stolen data. The bottom line is that there is no appealing outcome under a double extortion ransomware attack. This is why it is crucial to prevent these cyber attacks before they happen.

How to Prevent Double Extortion Ransomware Attacks

Double extortion ransomware attacks are extremely dangerous and costly with no guarantee of a successful outcome. To make matters worse, the number of attacks is continuously increasing and becoming more aggressive and malicious in nature. The good news is that you can take steps to help protect your company from double extortion ransomware attacks before they happen.

Zero-Trust Architecture

Your company should deploy a zero-trust policy when it comes to trust. Applications, websites, emails, and links should not be inherently trusted but instead, have to go through a rigorous authentication process before authorization is granted. This means three principles must be enacted, and they are:

  1. Reduce the size of the attack surface - Use a proxy-based brokered exchange to ensure users and the network's applications are invisible to the world wide web.
  2. Reduce the ability to move laterally - If hackers can't see the information, they can't steal it. So, properly hiding data from view reduces the chances that attackers will be able to move laterally through your servers, stealing more data and causing even more harm.
  3. Continuous monitoring - Analyze all incoming and outgoing traffic for threats of a data breach. This includes encrypted and unencrypted data.

Having an anti-trust approach to your network and servers reduces the chances of becoming a victim of double extortion ransomware attacks.

Learn more about zero-trust architecture.

Ensure Security Policies are Enforced Consistently

In larger companies, ensuring safety protocols and policies are being followed consistently can be difficult. However, it is worth the time and resources to ensure users take the appropriate security measures every time. The best way to do this is to implement a secure access service edge (SASE) architecture. This technology ensures that security policies are enforced no matter who is using the system and where they are.

Learn more about the SASE architecture.

Keep Security Software and Protocols Up-to-Date

Software that isn't up-to-date is the most vulnerable to cyberattacks. Security updates should always be made a priority. Your IT team needs to run regular scans to check for available updates and install them as soon as possible. Make sure you have the following in place:

Train Users

Thoroughly train users on double extortion ransomware attacks so that they understand what they are and the devastating effects they can have on the company or even individuals within the company. Employees need to know what to look for and steps they can take to prevent facilitating one of these attacks. Training should be mandatory for all new employees, with follow-up training required after a specified period of time (e.g., 3 years).

Deploy Protective Solutions

Taking preventative actions is undoubtedly effective but does not provide comprehensive protection against double extortion ransomware attacks. Even high-profile companies aren't immune to ransomware threats. Adopting reputable attack surface management software offers the utmost protection to your company's network. With a 360-degree view, you have a significantly better chance of identifying potential threats before they become full-blown attacks.

Learn a strategy for obfuscating ransomware attack attempts.

Implement an Attack Surface Management Solution

Continuous monitoring ensures real-time alerting of emerging cyber threats, helping to keep you protected against double extortion ransomware attacks.

UpGuard’s attack surface management software identifies exploitable vulnerabilities before they're discovered by ransomware attackers. Detailed reports allow you to see your current risk profile, areas of weakness, and other important cybersecurity insights.

Related posts

Learn more about the latest issues in cybersecurity.
Cybersecurity

Risk Automations: The Shift From Catch-Up to Command

Connect intelligence to system execution with Risk Automations, your new resolution layer for risk. Reduce remediation from hours to seconds - read more.
Revashni Moodley
Revashni Moodley
December 1, 2025
Cybersecurity

Shai-Hulud's True Lesson for CISOs: A Crisis of Communication

Shai-Hulud was driven by a communication crisis between security and engineering. Get a CISO's perspective on how to finally bridge this gap.
Phil Ross
Phil Ross
December 1, 2025
Cybersecurity

UpGuard’s Updated Cyber Risk Ratings

Discover UpGuard's updates to its cyber risk ratings, including enhanced risk categorization and an improved scoring algorithm.
Nicholas Sollitto
Nicholas Sollitto
July 2, 2025
Cybersecurity

Introducing UpGuard's New SIG Lite Questionnaire

Streamline your data collection and vendor risk assessments with UpGuard’s SIG Lite risk-mapped questionnaire.
Caitlin Postal
Caitlin Postal
June 26, 2025
Attack Surface Management

Typosquatting Explained with Real-World Examples

Learn more about typosquatting, what it is, how it works, and how to protect your business. Explore legal strategies, tools, and real-world examples here.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
Cybersecurity

Why is Cybersecurity Important?

If your business isn't concerned about cybersecurity, it's only a matter of time before you're an attack victim. Learn why cybersecurity is important.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
All posts