Ransomware is no longer just about locking files. In 2025, 96% of ransomware attacks involved data exfiltration alongside encryption, turning every incident into a potential data breach. This shift — known as double extortion ransomware — has fundamentally rewritten the threat landscape for security teams. Backups alone no longer guarantee recovery, and the stakes now include regulatory penalties, reputational damage, and the permanent exposure of sensitive data on dark web leak sites. A record 7,458 to 7,960 victims were named on ransomware leak sites in 2025, a 53% year-over-year increase. This guide breaks down how double extortion works, who is behind it, and what security teams can do to detect and stop these attacks before data leaves the network.
Double extortion ransomware is a cyberattack model in which threat actors steal sensitive data before encrypting the victim's systems, then threaten to publish the stolen information on dark web leak sites unless a ransom is paid. Unlike traditional ransomware that relies solely on encryption, this approach creates two simultaneous leverage points: the inability to access encrypted systems and the risk of public data exposure.
The Maze ransomware group pioneered this tactic in late 2019 when they published a victim's stolen data after the organization refused to pay. Within months, nearly every major ransomware operation adopted the approach. By Q3 2025, BlackFog reported that 96% of ransomware attacks involved data exfiltration, making double extortion the dominant attack model rather than the exception.
This matters because backups — long considered the primary defense against ransomware — address only the encryption component. Even organizations that can fully restore their systems from immutable backups still face the threat of sensitive data being published, sold, or used in further attacks. Double extortion is not the same as data extortion alone; it specifically combines both encryption and data theft as parallel pressure mechanisms.
Comparison of ransomware extortion models
Triple extortion extends the model further by adding distributed denial-of-service (DDoS) attacks against the victim, pressuring third parties such as customers or partners, or threatening to report the victim to regulators. Some ransomware as a service operators now bundle DDoS capabilities as an affiliate service, making multi-extortion ransomware increasingly accessible.
The double extortion attack lifecycle follows a predictable sequence of stages. Understanding this progression is critical because each stage presents detection opportunities — particularly during the pre-encryption exfiltration phase.
1. Initial access: phishing (T1566), exploitation of public-facing applications, or credentials purchased from initial access brokers (IABs). Cisco Talos documented the ToyMaker IAB, which sells network access directly to ransomware operators like CACTUS.
2. Lateral movement: attackers abuse remote services (T1021) to move laterally across the network, escalate privileges, and identify high-value data repositories.
3. Data staging and exfiltration: attackers archive data with a utility (T1560.001) and exfiltrate it to cloud storage (T1567.002). Symantec/Broadcom research found that rclone appears in 57% of ransomware exfiltration incidents.
4. Encryption: data is encrypted for impact (T1486). Splunk/Sophos analysis places median dwell time at four to five days before encryption. However, the Unit 42 2026 Global Incident Response Report found the fastest quartile of attackers now reaches exfiltration in just 72 minutes.

Current double extortion groups rely on a consistent set of data exfiltration tools. Knowing what to look for is the first step toward detection.
According to Symantec/Broadcom and Infosecurity Magazine reporting, the most common exfiltration tools include rclone (57% of incidents), MEGAsync, Cobalt Strike, FileZilla, WinSCP, curl, and WinRAR/7-Zip for archiving prior to transfer. The DFIR Report documented a LockBit case in which attackers used Cobalt Strike for command and control communications and rclone for bulk data exfiltration.
Detection indicators for these tools include unusual outbound data volumes to cloud storage providers, connections to known rclone or MEGAsync endpoints, DNS anomalies indicating data tunneling, and behavioral analytics flagging mass file access or staging patterns.
Ransomware leak sites — also called data leak sites (DLS) or shame sites — operate as dark web platforms where groups publish stolen data from victims who do not pay. From a defender's perspective, understanding how these sites work is essential for incident response planning.
The typical escalation follows a pattern. The threat actor first posts the victim's name and a description of the stolen data, often with a countdown timer. A small sample (usually 1% to 5% of stolen data) serves as proof. If the victim engages in negotiation, the timer may be extended. If the deadline passes without payment, data is published incrementally or in full.
Security teams should know that data appearing on a leak site confirms exfiltration occurred, which triggers data breach notification obligations under most regulatory frameworks. Monitoring leak sites through threat intelligence feeds provides early warning, but the goal is to detect and stop exfiltration before data ever reaches these platforms.
Double extortion groups range from well-resourced advanced persistent threat operations to loosely organized affiliate networks. Paying the ransom does not guarantee data safety — as several high-profile cases demonstrate.
Major double extortion ransomware groups active in 2025-2026
Change Healthcare / BlackCat ALPHV stands as the most instructive case. After paying $22 million in ransom, the BlackCat operators executed an exit scam, keeping the payment without providing the promised data deletion. A different affiliate group — RansomHub — then attempted secondary extortion using the same stolen data. Approximately 100 million individuals had their data compromised.
Qilin emerged as the most active group in 2025, with up to 1,034 attributed victims. Their attack on NHS blood testing provider Synnovis in June 2024 halted 90% of blood testing services and cancelled over 1,100 surgeries. The Covenant Health breach in May 2025 saw 852 GB exfiltrated and 478,188 patients affected.
Clop pioneered mass zero-day exploitation for data-only extortion. Their MOVEit Transfer campaign in 2023 impacted approximately 2,000 organizations and 17 million individuals — without ever deploying encryption.
The ransomware as a service model continues to lower the barrier to entry. DragonForce now offers a white-label franchise model with an 80/20 revenue split, while Medusa offers affiliates up to $1 million for initial access to high-value targets.
Double extortion ransomware statistics for 2024-2026 reveal a paradox: victim counts are surging while ransom payments are declining, signaling that more organizations are refusing to pay — but the attacks keep coming.
Double extortion ransomware by the numbers (2024-2026)
Chainalysis reported that total ransomware payments fell 35% from $1.25 billion in 2023 to $813.55 million in 2024, with the median payment declining 50% to $1 million in 2025 (Sophos). Yet the volume of attacks continues to climb. Between 45 and 84 newly observed ransomware and extortion groups emerged in 2025, pushing total active operations to as many as 134 distinct threat actors.
Healthcare remains the most heavily targeted sector for double extortion ransomware, with 700+ breaches in 2024-2025 exposing more than 275 million patient records. The United States accounts for approximately 48% of global victims (Check Point, January 2026).
Cyber insurance is rapidly adapting to the double extortion threat. Because double extortion inherently involves confirmed data exfiltration, it triggers both ransomware payment coverage and data breach response coverage — two areas where insurers are increasingly applying sub-limits rather than full policy coverage.
Insurers now commonly require specific security controls before issuing coverage, including EDR or XDR on all endpoints, immutable backups, and MFA across all privileged accounts. Roughly 76% of insurance losses come from ransomware, and 70% of brokers expect premium increases in 2026. The global cyber insurance market is projected to reach $22.5 billion in 2026. Organizations should review their policies to understand whether ransomware sub-limits apply separately from business interruption and data breach response limits.
Detecting double extortion requires shifting focus from encryption indicators — which arrive too late — to network-level exfiltration anomalies that emerge during the pre-encryption phase. The median four to five day dwell time before encryption provides a critical detection window, but the fastest quartile of attackers now exfiltrates data in 72 minutes. Organizations need sub-hour detection and response capabilities.
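As an added illustration of the indicators listed above (staging tools such as 7-Zip and rclone, followed by bulk outbound transfers to cloud storage) and of the sub-hour detection window, the following Python script correlates constructed process and proxy log lines per host and flags the pre-encryption exfiltration pattern. It is example code, not Vectra AI's product logic; the tool names, cloud-storage domains, log format and thresholds are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators: archiving/exfil utilities named in the article and a few
# illustrative cloud-storage domains (not a vetted blocklist).
STAGING_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe", "filezilla.exe",
                 "7z.exe", "winrar.exe", "curl.exe"}
CLOUD_STORAGE = {"mega.nz", "mega.co.nz", "storage.googleapis.com",
                 "s3.amazonaws.com", "content.dropboxapi.com"}

# Constructed sample log lines (not real telemetry). Two record types:
#   <ISO timestamp> <host> PROC <image>
#   <ISO timestamp> <host> NET <dst_domain> <bytes_out>
SAMPLE_LOGS = """\
2025-10-03T02:10:05 FS01 PROC 7z.exe
2025-10-03T02:12:40 FS01 PROC rclone.exe
2025-10-03T02:13:02 FS01 NET mega.nz 262144000
2025-10-03T02:31:18 FS01 NET mega.nz 314572800
2025-10-03T02:55:09 FS01 NET mega.nz 209715200
2025-10-03T03:00:00 WS17 NET content.dropboxapi.com 15728640
2025-10-03T03:05:30 WS17 PROC winword.exe
2025-10-03T09:00:00 WS22 PROC curl.exe
2025-10-03T09:00:05 WS22 NET api.github.com 4096
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (PROC|NET) (\S+)(?: (\d+))?$")

def parse(line):
    """Return (ts, host, kind, detail, bytes) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    size = int(m.group(5)) if m.group(5) else 0
    return ts, m.group(2), m.group(3), m.group(4).lower(), size

def find_exfil_candidates(lines, window=timedelta(hours=1), byte_threshold=500 * 2**20):
    """Map host -> reasons for hosts that push more than byte_threshold to
    cloud storage inside `window`, noting staging tools that ran beforehand."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            events[rec[1]].append(rec)
    findings = {}
    for host, evs in events.items():
        evs.sort()  # chronological per host
        net = [(ts, d, b) for ts, _, k, d, b in evs if k == "NET" and d in CLOUD_STORAGE]
        tools = [(ts, d) for ts, _, k, d, _ in evs if k == "PROC" and d in STAGING_TOOLS]
        start = 0
        for end in range(len(net)):  # sliding window over cloud transfers
            while net[end][0] - net[start][0] > window:
                start += 1
            total = sum(b for _, _, b in net[start:end + 1])
            if total >= byte_threshold:
                reasons = [f"{total // 2**20} MiB to {net[end][1]} within {window}"]
                prior = {d for ts, d in tools if net[start][0] - window <= ts <= net[end][0]}
                if prior:
                    reasons.append("staging/exfil tools seen first: " + ", ".join(sorted(prior)))
                findings[host] = reasons
                break
    return findings

if __name__ == "__main__":
    for host, why in find_exfil_candidates(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(why))
```

On the sample data only FS01 is flagged: 550 MiB reaches mega.nz within 18 minutes, preceded by 7z.exe and rclone.exe; the small Dropbox transfer and the curl call to a non-storage domain stay below the bar.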
The Picus Red Report 2026 found that data exfiltration prevention rates collapsed from 9% to just 3%, underscoring a critical gap in most organizations' defenses.
Key detection strategies include:
Organize your double extortion prevention and detection controls across the NIST Cybersecurity Framework functions:
Common exfiltration tools and their detection signatures
Double extortion always constitutes a confirmed data breach because data exfiltration is inherent to the tactic. This triggers mandatory notification timelines that encryption-only ransomware may not. Security teams must plan for compliance obligations from the moment a double extortion attack is identified.
Regulatory notification requirements triggered by double extortion data breach
The MITRE ATT&CK framework maps directly to double extortion techniques: T1566 (Phishing), T1021 (Remote Services), T1560.001 (Archive via Utility), T1567.002 (Exfiltration to Cloud Storage), T1486 (Data Encrypted for Impact), and T1657 (Financial Theft). Aligning incident response playbooks to these technique IDs ensures coverage at each stage.
The FTC issued its second Congressional report on ransomware in February 2026, signaling increased federal regulatory attention. Organizations should assume that any ransomware incident involves data exfiltration and include breach notification procedures — not just system recovery — in their incident response plans.
The ransomware landscape is undergoing a fundamental shift. Increasingly, threat groups are skipping encryption entirely and relying solely on data theft for leverage — a trend known as data-only or encryption-less extortion.
The numbers are stark. The Picus Red Report 2026 found that T1486 (Data Encrypted for Impact) usage dropped 38% year-over-year. Arctic Wolf's 2026 Threat Report documented an 11x increase in data-only extortion — rising from 2% to 22% of incident response cases. Unit 42 confirmed a 15% decline in encryption-based extortion alongside accelerating exfiltration speeds.
Clop's MOVEit Transfer and Cleo campaigns proved this model at scale. By exploiting zero-day vulnerabilities in file transfer software, Clop stole data from approximately 2,000 organizations without ever deploying encryption. The result was the same: pay or your data gets published.
This evolution has direct implications for defensive strategy. Backup-centric defenses become irrelevant when encryption is not part of the attack. Network traffic analysis and exfiltration detection become the primary line of defense. Triple extortion — which adds DDoS attacks, third-party pressure, or regulatory reporting threats — further increases the complexity of multi-extortion ransomware responses.
The security industry is converging on a detection-first approach to double extortion defense. Current solutions span network detection and response (NDR), extended detection and response (XDR), identity threat detection and response, behavioral analytics, data loss prevention, and SIEM correlation.
Organizations evaluating solutions should prioritize real-time network visibility across hybrid environments, automated exfiltration detection, identity-based threat correlation, and sub-hour detection SLAs. Managed detection and response (MDR) services can supplement in-house SOC operations for organizations that lack 24/7 coverage. AI-driven detection of exfiltration patterns and the convergence of NDR with identity analytics represent the most promising emerging trends. Signal-based approaches that reduce alert noise allow security teams to focus on the behaviors that matter — lateral movement, data staging, and exfiltration — rather than drowning in low-fidelity alerts.
Double extortion reinforces the assume-compromise philosophy at the core of Vectra AI's approach. Since attackers will get in, the critical question is how quickly security teams can find them — particularly during the lateral movement and data staging phases that precede both exfiltration and encryption. Vectra AI's Attack Signal Intelligence focuses on identifying attacker behaviors across the modern network — on-premises, cloud, identity, and SaaS environments — rather than relying solely on prevention. Independent validation shows this approach reduces mean time to detect threats by over 50% (IDC) and cuts alert noise by up to 99% (Globe Telecom), enabling security teams to act within the critical detection window before data is lost.
Double extortion ransomware has become the dominant cyberattack model, transforming every ransomware incident into a potential data breach with regulatory, financial, and reputational consequences. The 96% data exfiltration rate, shrinking detection windows, and the shift toward encryption-less extortion all point to the same conclusion: organizations cannot rely on prevention and backups alone.
The most effective defense combines network-level visibility to catch exfiltration in progress, identity-focused detection to identify compromised credentials, and behavioral analytics to flag attacker behavior during the lateral movement and data staging phases. With the fastest attackers now exfiltrating data in 72 minutes, sub-hour detection and response capabilities are no longer optional.
Security teams that align their detection strategies to the double extortion lifecycle — focusing on the critical pre-encryption window — give themselves the best chance of stopping these attacks before data is lost and the leverage shifts to the attacker.
Double extortion is a ransomware tactic where attackers steal sensitive data before encrypting systems, creating two simultaneous pressure points against the victim. The organization faces permanent data loss from encryption and public exposure of stolen information on dark web leak sites. Traditional backup-only defenses address only the encryption component, leaving the data exposure threat unresolved. With 96% of ransomware attacks now involving data exfiltration (BlackFog, Q3 2025), double extortion has become the dominant ransomware model. Security teams should assume every ransomware incident includes data theft and plan their incident response accordingly, including breach notification procedures alongside system recovery.
The attack follows a six-stage lifecycle. Attackers first gain initial access through phishing, vulnerability exploitation, or credentials purchased from initial access brokers. They then move laterally across the network to identify and access high-value data. The next phase involves staging data — often compressing it with tools like WinRAR or 7-Zip — before exfiltrating it to attacker-controlled infrastructure using tools such as rclone, which appears in 57% of incidents (Symantec/Broadcom). After exfiltration, encryption is deployed. The attackers then issue a ransom demand leveraging both the encrypted systems and the threat of data publication. If the victim does not pay, data is published on a dedicated dark web leak site.
Single extortion relies solely on encrypting systems, demanding payment for a decryption key. If the victim has reliable backups, they can recover without paying. Double extortion adds a data theft component, meaning the attacker holds a copy of sensitive data and threatens to publish it regardless of whether the victim can restore encrypted systems. This fundamentally changes the risk calculation — even organizations with excellent backup and recovery capabilities face regulatory, legal, and reputational consequences from data exposure. Triple extortion further escalates by adding DDoS attacks, pressuring third parties, or threatening to report the victim to regulators.
Backups protect against the encryption component but not against data exposure. Since the overwhelming majority of ransomware attacks now include data exfiltration, restoring from backups resolves system availability but does not prevent stolen data from being published, sold, or used for secondary extortion. Organizations need a layered defense that combines immutable backups for recovery with network-level exfiltration detection to catch data theft in progress. Network detection and response, behavioral analytics, and identity threat detection provide the visibility needed to identify attackers during the lateral movement and data staging phases that precede exfiltration.
Stolen data is typically published on the threat actor's leak site after a deadline expires, often in stages to increase pressure. However, paying does not guarantee safety either. The Change Healthcare incident demonstrated this clearly — after a $22 million payment, the BlackCat/ALPHV operators executed an exit scam, and a separate affiliate group (RansomHub) attempted secondary extortion using the same data. Chainalysis data shows ransomware payments declined 35% in 2024, indicating more organizations are refusing to pay and instead focusing on detection, containment, and recovery.
The Maze ransomware group is widely credited with pioneering double extortion in late 2019. After a victim refused to pay the ransom, Maze published the organization's stolen data publicly — establishing the model that the vast majority of ransomware groups now follow. Before Maze, ransomware operators relied exclusively on encryption. The success of Maze's approach led to rapid adoption across the threat landscape, with groups like REvil, DoppelPaymer, and Conti quickly building their own leak site infrastructure. By 2025, double extortion had become the default operational model for ransomware.
Healthcare is the most heavily targeted sector, with 700+ breaches in 2024-2025 exposing more than 275 million patient records. The combination of sensitive patient data, regulatory obligations (HIPAA), and operational urgency makes healthcare organizations particularly vulnerable to extortion pressure. Other primary targets include manufacturing, critical infrastructure (prompting a CISA/FBI joint advisory on Medusa), financial services, telecommunications, education, and government. The United States accounts for approximately 48% of victims globally (Check Point, January 2026), with Western Europe (UK, Germany, Italy, Spain) and the Asia-Pacific region emerging as growing target zones.