The rise of double extortion ransomware
With the use of this tactic increasing, we look at how you can protect your business
Max Slater-Robins
Ransomware is a persistent, disruptive cyber threat that organizations of all sizes and types face daily. In recent years, its playbook has evolved in increasingly sophisticated ways.
What began as a straightforward business model – encrypting data and demanding payment for its return – has developed into a far more dangerous form of extortion. In the double extortion model, attackers not only lock victims out of their systems, but also steal sensitive data and threaten to publish it on so-called leak sites if a ransom is not paid.
This new approach has proven highly effective, letting cybercriminals double their leverage, increase their chances of a payout, and often sidestep regulatory or insurance barriers that might otherwise limit the victim’s willingness to negotiate.
As a result, double extortion is no longer a fringe tactic and has become the dominant ransomware approach across much of the threat landscape.
To get a sense of that landscape, ITPro spoke to Matt Hull, VP, head of Cyber Intelligence and Response at NCC Group, and trawled public reports. Protecting your organization has never been harder, but having as much information as possible is a good starting place.
The origins of double extortion ransomware
The double extortion model traces its roots back to around 2019, when a small number of groups began to experiment with a new method of increasing pressure on victims.
The most prominent of these was Maze, which pioneered the tactic of exfiltrating sensitive data before encrypting it – then threatening to release that data publicly unless the ransom was paid. This two-pronged approach turned what had previously been an operational disruption into a reputational crisis, dragging in regulators, clients, suppliers, and the press.
Maze’s innovation proved effective. Other groups soon followed suit, including REvil, DoppelPaymer, and NetWalker, each operating so-called leak sites where non-compliant victims were named and shamed.
By 2020 and 2021, double extortion had become standard operating procedure for many of the most active ransomware operations, marking a broader professionalization of the cybercrime ecosystem, with criminal gangs adopting strategies that mirrored enterprise IT.
How the extortion ransomware ecosystem fragmented
The rise of double extortion did not just influence attacker tactics – it reshaped the entire ransomware economy.
As early adopters like Maze and REvil demonstrated the commercial viability of combining encryption with data leaks, new players began to enter the market. Rather than operating as tightly controlled groups, many of these actors adopted a modular, service-based model that allowed for greater scale and resilience.
The result was the proliferation of ransomware as a service (RaaS), in which core developers lease their tooling to affiliates who carry out the intrusions in exchange for a share of the profits. This lets even relatively low-skilled criminals take part.
Over time, the ecosystem became more fragmented and complex.
As Hull explains: “With access brokers, leak site operators, and affiliates specializing in different stages of the attack lifecycle, campaigns are more agile and scalable than before. This modular approach has made disruption more complex and attribution harder.”
This industrialized model has made it more difficult for law enforcement to act decisively. Targeting a single affiliate does little to slow down operations when tooling, infrastructure, and monetisation are all provided by third parties.
A tactical evolution: from theft to pressure
“Since 2022, we’ve seen double extortion tactics evolve beyond simple data theft and encryption,” says Hull. “Threat actors are becoming more selective in what they steal – focusing on highly sensitive or reputationally damaging material including PII, financial data, user credentials and authentication data and so on – and combining this with secondary pressure tactics, such as contacting customers or suppliers to amplify the impact.”
This added layer of coercion significantly increases the pressure on victims, turning cyber attacks into multifaceted crises. Rather than simply locking systems and threatening to publish stolen data, attackers may now notify affected third parties directly – a tactic seen in recent campaigns targeting legal, healthcare, and retail sectors.
Sophos reports that in 2025, 28% of organizations that had data encrypted in ransomware attacks also had data stolen. The report’s authors noted that double extortion attacks were more common against larger firms and posited that data from larger organizations is more of an incentive to hackers. It’s hard to confirm this, however, as smaller firms may also lack the resources to detect and account for stolen data.
The trend is also evident in campaigns like those carried out by the Akira and Lynx ransomware groups, which use stolen credentials, VPN vulnerabilities, and defense evasion to steal data in addition to encrypting it.
Top targets for double extortion ransomware
While ransomware once focused heavily on large enterprises with deep pockets, today’s double extortion campaigns span a much broader range of targets.
“There’s a clear trend towards broader victim profiles,” says Hull. “While some ransomware groups continue to pursue large enterprises, others increasingly target smaller and mid-sized organisations, particularly where defenses are less mature, or external attack surfaces are poorly managed.”
“With the rise of ransomware-as-a-service, it’s easier for new or lower-skilled actors to target SMEs. In the UK, we’ve seen impactful incidents in sectors like local government, healthcare, and more recently retail.
“So, while it’s not exclusively smaller businesses, they are certainly more exposed than they were a few years ago, especially considering the low morals of the criminals operating in cyberspace.”
A hybrid and ideological shift
In 2026, ransomware campaigns are no longer just about money. Groups like DragonForce and FunkSec increasingly blend financial extortion with ideological or political narratives.
“The recent activity by groups like DragonForce and FunkSec suggests a shift towards more hybrid operations, where traditional financially motivated tactics are layered with political or ideological narratives,” says Hull. “These groups also seem to be more ‘media-savvy’, framing attacks in ways that seem to blur the line between cybercrime and activism.”
FunkSec has gained attention as one of the first AI-enabled ransomware groups. While AI hasn’t changed the mechanics of ransomware delivery, it is helping attackers with phishing and targeting. “At the moment,” Hull notes, “AI appears more influential on the defensive side, particularly in detection, triage, and response.”
How organizations can fight back
As ransomware tactics have evolved, many organizations – particularly in finance, healthcare, and critical infrastructure – have improved their countermeasures.
“Many UK organizations have responded by maturing their defensive posture,” says Hull, though he notes that progress varies. “An organization's maturity in cyber security is highly dependent on factors such as budgets and regulatory requirements.”
According to Hull, foundational weaknesses persist: poor asset management, weak segmentation, and inconsistent credential hygiene remain common across sectors, especially where regulatory pressure is lighter.
“Organizations can also benefit from attack surface management and continuous threat exposure testing, helping them stay ahead of adversaries by simulating real-world techniques and identifying control gaps before they’re exploited,” he says.
“Although it is appreciated that this isn’t for all organizations, some might lack the budget or are simply not large or mature enough to benefit from this type of activity.”
Ransomware’s evolution into a fragmented, scalable, and at times ideological threat has made traditional defences less effective on their own. The rise of double extortion ransomware – and in some cases, triple extortion ransomware – means organizations must prepare for operational, reputational, and regulatory fallout in parallel.
“We continue to recommend ‘getting the basics right’ and a focus on resilience not just prevention,” says Hull. The strategy includes technical controls, like identity management and exfiltration monitoring, but also organizational preparedness: from recovery plan rehearsals to staff training and supply chain reviews.
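Exfiltration monitoring is the control that most directly targets the "steal first" step of double extortion. As an added example (not from the article or from NCC Group), the script below runs a simple baseline-deviation check over constructed outbound flow records: it flags any host whose egress to external addresses in one day exceeds both a fixed floor and a multiple of its median on earlier days. The host names, addresses and byte counts are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Internal address space for this (hypothetical) network; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (day, source host, destination IP, bytes sent).
# Days 1-5 are routine traffic; on day 6 the file server "fs01" pushes ~40 GB to an
# address outside the network, the pattern that precedes a leak-site threat.
SAMPLE_FLOWS = [
    (1, "fs01", "10.0.0.5", 4_000_000), (1, "fs01", "203.0.113.10", 50_000_000),
    (2, "fs01", "203.0.113.10", 48_000_000),
    (3, "fs01", "203.0.113.10", 55_000_000),
    (4, "fs01", "203.0.113.10", 47_000_000),
    (5, "fs01", "203.0.113.10", 52_000_000),
    (6, "fs01", "10.0.0.5", 5_000_000), (6, "fs01", "198.51.100.77", 40_000_000_000),
    (1, "ws02", "203.0.113.10", 20_000_000), (2, "ws02", "203.0.113.10", 22_000_000),
    (3, "ws02", "203.0.113.10", 19_000_000), (4, "ws02", "203.0.113.10", 21_000_000),
    (5, "ws02", "203.0.113.10", 20_000_000), (6, "ws02", "203.0.113.10", 25_000_000),
]

def is_external(ip: str) -> bool:
    """True if the destination lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def daily_external_bytes(flows):
    """Aggregate bytes sent to external destinations per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals

def find_exfil_candidates(flows, window_day, factor=10.0, min_bytes=1_000_000_000):
    """Return (host, bytes_today, baseline) for hosts whose external egress on
    window_day exceeds factor x their median on earlier days and the min_bytes floor.
    The floor stops tiny spikes (or a brand-new host with no history) from alerting."""
    totals = daily_external_bytes(flows)
    alerts = []
    for host, per_day in totals.items():
        today = per_day.get(window_day, 0)
        history = [b for d, b in per_day.items() if d < window_day]
        baseline = median(history) if history else 0
        if today >= min_bytes and today > factor * max(baseline, 1):
            alerts.append((host, today, baseline))
    return alerts

if __name__ == "__main__":
    for host, today, baseline in find_exfil_candidates(SAMPLE_FLOWS, 6):
        print(f"ALERT {host}: {today:,} bytes out today vs median {baseline:,}")
```

In practice the same logic runs over NetFlow, firewall or proxy logs, and the baseline window and thresholds are tuned per host role so backup and CDN traffic does not drown the signal.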
The age of simple encryption-based ransomware is over. As double extortion becomes the norm, and as attackers continue to adapt, organizations must do the same – not just to prevent intrusions, but to contain and recover from them quickly when they occur.
Carly Page is a freelance technology journalist, editor and copywriter specialising in cyber security, B2B, and consumer technology. She has more than a decade of experience in the industry and has written for a range of publications including Forbes, IT Pro, the Metro, TechRadar, TechCrunch, TES, and WIRED, as well as offering copywriting and consultancy services.
Prior to entering the weird and wonderful world of freelance journalism, Carly served as editor of tech tabloid The INQUIRER from 2012 and 2019. She is also a graduate of the University of Lincoln, where she earned a degree in journalism.
You can check out Carly's ramblings (and her dog) on Twitter, or email her at hello@carlypagewrites.co.uk.