What Is Double Extortion Ransomware? A Complete Explanation

Jan 13, 2026 | Reading time 11 minutes
Author: Deboshree, Backend Engineer

Ransomware sits at or near the top of just about every cybersecurity threat list. It continues to plague businesses worldwide, shows no sign of slowing down, and devastates even organizations that seem well prepared.

Ransomware gangs keep evolving their tactics to squeeze more profit out of each victim, most notably through "double extortion."

What is the ransomware "business model," how does double extortion fit into it, and how can companies protect modern cloud SaaS data from these newer threats?

The ransomware business evolution

Let's key in on the business model ransomware gangs use to extract millions of dollars from major organizations. When ransomware first appeared, it was a single-PC, single-user threat: it locked up a victim's files and demanded a ransom payment to restore access.

Today ransomware is a multi-billion-dollar industry: a high-profit, low-cost attack that succeeds alarmingly often. Building on those early successes, attackers have shifted their sights to far more lucrative enterprise targets, a change in tactics that has paid off handsomely for them.

Sophisticated ransomware attacks are rarely the work of a "lone wolf." Modern attacks are carried out by groups whose members play different roles in the overall operation: initial reconnaissance, supplying the credentials used to infiltrate the victim, exfiltrating data, and deploying the encryptor.

The success and sophistication of today's ransomware have led to Ransomware-as-a-Service (RaaS). With RaaS, even non-technical, amateur criminals can carry out a successful attack against a business using tooling built and rented out by established ransomware gangs.


What is double extortion ransomware?

Double extortion ransomware is a cyberattack strategy where criminals both encrypt a victim’s data AND steal it before encryption, threatening to publicly leak the stolen information if the ransom isn’t paid.

Ransomware gangs are continually evolving the business model to make more money from each attack. Previously, the playbook was straightforward: lock up the data, demand payment, hand over a decryption key.

However, there has been a shift in how these operations work.

Rather than only locking up a victim organization's data and demanding a ransom for regaining access to business-critical files, attackers now also exfiltrate sensitive data BEFORE encrypting it. This serves two purposes:

  • It removes the victim's ability to simply walk away from negotiations, even when it has good backups of its data
  • It enables "double extortion": pay to decrypt AND pay to prevent publication

As stated in our earlier post, How cyberattacks are changing according to Microsoft Digital Defense Report:

This shift is alarming because the old reactive stance—remove the threat, restore from backup, move on—no longer works. Even a perfect recovery leaves you facing the catastrophic damage of sensitive data leaked to the public internet. 

That’s exactly what attackers are counting on. With these consequences looming, victims often conclude that paying the ransom is the cheaper option, even when they have backups ready to go.

Why does this work? Because leaked data triggers the same regulatory and legal consequences as any data breach. According to IBM’s Cost of a Data Breach Report 2025, the global average cost of a data breach dropped to $4.44 million—the first decline in five years, thanks largely to AI-powered defenses speeding up containment. 

But don’t celebrate yet: in the United States, breach costs hit a record $10.22 million per incident, driven by stricter regulatory penalties and escalating detection costs. When you add potential GDPR fines, HIPAA penalties, and the near-inevitable class-action lawsuits, the financial exposure becomes staggering.

Understanding How Double Extortion Works

Double extortion attacks follow a predictable pattern, even if the execution varies by gang:

Phase 1: Getting In

Attackers gain initial access through phishing emails, exploited vulnerabilities (especially in VPNs and remote access tools), stolen credentials purchased from initial access brokers, or compromised third-party vendors. This often happens weeks or months before anyone notices anything going wrong.

Phase 2: Living Off the Land

Once inside, attackers don’t immediately deploy ransomware. They move quietly, mapping the network, escalating privileges, identifying where the valuable data lives, and locating backup systems they’ll need to disable later. Security teams call this “dwell time,” and it can last anywhere from days to months.

Phase 3: Data Theft

Before encrypting a single file, attackers exfiltrate sensitive data. They target customer databases, financial records, HR files, contracts, and intellectual property: anything that would hurt if published. Some groups steal terabytes of data, uploading it to their own servers over days or weeks.

Phase 4: Encryption

Only after the data is safely in their hands do attackers trigger the ransomware payload. They typically time this for maximum disruption, such as Friday nights, holiday weekends, or major business events.

Phase 5: The Shakedown

Victims receive ransom demands with a dual threat: pay to get the decryption key AND pay to prevent data publication. Many gangs operate “leak sites” on the dark web where they post stolen data from victims who refuse to pay, or sometimes, even those who do pay!

The entire process is designed to leave victims with no good options. Even organizations with solid backups and incident response face an ugly choice: pay up, or watch sensitive data go public.


Who Is Susceptible to Double Extortion Ransomware Attacks

The short answer would be EVERYONE! But some organizations make more attractive targets than others:

Data-Rich Industries

These industries top the list. Healthcare organizations hold patient records protected by HIPAA. If those are leaked, you're facing regulatory fines plus lawsuits from every affected patient.

Law firms sit on confidential client information that could destroy cases, careers or reputations. Financial services companies have customer account data that’s both valuable to criminals and heavily regulated! If your business handles sensitive data that people trust you to protect, you’re a prime target.

Organizations with Deep Pockets

They attract plenty of attention. Attackers do their homework and research revenue, cyber insurance policies and calculate what a victim can realistically pay. A well-funded company facing a data leak scandal will often pay a seven-figure ransom rather than suffer eight figures in breach costs and reputation damages.

Small and Mid-Sized Businesses

They aren’t safe either. They often have weaker security than enterprises but still hold valuable customer data. Many lack dedicated security staff, proper backup strategies, or incident response plans, thus making them easy targets. Ransomware gangs increasingly target SMBs because they’re more likely to pay quickly and quietly.

Critical Infrastructure and Public Sector

These organizations face unique pressure. Hospitals can’t afford downtime when lives are at stake. Schools hold student data protected by FERPA. Municipalities running essential services face public outrage if they can’t function. Attackers know the pain point of these victims and understand that they often can’t afford to say no.

Examples of Double Extortion Ransomware Attacks

Double extortion isn’t theoretical; it’s happening constantly. Here are some notable cases that show how these attacks play out in the real world:

  1. Change Healthcare (2024)

In February 2024, the ALPHV/BlackCat gang hit Change Healthcare, a payment processor handling a large chunk of all US healthcare claims. 

The attack crippled pharmacies, delayed patient care, and disrupted billing across the country for weeks. UnitedHealth, Change's parent company, reportedly paid a $22 million ransom.

But here’s the double extortion twist: after ALPHV took the money and vanished, a second group (possibly disgruntled ALPHV affiliates) emerged claiming they still had the stolen data and demanded another payment. It was a brutal lesson that paying doesn’t guarantee anything.

  2. MOVEit / Cl0p (2023)

The Cl0p ransomware gang exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a widely used managed file transfer tool, and stole data from hundreds of organizations without deploying any encryption at all.

Pure extortion without a ransomware payload. Victims included the BBC, British Airways, Shell, and numerous US government agencies. Cl0p posted stolen data on its leak site for organizations that refused to pay.

  3. Medusa (2021–present)

Still active in 2025, Medusa has hit over 300 victims across healthcare, education, law, and manufacturing. The group operates a leak site with countdown timers: pay before time runs out, or your data goes public. It even offers victims the option to pay extra just to delay the leak. This is gamified extortion.

  4. Los Angeles Unified School District / Vice Society (2022)

Vice Society stole and leaked 500GB of sensitive data from LAUSD, the second-largest school district in the US. The data included student psychological assessments, Social Security numbers, and disciplinary records. When the district refused to pay, Vice Society dumped it all online, which affected many students and staff.

How to Prevent and Respond to Double Extortion Ransomware Attacks

Preventing double extortion requires a different mindset than traditional ransomware defense. Backups alone won't save you; you need to stop attackers before they steal your data, so prevention is definitely better than cure. The three steps below follow the approach Microsoft recommends for protecting against ransomware and extortion: prepare a recovery plan, limit the scope of damage, and make it harder to get in.

  1. Prepare a recovery plan

Organizations must realize it is not “if” but “when” a ransomware attack will happen. Every business is a potential ransomware victim. 

Therefore, companies must deploy effective ransomware protection and prepare a recovery plan. It includes making it more difficult for attackers to access and disrupt business-critical systems. By doing this, it helps to reduce the monetary incentive for attackers.

Ransomware protection and recovery plans should include cloud SaaS environments, which increasingly house a large portion of business-critical data and services. 

Implement Data Loss Prevention (DLP) to monitor for unusual data transfers such as large uploads, access from unexpected locations, and bulk downloads outside business hours. Catching exfiltration in progress is your last chance to limit damage, because the leverage for the second extortion exists the moment the data leaves your environment.
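The kind of monitoring that paragraph describes, written out as an added example (this is not SpinOne's or Spin.AI's code). It assumes a generic JSON-lines audit log with user, action, ts, country, bytes and file fields, business hours of 08:00 to 18:59 in the log's time zone, and the thresholds declared at the top; the sample events are constructed.

```python
"""Exfiltration heuristics over a SaaS audit log (added example, not SpinOne code).

Flags the three signals named in the text: large uploads, access from
unexpected locations, and bulk downloads outside business hours.
The log schema, thresholds and sample events are assumptions for illustration.
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed thresholds; tune to the tenant's observed baseline.
BULK_DOWNLOAD_THRESHOLD = 50            # downloads per user per clock hour
LARGE_UPLOAD_BYTES = 500 * 1024 ** 2    # 500 MiB in a single upload
BUSINESS_HOURS = range(8, 19)           # 08:00-18:59 in the log's time zone (UTC here)
EXPECTED_COUNTRIES = {"US", "DE"}       # where this tenant's users normally sign in


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def _event(user, action, ts, country, size, name):
    """Build one constructed audit record in the assumed JSON-lines schema."""
    return json.dumps({"user": user, "action": action, "ts": ts,
                       "country": country, "bytes": size, "file": name})


# Constructed sample log: alice pulls 60 files at 02:xx, bob reads payroll
# from an unexpected country, carol pushes a 2 GiB archive, dave is benign.
SAMPLE_LOG = "\n".join(
    [_event("alice@example.com", "download", f"2026-01-10T02:{m:02d}:00Z",
            "US", 2048, f"contract-{m}.pdf") for m in range(60)]
    + [_event("bob@example.com", "download", "2026-01-10T14:05:00Z", "RU", 4096, "payroll.xlsx"),
       _event("carol@example.com", "upload", "2026-01-10T10:30:00Z", "US", 2 * 1024 ** 3, "archive.7z"),
       _event("dave@example.com", "download", "2026-01-10T11:00:00Z", "DE", 1024, "notes.txt")]
)


def parse_log(text):
    """Parse JSON lines into dicts with ts as an aware datetime; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        raw["ts"] = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
        events.append(raw)
    return events


def detect(events):
    """Apply the three heuristics. Per-event rules fire inline; the
    bulk-download rule first aggregates per user and clock hour."""
    findings = []
    off_hours_downloads = Counter()
    for ev in events:
        if ev["country"] not in EXPECTED_COUNTRIES:
            findings.append(Finding(ev["user"], "unexpected_location",
                                    f"{ev['action']} of {ev['file']} from {ev['country']}"))
        if ev["action"] == "upload" and ev["bytes"] >= LARGE_UPLOAD_BYTES:
            findings.append(Finding(ev["user"], "large_upload",
                                    f"{ev['file']} ({ev['bytes'] // 1024 ** 2} MiB)"))
        if ev["action"] == "download" and ev["ts"].hour not in BUSINESS_HOURS:
            window = ev["ts"].replace(minute=0, second=0, microsecond=0)
            off_hours_downloads[(ev["user"], window)] += 1
    for (user, window), count in off_hours_downloads.items():
        if count >= BULK_DOWNLOAD_THRESHOLD:
            findings.append(Finding(user, "bulk_download_off_hours",
                                    f"{count} downloads in the hour from {window.isoformat()}"))
    return findings


def run_sample():
    """Run the detector over the constructed log and return its findings."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:<24} {f.user:<20} {f.detail}")
```

Against the constructed log this yields three findings (alice's off-hours bulk download, bob's access from an unexpected country, carol's large upload) and nothing for dave. In production the baseline should be per user rather than a global constant, and a finding should trigger an automated response such as session revocation rather than only a dashboard alert.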

  2. Limit the scope of damage

By using cybersecurity best practices, organizations can limit the scope of damage resulting from ransomware extortion attacks. It includes establishing least-privilege access and zero-trust principles. 

Using least-privilege principles and micro-segmentation in the network makes it harder for attackers to freely travel “east-west” across a compromised network to find valuable data.

Encrypting sensitive data at rest also helps, with an important caveat. If attackers exfiltrate files they cannot decrypt, their leverage for the second extortion disappears. But at-rest encryption only delivers that when the keys are out of the attacker's reach: an intruder operating with a compromised user's session or a stolen service account reads the same plaintext the legitimate user does, so storage-level encryption by the cloud provider does nothing against that path. Data that stays useless after exfiltration is data encrypted at the application or client level, with keys held outside the reach of the compromised identity.

  3. Make it harder to get in

Organizations need good cybersecurity hygiene such as multi-factor authentication (MFA) to prevent unauthorized access to business-critical systems, including cloud SaaS. MFA raises the bar: a stolen password alone is no longer enough to log in. Prefer phishing-resistant factors such as FIDO2 security keys or passkeys where possible, since SMS codes and push approvals can be phished or fatigued.

Other things such as vulnerability scanning, regular security patching, and remediating environment configurations according to desired state help bolster an organization’s cybersecurity posture.

We’ve discussed ways to prevent ransomware attacks or at least protect and plan against it. But it is also important to understand the best ways to respond to such attacks:

Isolate and contain immediately

Disconnect affected systems from the network to stop lateral movement and ongoing exfiltration, and disable compromised accounts. In cloud SaaS that means revoking active sessions and OAuth tokens as well, since a password change alone does not end a live session.

Avoid rebooting infected machines: some ransomware does additional damage on restart, and powering off discards the contents of memory. Where possible, hibernate rather than shut down so that memory is written to disk and preserved as forensic evidence.

Assess what was stolen

Before making any decisions, understand what data was accessed and exfiltrated. You should review logs, check DLP alerts, and identify which systems attackers touched. 

This determines your regulatory notification obligations (GDPR, HIPAA, state breach laws) and your actual risk exposure. Not all data leaks are equally damaging, so scope the exposure before you negotiate.

Engage experts and authorities

Notify law enforcement: in the US the FBI or CISA, elsewhere your national cybersecurity agency. They may have intelligence on your attackers, known decryption keys, or ongoing investigations that could help.

Reporting also helps track ransomware trends and may assist future victims. It might also be advisable to bring in incident response specialists if you don’t have them in-house. 

Evaluate your options carefully

As the Change Healthcare case showed, paying one ransom doesn’t guarantee attackers will delete stolen data, or that another group won’t appear demanding more ransom. 

Thus don’t assume paying solves everything. Weigh the cost of the ransom against the realistic damage of a data leak, and involve legal counsel in the decision process. 

Recover and restore

Always restore systems from verified, clean backups, and scan restored data before reconnecting it to the network. Change all credentials, including service-account secrets and API tokens, on the assumption that attackers harvested them during their time inside the environment.
For cloud SaaS environments, tools like SpinOne can restore data in minutes rather than weeks, drastically reducing downtime for applications.

Conduct a post-incident review

Conduct a thorough post-mortem of the incident. Start by determining how the attackers got in and close that path. Update your incident response plan based on what worked and what didn't, and use the crisis to secure budget for security improvements.

Proactive Ransomware Protection for cloud SaaS

Times have changed for businesses that rely on traditional, reactive cybersecurity to deal with ransomware. The results can be catastrophic when an organization's only plan is to restore data after the fact. The double extortion tactic means businesses must proactively protect their data and stop ransomware before malicious processes exfiltrate it. Backups alone are not enough, though a sound backup strategy and efficient tooling remain essential.


SpinOne provides proactive cybersecurity and data protection capabilities to organizations whose data is housed in cloud SaaS environments, such as Google Workspace™ Ransomware Protection and Office 365 Ransomware Protection.

SpinOne leverages next-generation artificial intelligence (AI) and machine learning (ML) to stop ransomware and automatically remediate the damage it causes.

How SpinOne Protects Against Ransomware:

  1. Scans for signs of ransomware in the cloud SaaS environment
  2. Automatically blocks the malicious ransomware process at the network level
  3. Scans for files affected by the ransomware process
  4. Automatically restores files affected by the ransomware
  5. Automatically alerts administrators

Organizations can configure granular ransomware protection policies to control SpinOne's cybersecurity automation in the cloud SaaS environment. Protecting SaaS data in cloud services like Google Workspace™, Microsoft 365, and Salesforce is your responsibility. Stay safe and schedule a demo here.


Deboshree is a backend software engineer with a love for all things reading and writing. She finds distributed systems extremely fascinating and thus her love for technology never ceases.
