
Double extortion 🔴 Attack

Double extortion is a technique used in ransomware attacks, where cybercriminals combine two forms of blackmail to put pressure on the victim:

  1. Data encryption: As in a classic ransomware attack, the victim's files are encrypted, making it impossible to access them without a decryption key, which the attackers promise to provide in exchange for a ransom.
  2. Theft and threat of disclosure: Before or during encryption, attackers can exfiltrate (steal) sensitive data. They then threaten to publish it on the Internet (or sell it) if the victim does not pay the ransom, even if the victim can restore the data from backups.

 


🎯 Objective of double extortion

 

Increase psychological pressure on the victim and increase the chances of payment, especially if the data concerned is confidential, legal, commercial or personal.

  • Maximise pressure on the victim to obtain payment
  • Increase the chances of financial success of the attack
  • Exploit companies' sensitivity to confidentiality (reputation, trade secrets, GDPR...)

👉 Examples

Known cybercrime groups:

  • Maze: the first ransomware to use this strategy (2019).
  • REvil: exfiltrated and published data from a legal consultancy firm.
  • Conti: published internal documents from companies that refused to pay.

 

For example, a hospital that is the victim of an attack may be faced with the loss of access to its systems (first extortion) and the threat of having its patients' medical records exposed online (second extortion).

 


📈 Recent developments

Double extortion has evolved into more complex forms, such as triple extortion, where attackers add distributed denial-of-service (DDoS) attacks to increase the pressure on victims. Groups such as BlackCat have adopted these methods to maximise the impact of their attacks.

  • Emergence of triple extortion (data leak + encryption + DDoS).
  • Collaboration between cybercriminal groups to increase pressure.
  • Increasing use of 'leak' sites on the dark web.


📊 Recent figures for France and worldwide

  • In 2024, almost 80% of ransomware used double extortion.

  • The average cost of a double extortion incident reaches 6.75 million euros.

  • In France, ANSSI reports a 50% increase in cases compared with 2023.
