Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about double extortion ransomware?

Teams often treat double extortion as a backup problem when it is also a data movement and access problem. If attackers can harvest credentials, access sensitive shares, and exfiltrate data quietly, backups may stop encryption impact but not leak pressure. Detection of unusual outbound transfer is therefore as important as recovery planning.

Why This Matters for Security Teams

Double extortion changes the defender’s problem from recovery alone to breach containment plus recovery. The first failure is usually assuming that backups solve the incident if encryption is reversed. The second is missing the quieter phase where attackers enumerate data, move laterally, and stage exfiltration before the ransom note appears. Guidance from the ENISA Threat Landscape continues to emphasise that modern ransomware is tied to broader intrusion activity, not just file encryption.

That distinction matters because the business impact expands once sensitive data is copied out. Even a perfect restore does not eliminate notification duties, regulatory exposure, customer trust damage, or follow-on abuse of stolen credentials and session tokens. Security teams often over-index on backup integrity, then under-invest in identity hardening, segmentation, and egress visibility. The result is a response plan that can restore availability but cannot answer what was accessed, what was removed, or how far the attacker moved. In practice, many security teams encounter double extortion only after exfiltration has already been completed, rather than through intentional detection of suspicious data movement.

How It Works in Practice

Operationally, double extortion usually unfolds in stages. Attackers gain access through phishing, exposed remote services, stolen credentials, or third-party compromise. Once inside, they escalate privilege, discover high-value data locations, and stage archives for outbound transfer. Encryption may happen late in the intrusion or not at all, depending on whether the primary goal is disruption, theft, or both. That is why response needs to combine identity controls, network monitoring, and data classification rather than relying on one control family.

Security teams that handle this well typically focus on four linked areas:

  • Restricting privilege so stolen accounts cannot reach broad file stores, admin tools, or backup systems.
  • Watching for unusual outbound traffic patterns, including rare destinations, large compressed transfers, and off-hours movement.
  • Separating sensitive data sets so one compromised endpoint does not expose an entire business function.
  • Correlating endpoint, identity, and network events so lateral movement and staging activity are visible before encryption starts.

From a control perspective, this aligns with the CISA StopRansomware guidance on resilience and containment, but teams should also treat identity telemetry as a first-class signal. Stolen credentials and session abuse often make the difference between a noisy intrusion and a successful extortion event. Logging alone is not enough unless alerts are tuned to identify anomalous access to file shares, backup consoles, and archive tools. These controls tend to break down in flat networks with weak segmentation and broad service account access because the attacker can stage and export data without tripping a meaningful boundary.

Common Variations and Edge Cases

Tighter containment often increases operational overhead, requiring organisations to balance rapid recovery against reduced user and administrator convenience. That tradeoff becomes more visible in environments with large distributed file systems, cloud storage sprawl, or heavy third-party access.

There is no universal standard for what counts as sufficient exfiltration monitoring in every environment. Current guidance suggests the threshold should be driven by data sensitivity and abuse potential, not by a single transfer size or bandwidth rule. High-volume legitimate workflows, such as backups, analytics pipelines, and media distribution, can also resemble attacker staging activity, so false positives are common unless baselines are tuned to role and destination.

Encrypted endpoints, remote work, and hybrid identity systems add another edge case. If the same credential can reach SaaS repositories, on-prem file shares, and administrative consoles, the blast radius grows quickly. Ransomware crews increasingly exploit whatever path gives them the fastest leverage, which means teams should review whether backup accounts, service principals, and privileged sessions are truly isolated. The practical question is not only whether data can be restored, but whether the attacker can prove theft convincingly enough to increase pressure.

For broader threat context, the ENISA Threat Landscape remains useful because it frames ransomware as part of a wider intrusion lifecycle rather than a standalone malware event.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM-1 Double extortion depends on hidden exfiltration that monitoring must detect.
MITRE ATT&CK T1020 Attackers often use exfiltration techniques before encryption to increase leverage.

Monitor outbound data movement and alert on anomalous transfer patterns before ransom pressure escalates.