What is a "double extortion" ransomware attack?
Attackers both encrypt your data AND steal a copy — then threaten to leak it if you don't pay, even if you can restore from backup.
Classic ransomware only encrypts (attacks availability). Double extortion adds a second lever:
- Exfiltrate a copy of the data before encrypting (attacks confidentiality)
- Encrypt the victim's files (attacks availability)
- Demand payment for the decryption key and to not publish the stolen data
Why it defeats "just restore from backup": even with perfect backups, you can recover availability — but the leak threat remains. The stolen copy is already gone. This is why backups, while essential, are no longer a complete answer.
Real families: Conti, LockBit, and others pioneered the leak-site model — a Conti ransom note, for example, both demands payment for decryption and threatens to publish the downloaded files.
Tip: Double extortion is precisely why encryption at rest + data minimisation still matter even if your backups are flawless — they limit the damage of the exfiltration half.