LOGBOOK

HELP

Quiz Entry - updated: 2026.05.28

Why does a modern ransomware crew exfiltrate data before encrypting it?

Because the stolen copy is the second extortion lever — it still works even if the victim restores from backup.

The sequence is deliberate: exfiltrate first, encrypt second. Exfiltration (copying data out to an exfil server) sets up double extortion — the threat to leak the data. If they encrypted first and the victim simply restored backups, the attacker would have no leverage left. By stealing the data beforehand, they keep a hold over the victim regardless of backups.

Detection angle: large outbound data transfers to unfamiliar destinations are a red flag — egress monitoring / DLP can catch the exfiltration stage, which happens before any visible damage.

Tip: Order of operations tells you the attacker's business model: theft-then-encryption = they plan to extort you twice (pay to decrypt and pay to prevent the leak).

From Quiz: ISF / Foundations, Key Terms & Ransomware | Updated: May 28, 2026