The ransomware playbook has changed. Encryption is no longer the main pain point; stolen data is. Criminal groups are monetizing breaches twice: first by locking systems, then by threatening to publish or sell confidential information. That pressure campaign works because the business fallout is harsher than downtime alone. It hits regulatory exposure, litigation risk, and public trust all at once.
The economics support the pivot. Ransomware revenues rebounded sharply, with criminal wallets receiving more than one billion dollars in 2023, reversing a dip in 2022. Mass extortion linked to a single software supply chain event, such as the MOVEit file transfer exploitation, pulled in victims across sectors and countries, often without any encryption at all. More than two thousand organizations and tens of millions of individuals were reportedly impacted. Data theft has become the default tactic rather than a niche add-on.
Why Data Theft Became the Center of Gravity
Ransomware groups are running a business. Data exfiltration improves their unit economics in three ways:
Larger leverage. Sensitive records trigger mandatory disclosure, regulatory scrutiny, and stronger stakeholder pressure. That urgency often shortens negotiation cycles.
Multiple revenue streams. Stolen data can be sold, resold, or used to re-extort former victims months later. Some groups contact the same organization again, threatening to publish data they previously promised to delete.
Lower operational risk for attackers. Exfiltration can be quieter than mass encryption. It blends into routine traffic, especially when routed through cloud services and content delivery networks.
The result is a steady rise in “double extortion” cases. Several incident response firms reported that the share of ransomware incidents involving data theft exceeded three-quarters of cases in 2023. The leak-site ecosystem has matured as well, with dedicated portals, mirrored domains, and social accounts used to maximize public pressure.
The SLTT Exposure: Healthcare and K‑12 Under Strain
State, local, tribal, and territorial entities face unique constraints: essential public services, thin staffing, and complex vendor chains. Attackers understand this calculus and price ransoms accordingly.
Public healthcare. Hospitals and clinics run on urgent workflows and legacy systems. Phishing remains a reliable entry point, and remote access often expands the attack surface. When protected health information is exposed, the fallout compounds: breach notifications, potential HIPAA penalties, and class-action litigation. Healthcare remained one of the most targeted sectors for extortion in 2023 and 2024.
K‑12 school districts. Flat networks and aging infrastructure make lateral movement easy. Districts also hold a wide mix of sensitive data: student records, disciplinary history, financial aid, and payroll. During remote and hybrid learning, exposure increased further due to unmanaged devices and rushed deployments. Education continued to rank among the top sectors hit by ransomware in recent reporting, although there was a decrease in 2025.
A notable development is re-extortion. Some groups return to victims who have already paid and demand a second payment to avoid releasing, or re-releasing, the same dataset. In rare cases, they leak it anyway. The lesson is straightforward: payment does not guarantee resolution. The only durable mitigation is reducing data exposure, improving egress visibility, and cutting the attacker’s ability to return.
How Double Extortion Works in Practice
The typical sequence follows a familiar arc:
Initial access via phishing, stolen credentials, vulnerable edge services, or a third-party compromise.
Privilege escalation and lateral movement with living-off-the-land tools that look like administrative activity.
Quiet staging and exfiltration of file shares, email, collaboration data, and database exports, often through cloud sync or encrypted tunnels that resemble normal traffic.
Optional encryption to maximize pain; not always used in large-scale supply chain extortion.
Public pressure through leak-site “previews,” social channels, and outreach to employees, customers, or media.
The public shaming layer is not an afterthought. It is the product. Groups time announcements to coincide with earnings calls, local board meetings, or major public events to raise leverage.
Exfiltration Tradecraft: What Defenders Must Expect
Expect adversaries to combine several techniques to stay below the radar. Mapping to MITRE ATT&CK helps translate tradecraft into controls that matter.
Automated Exfiltration. Attackers script data duplication and transfer to streamline collection. Counter with strong authentication, encrypted network traffic, and monitoring for unusual automated egress.
Data Transfer Size Limits. Splitting data into fixed-size chunks keeps each transfer below the volume thresholds that would otherwise trigger an alert. Use anomaly detection that flags persistent, low-volume exfiltration rather than just spikes.
Exfiltration Over Alternative Protocols. Adversaries pivot away from the obvious ports. Limit allowed outbound protocols, filter untrusted wireless segments, and scrutinize unusual tunneling.
Exfiltration Over C2 Channels. Content hides in normal command-and-control flows. Use decryption at proxies where feasible and inspect for protocol misuse.
Exfiltration Over Other Network Media. Bluetooth and cellular links can bypass controls. Apply endpoint policies that restrict wireless interfaces and removable media.
Exfiltration Over Physical Media. USB remains a last-mile option. Enforce application allow-listing and restrict driver and plugin installation.
Exfiltration Over Web Services. Popular cloud tools can mask theft. Apply egress policies, restrict access to risky destinations, and use CASB or equivalent visibility into sanctioned services.
Scheduled Transfer. Timed jobs blend into routine traffic. Detect patterns that align with off-hours or unusual cron-like behavior from non-admin hosts.
Transfer to Cloud Accounts. Cross-tenant moves are harder to spot with legacy tools. Apply identity-aware egress controls, endpoint and gateway DLP, and tight access control lists for sensitive repositories.
Ransomware Families and Public Leak Tactics
Multiple groups operate leak sites or public channels that advertise fresh victims. Families historically associated with data leaks include Avaddon, Clop, Conti, Darkside, DoppelPaymer, Egregor, Everest, LockBit, Maze, Mespinoza, MountLocker, Nefilim, Netwalker, Pay2Key, RagnarLocker, RansomEXX, REvil, and SunCrypt. Activity by specific brands fluctuates as affiliates rebrand, infrastructure is seized, or new partnerships form.
Recommendations That Actually Move the Needle
There is no single control that defeats double extortion. A realistic program focuses on data, identity, and egress, then layers detection and recovery.
Backups and Recovery
Perform offline, immutable backups and regularly test restores. Measure recovery time and recovery point objectives under tabletop pressure, not just in a lab.
Incident Response and Communications
Maintain a cyber incident response plan and a parallel communications plan that covers counsel, law enforcement contacts, regulators, and third-party processors. Exercise both plans with leadership present.
Data Ownership and Access Control
Map where sensitive records live, who uses them, and why. Classify high-value data, encrypt it at rest and in transit, and enforce least privilege. Treat shared mailboxes and collaboration drives as sensitive repositories.
Network Segmentation and Egress Governance
Segment critical services from general user traffic. Limit outbound protocols to approved destinations. Use DNS-layer controls, application-aware firewalls, and cloud security policies to reduce blind spots.
Defend Common Entry Points
Phishing and social engineering: combine secure email gateways with behavioral training and DMARC. Reinforce with reporting workflows that make escalation easy for users.
Edge exposure: scan externally, patch quickly, and restrict or harden remote desktop access. Shrink the public attack surface with zero-trust network access for administrators.
Vendor risk: assess managed service providers for access pathways, logging maturity, and incident-history transparency. Contract for basic security obligations.
Detection and Telemetry
Keep endpoint protection up to date and pair it with endpoint detection and response to improve visibility into lateral movement and credential theft.
Deploy network intrusion detection or prevention at boundaries. For SLTTs, consider community-supported options such as Albert IDS, where available.
Baseline normal traffic over time and alert on anomalous egress volumes, destinations, and schedules. Use data loss prevention selectively where it creates a real signal.
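The egress checks described in the exfiltration tradecraft section (chunked transfers under the per-flow threshold, cron-like scheduled transfers, traffic to unsanctioned destinations) and the baseline-and-alert advice above can be expressed as a small amount of detection logic over flow summaries. The following is an added example, not code from the original article or from any vendor product; the flow records, the addresses (documentation ranges), the sanctioned-destination allowlist, the thresholds and the business-hours window are all constructed for illustration and would need to be replaced with an organization's own baseline.

```python
"""Egress anomaly checks over constructed flow-summary records.

Three detectors, one per exfiltration pattern discussed in the article:
  - chunked transfers: many same-sized flows, each under the per-flow
    alert line, large in total (ATT&CK Data Transfer Size Limits),
  - scheduled transfers: near-constant gaps between flows, mostly
    outside business hours (ATT&CK Scheduled Transfer),
  - destinations outside a sanctioned allowlist (egress governance).
Every record, address and threshold below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow log: one outbound connection summary per line.
# 10.1.4.22 sends six identical 1 MiB chunks every 10 minutes at night
# to an address outside the allowlist; the other two hosts are benign.
SAMPLE_FLOWS = """\
ts=2024-03-12T01:00:00Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes_out=1048576
ts=2024-03-12T01:10:00Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes_out=1048576
ts=2024-03-12T01:20:00Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes_out=1048576
ts=2024-03-12T01:30:00Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes_out=1048576
ts=2024-03-12T01:40:00Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes_out=1048576
ts=2024-03-12T01:50:00Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes_out=1048576
ts=2024-03-12T09:05:00Z src=10.1.7.8 dst=198.51.100.10 dport=443 bytes_out=52000
ts=2024-03-12T09:40:00Z src=10.1.7.8 dst=198.51.100.10 dport=443 bytes_out=8000
ts=2024-03-12T09:00:00Z src=10.1.2.5 dst=198.51.100.20 dport=443 bytes_out=4000000
ts=2024-03-12T10:00:00Z src=10.1.2.5 dst=198.51.100.20 dport=443 bytes_out=3500000
ts=2024-03-12T11:00:00Z src=10.1.2.5 dst=198.51.100.20 dport=443 bytes_out=4200000
ts=2024-03-12T12:00:00Z src=10.1.2.5 dst=198.51.100.20 dport=443 bytes_out=3900000
ts=2024-03-12T13:00:00Z src=10.1.2.5 dst=198.51.100.20 dport=443 bytes_out=4100000
"""

SANCTIONED_NETS = [ip_network("198.51.100.0/24")]  # constructed allowlist
PER_FLOW_THRESHOLD = 5 * 1024 * 1024  # the "big transfer" line attackers stay under
TOTAL_THRESHOLD = 5 * 1024 * 1024     # what the chunks add up to
CHUNK_MIN_FLOWS = 5
SCHEDULE_MIN_FLOWS = 4
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59; timestamps assumed UTC


def parse_flows(text):
    """Parse key=value flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ")
        flows.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "src": kv["src"], "dst": kv["dst"],
            "dport": int(kv["dport"]), "bytes_out": int(kv["bytes_out"]),
        })
    return flows


def group_by_pair(flows):
    """Group flows by (src, dst), each group sorted by time."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f["src"], f["dst"])].append(f)
    for group in pairs.values():
        group.sort(key=lambda f: f["ts"])
    return pairs


def detect_unsanctioned_destinations(flows):
    """Any (src, dst) pair whose destination is outside the allowlist."""
    hits = set()
    for f in flows:
        if not any(ip_address(f["dst"]) in net for net in SANCTIONED_NETS):
            hits.add((f["src"], f["dst"]))
    return sorted(hits)


def detect_chunked_transfers(flows):
    """Many same-sized flows, each under the per-flow line, large in total."""
    hits = []
    for (src, dst), group in group_by_pair(flows).items():
        sizes = [f["bytes_out"] for f in group]
        if len(sizes) < CHUNK_MIN_FLOWS or max(sizes) >= PER_FLOW_THRESHOLD:
            continue
        if mean(sizes) == 0:
            continue
        spread = pstdev(sizes) / mean(sizes)  # coefficient of variation
        if spread < 0.05 and sum(sizes) >= TOTAL_THRESHOLD:
            hits.append((src, dst, len(sizes), sum(sizes)))
    return hits


def detect_scheduled_offhours(flows):
    """Near-constant inter-flow gaps with most flows outside business hours."""
    hits = []
    for (src, dst), group in group_by_pair(flows).items():
        if len(group) < SCHEDULE_MIN_FLOWS:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(group, group[1:])]
        regular = pstdev(gaps) <= 0.1 * mean(gaps)
        off_hours = sum(f["ts"].hour not in BUSINESS_HOURS for f in group) / len(group)
        if regular and off_hours >= 0.8:
            hits.append((src, dst, round(mean(gaps)), len(group)))
    return hits


def run_all(text):
    """Run every detector over a flow log and return findings by name."""
    flows = parse_flows(text)
    return {
        "unsanctioned": detect_unsanctioned_destinations(flows),
        "chunked": detect_chunked_transfers(flows),
        "scheduled": detect_scheduled_offhours(flows),
    }


if __name__ == "__main__":
    for name, findings in run_all(SAMPLE_FLOWS).items():
        print(f"{name}: {findings}")
```

Only 10.1.4.22 trips all three detectors; the hourly host 10.1.2.5 is regular but runs in business hours to a sanctioned destination with varied sizes, so it is left alone. In practice the thresholds come from a baseline of each host's own history rather than fixed constants, and a pair that trips two or more detectors at once is the signal worth paging on.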
KPIs That Matter to Executives
Do not drown in vanity metrics. Focus on indicators that predict or prevent data loss.
Mean time to detect and contain suspicious egress, measured in hours.
Percentage of high-value data stores with least-privilege enforcement and strong encryption.
Successful restore tests for critical systems, measured quarterly, with documented recovery times.
Percentage of endpoints and servers covered by EDR with logging retained for at least 90 days.
Accuracy of the third-party access inventory, and a count of privileged access paths that declines over time.
Regulatory and Legal Considerations
Data theft triggers obligations that encryption alone might not. Education and healthcare face distinct requirements for breach notification and record retention. Insurance carriers increasingly ask for evidence of segmentation, incident response testing, and privileged access management before underwriting. Several carriers have narrowed coverage or raised premiums for entities that cannot demonstrate controls.
What To Watch Next
Attackers are professionalizing victim outreach, sometimes contacting employees, patients, or parents directly to apply pressure. More groups are skipping encryption entirely and moving to pure data extortion. Expect broader use of cloud collaboration channels for staging and exfiltration, misuse of legitimate code-signing to bypass controls, and faster rebranding cycles to obfuscate attribution. The law enforcement takedown action against LockBit illustrates another trend: brand disruption does not eliminate the affiliate economy; it fragments it.
Conclusion
Extortion thrives where data sprawl, weak identity, and ungoverned egress intersect. The response must be practical and measurable. Start with data ownership, close the outbound doors, and drill recovery until it is boring. The goal is not tool coverage; it is reducing the blast radius when a credential is phished or a vendor is compromised.
The strategy works because it reshapes incentives. When attackers cannot quietly stage and exfiltrate sensitive information, public shaming loses power. When backups restore reliably, encryption loses power. The organization still faces risk, but it becomes a containable incident rather than a public crisis.
Ransomware will keep evolving. Defenders must expect faster intrusions, noisier leak sites, and more pressure on public institutions. Progress is possible, but it requires uncomfortable choices: fewer standing privileges, stricter data access, and disciplined egress controls. The organizations that make those moves will still get targeted. They will also have far less to lose.