Ransomware reloaded

Extortion tactics, 2025-07-28

By Elin Gadegaard Gjørup | 883 words | Read time: 5 minutes

The evolution of ransomware extortion tactics.

What began as a straightforward shakedown has evolved into a high-pressure playbook of data leaks, public threats and operational sabotage. Here’s how the tactics have changed – and why it matters more than ever.

Cybercriminals continue to exploit organizations through malicious ransomware attacks. Initially, attackers focused on encrypting critical files and demanding a ransom for the decryption key. As organizations have improved their data backup strategies, criminals have evolved their tactics to keep pressuring targets into paying the ransom.

In this blog post, we delve into the evolution of ransomware extortion tactics. We will explore how these tactics have changed over time, from file encryption to sophisticated multi-pronged attacks that include data exfiltration, public shaming, and threats of Distributed Denial of Service (DDoS) attacks.

Early ransomware 

The first ransomware attack occurred in 1989, when 20,000 floppy disks were mailed to attendees of a WHO AIDS conference. The disks contained the AIDS Trojan. Once activated, the ransomware encrypted files and displayed a ransom note demanding payment to a PO box in Panama for file access to be restored[1].

Many ransomware variations have emerged since then. However, ransomware operators have consistently relied on encryption as their method of extortion. 

Attackers would infiltrate a victim’s system, identify critical files and encrypt them, rendering them inaccessible. 

The victim would then receive a ransom demand, usually for payment in cryptocurrency, in exchange for the decryption key that would unlock their files[2].

This tactic proved highly effective for several reasons. Many organizations lacked comprehensive backup and recovery strategies, leaving them with few options other than paying the ransom to regain access to their data[4]. 

Additionally, the rise of cryptocurrencies provided attackers with a relatively anonymous and untraceable payment method[3].

The success of this encryption-based extortion model and the emergence of cryptocurrencies led to a surge in ransomware attacks, with cybercriminals reaping significant financial gains. 

As a result, ransomware quickly evolved into a major cybersecurity threat, impacting organizations of all sizes and across various industries[4].

Double extortion tactics

Over the last few years, organizations have become more aware of the dangers of ransomware and have implemented better backup solutions and practices.

According to Palo Alto’s 2025 Global Incident Report, 47% of ransomware victims in 2024 were able to restore their files, compared to only 11% in 2022.

The improvement of data backup practices has diminished the effectiveness of encryption-only extortion tactics, as more organizations are able to recover faster and restore their backups without paying the ransom[2].

Despite this, ransomware groups persist and have adopted a “double extortion” tactic. This tactic involves not only encrypting data but also exfiltrating it. 

The groups then threaten to publish or sell the stolen data if the ransom is not paid. Ransomware groups often operate dedicated leak sites where they release or sell the stolen data, sometimes auctioning it to the highest bidder. 

They also use their leak sites to publicly shame and harass victims and to advertise the stolen data[2]. Some ransomware groups have also opted out of using encryption, focusing only on data exfiltration and theft[4].

The threat of public exposure of sensitive data can be particularly damaging for organizations that handle personal or confidential information. The double extortion tactic increases the pressure on victims, as even with backups, they are faced with reputational and financial losses – including loss of customer trust, regulatory fines, and perhaps legal action.

What’s the newest add-on to extortion tactics?

Although many ransomware groups continue to use double extortion tactics, some groups are now employing a third tactic to further pressure victims into paying. More recently, a new extortion element has appeared: deliberately disrupting the victim’s business operations[4].

Attackers are not just encrypting data or stealing it, but using other methods such as actively sabotaging systems and causing prolonged downtime for businesses, their partners, and customers[2]. 

Cybersecurity experts have also observed ransomware groups threatening distributed denial-of-service (DDoS) attacks to disrupt website availability, thereby putting additional pressure on victims.

Other adversaries are expanding their targets by directly contacting and extorting third-party organizations, employees, and even customers associated with the primary victim[5]. 

This multi-pronged approach significantly amplifies the impact of their malicious activities, creating a wider sphere of disruption and reputational damage. 

In conclusion, the continuous evolution of ransomware extortion tactics underscores a critical reality: Cybercriminals are agile adversaries who consistently adapt to overcome security measures. 

This escalation beyond mere encryption to encompass data exfiltration and other coercive methods amplifies the stakes for organizations, transforming ransomware from a data recovery challenge into a multifaceted threat with significant financial and reputational ramifications. 

The proactive question then becomes paramount for every organization: Does your organization have an incident response plan prepared if attacked by cybercriminals?

Make sure your organization is prepared to respond under pressure and your incident response plan reflects today’s ransomware reality – not yesterday’s threats. If you need a second opinion or expert input, we’re here to help. Reach out to start the conversation.

Sources

[1] Kostka, C. (2022). The First Ransomware Attack: Lessons Learned from History. https://ransomware.org/blog/the-first-ransomware-attack-lessons-learned-from-history/
[2] Palo Alto Unit 42. (2025). Global Incident Report 2025.
[3] National Cyber Security Centre. (2023). Ransomware, extortion and the cyber crime ecosystem. https://www.ncsc.gov.uk/whitepaper/ransomware-extortion-and-the-cyber-crime-ecosystem#section_5
[4] BlackBerry. (2025). Global Threat Intelligence Report.
[5] Palo Alto Networks. What is Multi-Extortion Ransomware? https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware