Threatonomics

How ransomware groups are changing the game with double extortion

by Emma McGowan, Senior Writer

Attackers are now demanding one ransom for decryption and another to not release sensitive data

Double extortion has become the industry standard. According to our recent analysis of Resilience cyber insurance claims, ransomware attacks now routinely involve two distinct ransom demands: one for the decryption key to unlock encrypted systems, and another to prevent stolen data from being published on leak sites or sold to competitors.

This shift represents more than just criminal innovation—it’s a calculated response to improved organizational defenses. As more companies invested in robust backup systems and business continuity planning, threat actors found themselves with encrypted files that victims could simply restore. Their solution? Steal the data first, then encrypt it.

The financial impact has been staggering. According to Resilience data, in the first half of 2025, ransomware accounted for 76% of incurred cyber insurance losses, with the average ransomware claim reaching $1.18 million. When you factor in business interruption from vendors experiencing ransomware, that number jumps to 91% of all incurred losses.

Why paying for data suppression is a losing strategy

Here’s the uncomfortable truth that every executive needs to hear: paying ransomers to “suppress” your stolen data offers zero guarantee of data destruction and provides no mitigation when it comes to regulatory investigations, customer notifications, or subsequent lawsuits.

Consider what happens when you pay for data suppression. You’ve just taught criminals that your organization is willing to pay, making you a prime target for repeat attacks. You’ve depleted insurance limits that could have funded actual recovery efforts. And, most critically, you have no way to verify that the data was actually deleted: Cybercriminals aren’t exactly known for their integrity.

The real cost of double extortion

The shift to double extortion has created a perfect storm of pressure on victim organizations. Business leaders face immediate operational disruption while simultaneously worrying about reputational damage, regulatory penalties, and competitive disadvantage from leaked intellectual property.

In multiple recent cases, threat actors have even located copies of victims’ cyber insurance policies and used that information to calibrate their ransom demands. In one instance documented in the Resilience portfolio, the attacker directly referenced the client’s policy, saying they had placed their extortion demand strategically below the policy limit—essentially treating the insurance coverage as a pricing guide.

Building resilience instead of paying criminals

Organizations that successfully navigate double extortion attacks without paying share several key characteristics:

  • They encrypt sensitive data by default. If stolen data is already encrypted, its value to attackers plummets dramatically. This isn’t just about compliance; it’s about making the threat of releasing your data worthless to criminals.
  • They have clear breach protocols with pre-approved disclosure frameworks. When a breach occurs, these organizations don’t waste time debating whether to notify regulators or customers. They’ve already mapped out their legal obligations and communication strategies.
  • They implement intelligence-led defenses. Rather than depending on ransom demands to understand what was stolen, mature organizations can independently track their data through dark web monitoring and threat intelligence platforms.
  • They educate leadership on the true cost of suppression payments. Executives must recognize that paying for data suppression offers only the illusion of protection while potentially increasing long-term exposure and perpetuating cybercrime.

The insurance industry’s evolving role

Cyber insurers are beginning to evolve beyond simply covering ransom payments. Forward-thinking carriers are actively incentivizing security hardening, promoting intelligence sharing between clients, and providing robust post-breach support services that strengthen overall organizational resilience.

Some insurers have started implementing stricter requirements around backup validation and incident response planning before binding coverage. Others are offering premium discounts for organizations that demonstrate mature security practices. The message is clear: the industry is moving away from simply paying ransoms and toward preventing attacks in the first place.

What this means for your organization

The era of simple ransomware is over. Today’s attacks are multi-stage operations designed to extract maximum value from victims through psychological pressure, operational disruption, and the threat of permanent reputational damage.

The question is no longer whether you’ll face a double extortion attack—it’s whether you’ll be prepared to respond without funding criminal enterprises. Organizations that invest in comprehensive resilience—encrypted data, validated backups, tested incident response plans, and educated leadership—will find themselves in a far stronger position when attackers come calling.
