From Locker to Double Extortion: A Modern Ransomware Review

Published on 15 December 2025 at 13:43

For nearly a decade, the advice regarding ransomware was simple, consistent, and mostly effective: keep robust, offline backups. If a cybercriminal encrypted your files, you could simply wipe the infected systems, restore from your backups, and carry on with business as usual. It was a nuisance, certainly, but not necessarily a catastrophe.

That golden rule of relying solely on backups is now dangerously outdated. The threat landscape has shifted dramatically, evolving from simple automated scripts to sophisticated, human-operated campaigns that threaten the very existence of an organization.

To understand the severity of the current threat, we must look at how we got here. This modern ransomware review explores the evolution from basic "locker" malware to the high-stakes game of double extortion, and what this means for your organization’s defense strategy.

The Early Days: The "Spray and Pray" Era

In the early 2010s, ransomware was a volume game. Cybercriminals operated on a "spray and pray" model, sending out millions of phishing emails containing malicious links or attachments. The most notorious example, CryptoLocker, emerged in 2013.

These early variants were relatively unsophisticated. They would infect a single machine, encrypt documents and images, and demand a modest payment (often a few hundred dollars in Bitcoin) for the decryption key. They were opportunistic, targeting individuals and small businesses indiscriminately.

The primary leverage was availability. The attackers denied you access to your own data. If you didn't have a backup, you paid. If you did have a backup, you ignored the ransom note, reimaged the machine, and recovered your files. For a long time, this was the status quo highlighted in many ransomware review analyses. Defending against it was a matter of basic hygiene: antivirus software and regular backups.

The Pivot to Big Game Hunting

Around 2016 and 2017, cybercriminal groups realized that targeting individual users was inefficient. Why extort a grandmother for $300 when you could extort a multinational corporation for $3 million? This realization birthed "Big Game Hunting."

Attackers stopped casting wide nets and started spear-phishing specific employees at high-revenue organizations. Once inside a network, they wouldn't deploy the ransomware immediately. Instead, they would dwell within the system for weeks or months—moving laterally, escalating privileges, and compromising domain controllers.

The goal was to encrypt not just one laptop, but the entire network, including servers and, critically, online backups. By crippling the entire infrastructure, they forced organizations to pay massive sums just to become operational again.

The Game Changer: Double Extortion

Despite the rise of Big Game Hunting, organizations got better at defending themselves. They invested in better disaster recovery solutions and offline (immutable) backups that hackers couldn't reach. The criminals needed a new lever to force payment.

In late 2019, the Maze ransomware group introduced a tactic that fundamentally changed the industry: double extortion.

In a double extortion attack, the threat actors do not just encrypt data; they exfiltrate it first. Before triggering the encryption routine that locks the system, they quietly upload terabytes of sensitive company data—financial records, customer PII (Personally Identifiable Information), intellectual property, and internal emails—to their own servers.

When the ransom note arrives, it contains two threats:

  1. Pay us to get your files back (Decryption).
  2. Pay us or we will publish your sensitive data online (Data Leak).

This rendered the "just restore from backup" strategy obsolete. Even if an organization could restore their systems perfectly in 24 hours, the threat of a data breach remained. The reputational damage, regulatory fines (like GDPR or CCPA), and potential lawsuits from a data leak often outweighed the cost of the ransom.

Ransomware-as-a-Service (RaaS)

Parallel to the technical evolution of double extortion was the business evolution of Ransomware-as-a-Service (RaaS). This model mirrors the legitimate SaaS (Software-as-a-Service) industry.

In the RaaS ecosystem, there are two main players:

  • Operators (Developers): They write the malicious code, maintain the payment portals, and host the data leak sites.
  • Affiliates: They are the ones who actually hack into the victim's network.

Affiliates rent the ransomware from the operators. When a victim pays, the money is split, with the affiliate usually keeping 70-80% and the operator taking the rest. This lowered the barrier to entry significantly. A hacker no longer needs to know how to write complex encryption software; they just need to know how to buy stolen credentials or phish an employee.

Triple Extortion and Harassment

As if double extortion wasn't enough, the tactics continue to escalate. We are now seeing "triple extortion" campaigns. This involves the standard encryption and data theft, plus a third layer of pressure: Distributed Denial of Service (DDoS) attacks.

If the victim refuses to negotiate, the attackers launch a DDoS attack against the company's public-facing website, taking them offline and adding further chaos to the crisis response.

Furthermore, some gangs have resorted to harassing stakeholders directly. There have been documented cases where attackers emailed a company's customers to tell them their data was stolen, or even called employees on their personal cell phones to pressure the IT department into paying.

Conducting a Cyber Security Review

Given this aggressive landscape, relying on old defense mechanisms is a recipe for disaster. It is imperative to conduct a comprehensive cyber security review to ensure your defenses match the modern threat.

A modern review should look beyond basic antivirus and firewalls. It requires a holistic approach to network architecture and data governance.

1. Implement Zero Trust Architecture

Stop trusting traffic just because it is inside your perimeter. Double extortion relies on lateral movement—hackers jumping from one server to another. Network segmentation and strict access controls limit how far an attacker can move if they breach a single workstation.

2. Prioritize Data Exfiltration Monitoring

Many security tools focus on stopping things from getting in. You need tools that notice when large amounts of data are going out. Data Loss Prevention (DLP) solutions and network traffic analysis can alert you if a server suddenly starts uploading gigabytes of data to an unknown IP address.

3. Patch Management is Non-Negotiable

Vulnerabilities in VPNs and remote desktop protocols (RDP) remain the most common entry points for ransomware gangs. A routine cyber security review must audit your patch management process. Are you patching critical vulnerabilities within 24-48 hours? If not, the window of opportunity for attackers is too wide.

4. Immutable Backups

While backups don't stop the data leak threat, they are still essential for business continuity. Ensure you have immutable backups—data copies that cannot be altered or deleted, even by an administrator. This ensures that even if hackers get full dominance over your network, they cannot wipe your recovery points.

5. Multi-Factor Authentication (MFA)

MFA should be everywhere. Not just on email, but on VPNs, RDP access, and internal admin portals. Ransomware affiliates often buy stolen passwords on the dark web. MFA renders those stolen passwords useless.

Protecting Your Organization in the New Era

The era of the simple locker virus is long gone. We are currently in a high-stakes environment where cybercriminals run organized, professional enterprises dedicated to squeezing every possible dollar out of their victims. The shift to double extortion means that a ransomware attack is no longer just an IT operational issue; it is a full-scale data breach and a public relations crisis.

Organizations must adapt by shifting their mindset. Prevention is ideal, but detection is mandatory. You must be able to detect the intruder during the "dwell time"—those days or weeks they spend in your network stealing data before they trigger the encryption.

By conducting a regular, honest cyber security review and acknowledging the reality of modern ransomware, you can build a defense strategy that is resilient enough to withstand the threats of today, and flexible enough to adapt to whatever the attackers invent tomorrow.

Add comment

Comments

There are no comments yet.