Extortionware involves stealing sensitive data from an organization and threatening to leak it. It’s become a core tactic in the modern ransomware playbook, and if your business holds valuable or confidential information, it’s a threat you can’t afford to ignore.
Today, we’re taking a closer look at what extortionware is, how it works, and why it’s become one of the most difficult cyber threats to defend against.
Extortionware is a type of cyberattack where attackers steal sensitive data, then threaten to publicly release it unless ransom demands are met. This data could include intellectual property, customer information, medical records — the kind of information companies (and their customers) don’t want leaked.
It differs from a classic ransomware attack, where files are encrypted and a ransom is demanded for the decryption key. Increasingly, though, attackers combine the two tactics to gain more leverage: they encrypt the data and also threaten to leak it, a process called double extortion.
(Related reading: today’s ransomware and extortionware trends.)
Extortionware attacks typically follow a familiar blueprint. While the specifics can vary depending on the target and the attacker’s goals, most incidents play out in four main stages.
Ransom demands are typically made in cryptocurrency, which is harder to trace than conventional payments and keeps the attacker at arm's length from the victim, and the demand can stretch into the millions.
Extortionware attacks are stealthier than traditional ransomware, which is part of what makes them such a serious threat. Rather than disrupting operations (which tends to be noticed immediately), the attacker quietly exfiltrates data and then weaponizes the threat of a public leak, a risk many organizations find far harder to recover from.
With ransomware, there’s at least some opportunity to salvage the situation. An organization might be able to:
With extortionware, that second chance doesn’t exist. Once sensitive data is exfiltrated, there’s no way to get it back. No defense system can recover what’s already been stolen. The attacker’s leverage can’t be undone, and paying the ransom doesn’t always resolve the problem either. Attackers still possess the data, which means they can leak it anyway or return with additional demands.
The consequences of a leak can be serious, especially if the stolen data includes personally identifiable or regulated information. If this information gets out, it can trigger significant legal and financial penalties under frameworks like GDPR and HIPAA.
And that’s before you factor in long-term reputational harm. With extortionware, paying isn't about getting your data back at all; it's about trying to prevent a leak and the permanent damage that follows.
Once a breach takes place, the organization is at the mercy of the attacker — and that’s what makes extortionware attacks so dangerous.
Extortionware can potentially impact anyone. The following three high-profile cases show how everyday individuals, celebrities, and even global corporations can become victims.
In April 2020, Fortune 500 IT services giant Cognizant was hit by a cyberattack carried out by the Maze ransomware group. It was one of the first widely publicized examples of double extortion. Maze exfiltrated sensitive employee and client information, including names, Social Security numbers, passport data, and financial account details.
Although Cognizant never confirmed whether it paid the ransom, the attack caused significant disruption and was estimated to cost between $50 million and $70 million in recovery and lost business.
In another high-profile 2020 attack, the REvil ransomware group breached Grubman Shire Meiselas & Sacks (GSMS), a prestigious New York law firm representing many household names, stealing 756GB of sensitive legal and personal data. To pressure the firm, REvil leaked documents related to Lady Gaga.
REvil demanded a $21 million ransom, later doubling to $42 million, which GSMS refused to pay following advice from the FBI. In response, REvil attempted to auction off the stolen data one celebrity at a time.
Between 2018 and 2020, Vastaamo, a private psychotherapy provider in Finland, suffered a devastating data breach. An attacker known as ransom_man accessed sensitive data from over 22,000 patients, including therapy session notes, contact information, and national ID numbers. When the company refused to pay the initial cryptocurrency ransom, the attacker shifted tactics — emailing patients directly and demanding €200, rising to €500 after 24 hours.
The psychological impact was severe, prompting widespread public outcry and leading the Finnish government to provide mental health support for affected individuals. In 2024, the attacker was sentenced to over six years in prison.
According to Statista, only half of ransomware victims paid the ransom in 2018. By 2023, increasingly fueled by extortion tactics, that figure had climbed to over 70%. This shift shows that attackers are waking up to the power of psychological pressure: when your organization’s reputation is on the line, ransom demands are difficult to ignore.
In the past, it was a numbers game: send out generic spam in high volumes and hope for the best. Today’s approach is far more calculated, focusing on identifying prime targets with access to valuable systems or sensitive data. Using sophisticated tools, many powered by AI, attackers conduct detailed reconnaissance to find the weak spots. Then they craft highly personalized phishing emails, often impersonating internal teams or familiar vendors, to gain initial access.
At the same time, Ransomware-as-a-Service (RaaS) platforms have lowered the barrier to entry for would-be cybercriminals. These services offer prebuilt malware, technical support, and even customer service, enabling non-technical affiliates to launch relatively advanced campaigns.
Combined with strategic targeting, this increasingly professional approach makes extortionware attacks more effective, more personal, and significantly harder to defend against.
Extortionware is a growing threat that preys on fear and the reputational damage that comes from letting customers and employees down by losing sensitive information. If you hold valuable data, you’re a potential target — no matter your size or industry.
With a stronger understanding of how extortionware works, you can start strengthening your defenses and improving your readiness for an attack. Because remember: once your data is out there, there’s no getting it back.
See an error or have a suggestion? Please let us know by emailing splunkblogs@cisco.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.