Ransomware has haunted the digital landscape for more than a decade, but its evolution in recent years has been nothing short of dramatic. What began as a blunt instrument—encrypting files and demanding payment for their release—has transformed into a sophisticated, multi-pronged threat. In 2025, the rise of double extortion has redefined the ransomware playbook, combining data encryption with the threat of public exposure to maximise leverage over victims.
This article examines the anatomy of modern double extortion attacks, the impact on New Zealand businesses and beyond, and the strategies required to defend against a threat that is as much about reputation as it is about data.
The Mechanics of Double Extortion
The Classic Ransomware Model
Traditional ransomware attacks followed a predictable pattern: malware would infiltrate a network, encrypt critical files, and display a ransom note demanding payment—usually in cryptocurrency—in exchange for the decryption key. For years, this model proved lucrative, but as backup strategies improved and law enforcement stepped up, attackers adapted.
Enter Double Extortion
Double extortion adds a new twist. Before encrypting files, attackers exfiltrate sensitive data—customer records, intellectual property, financial documents. The ransom demand now comes with a threat: pay up, or your data will be leaked, sold, or used to embarrass your organisation. This approach increases the pressure on victims, even those with robust backup and recovery plans.
The Triple Threat
Some groups have gone further, adding a third layer: direct contact with customers, partners, or regulators to escalate the pressure. The message is clear—no one is immune, and the stakes are higher than ever.
Anatomy of a Double Extortion Attack
Step 1: Initial Access
Attackers gain entry through phishing, vulnerable remote access services, or compromised supply chain partners. Once inside, they move laterally, escalating privileges and mapping the network.
Step 2: Data Exfiltration
Before launching ransomware, attackers identify and extract valuable data. This may include personal information, business secrets, or regulatory-sensitive records. Data is staged and transferred to attacker-controlled servers, often in small, encrypted chunks to avoid detection.
Step 3: Encryption and Ransom Demand
With data in hand, attackers deploy ransomware across the network, encrypting files and systems. Victims receive a ransom note detailing the amount demanded, payment instructions, and a sample of the stolen data as proof.
Step 4: Negotiation and Threat Escalation
If the victim hesitates, attackers may publish a portion of the data on leak sites or contact stakeholders directly. Negotiations can be aggressive, with deadlines and escalating threats designed to force payment.
Case Study: A Local Government Under Siege
In early 2025, a New Zealand city council became the target of a double extortion attack. Attackers entered the network via a compromised remote desktop service, exfiltrated sensitive ratepayer information, and deployed ransomware that crippled council operations. When initial ransom demands were ignored, the attackers published a sample of personal data online and threatened to contact local media.
The council faced a dilemma: pay the ransom and risk funding further crime, or refuse and face public outrage, regulatory scrutiny, and potential lawsuits. Ultimately, the incident led to weeks of disruption, a full forensic investigation, and a costly overhaul of security processes.
The Business and Human Impact
Beyond IT: Reputational and Regulatory Fallout
The consequences of double extortion extend far beyond encrypted files. Data leaks can trigger privacy breach notifications, regulatory fines, and loss of customer trust. For sectors such as healthcare, education, and government, the impact can be particularly severe—affecting vulnerable populations and critical services.
The Psychological Toll
Double extortion attacks are designed to create maximum stress and uncertainty. Staff may face threats, customers may receive direct communications from attackers, and leadership teams are forced to make decisions under intense pressure and scrutiny.
Defending Against Double Extortion
Prevention: The First Line of Defence
- Patch and Harden: Regularly update and harden all internet-facing systems, especially remote access and VPN services.
- Network Segmentation: Limit lateral movement by segmenting networks and restricting privileged access.
- User Awareness: Train staff to recognise phishing and social engineering tactics, the most common entry points for attackers.
- Supply Chain Security: Assess and monitor the security posture of third-party vendors and partners.
Detection and Response
- Monitor for Exfiltration: Deploy tools to detect unusual data transfers or large outbound traffic.
- Incident Response Planning: Develop and rehearse response plans that account for both ransomware and data breach scenarios.
- Forensic Readiness: Ensure logs are centralised, protected, and retained to support investigations.
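As an added illustration of the "Monitor for Exfiltration" control (example code written for this article, not from any vendor product): a naive per-flow size threshold misses the small chunks described in Step 2, while summing outbound bytes per source/destination pair over a sliding window surfaces the same transfer. The flow records, host names and RFC 5737 addresses are constructed for the demonstration.

```python
"""Low-and-slow exfiltration detection over outbound flow logs (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed 'timestamp,src_host,dst_ip,bytes_out' lines, not from a real network.
    ws-17 pushes 60 chunks of ~45 KB to one external address over an hour (each chunk
    far below a per-flow alarm); ws-03 makes two ordinary uploads to a different host."""
    base = datetime(2025, 3, 4, 2, 0)
    lines = []
    for i in range(60):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()},ws-17,203.0.113.50,{45_000 + (i % 7) * 100}")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()},ws-03,198.51.100.9,300000")
    lines.append(f"{(base + timedelta(minutes=40)).isoformat()},ws-03,198.51.100.9,250000")
    return lines


def parse_flows(lines):
    """Return flows as (timestamp, src, dst, bytes) tuples sorted by time."""
    flows = []
    for line in lines:
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(flows)


def per_flow_alerts(flows, threshold=1_000_000):
    """Naive rule: alert only when a single flow exceeds the threshold."""
    return [(src, dst, n) for _, src, dst, n in flows if n > threshold]


def sliding_window_alerts(flows, window=timedelta(hours=1), threshold=2_000_000):
    """Sum bytes per (src, dst) pair within a sliding window and alert once the
    aggregate crosses the threshold, even though every individual flow is small.
    Returns {(src, dst): (total_bytes_at_alert, flows_in_window)}."""
    buckets = defaultdict(list)  # (src, dst) -> [(timestamp, bytes), ...]
    alerts = {}
    for ts, src, dst, n in flows:
        q = buckets[(src, dst)]
        q.append((ts, n))
        while q and ts - q[0][0] > window:  # expire entries older than the window
            q.pop(0)
        total = sum(b for _, b in q)
        if total > threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = (total, len(q))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(build_sample_log())
    print("per-flow alerts:", per_flow_alerts(flows))      # prints []
    print("windowed alerts:", sliding_window_alerts(flows))  # flags ws-17 -> 203.0.113.50
```

Real deployments would feed NetFlow/IPFIX, proxy or EDR network events into the same aggregation and tune the window and threshold per host role.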
Recovery and Resilience
- Immutable Backups: Maintain offline, tamper-proof backups and test recovery procedures regularly.
- Legal and PR Preparedness: Prepare statements and notification templates for regulators, customers, and the public.
- Post-Incident Review: Conduct thorough reviews after any incident to identify gaps and improve defences.
To Pay or Not to Pay?
The question of whether to pay a ransom remains contentious. Law enforcement agencies generally advise against it, as payment does not guarantee data recovery or prevent future attacks. However, the reality for many organisations is complex, balancing business continuity, legal obligations, and the risk to stakeholders. Each incident demands a considered, case-by-case response.
The Road Ahead: Building Organisational Resilience
Double extortion is a symptom of a broader trend: cybercriminals are becoming more strategic, more businesslike, and more ruthless. The most effective defence is a holistic approach—combining technical controls, user education, robust incident response, and executive engagement.
Organisations must treat ransomware not just as an IT problem, but as a board-level risk. Resilience is built through preparation, investment, and a culture that prioritises security at every level.
Next in the Series: The upcoming article will investigate the vulnerabilities of operational technology (OT) networks, exploring how attackers are targeting critical infrastructure and what can be done to protect the systems that keep our society running.
This article is part of the ongoing “Cyber Chronicles” series, providing in-depth analysis of the vulnerabilities shaping the security landscape in 2025.