This shift is also reflected in recent incidents such as the attack on Odido, where customer data was stolen and misused. This aligns with broader trends in which data itself has become the most important leverage.
What is double extortion ransomware exactly?
Double extortion ransomware combines two attack techniques: encrypting systems and stealing data. Victims are then pressured to pay double: for recovery and to prevent the publication of data.
This approach has now become the standard. In the Verizon Data Breach Investigations Report 2025, ransomware is explicitly linked to broader forms of digital extortion, where data theft also plays a central role.
Why backups are no longer enough
For years, backups were the primary defense strategy. But in a double extortion scenario, they only solve part of the problem.
According to analyses from the Verizon DBIR 2025, ransomware is present in a large portion of data breaches, and data exfiltration plays an increasingly significant role.
Moreover, the report shows that ransomware and extortion attacks now constitute the majority of serious incidents.
This concretely means:
- Data has already been stolen before recovery starts
- Organizations face reporting obligations (GDPR)
- Reputational damage persists
- Publication via leak sites remains a risk
How ransomware attacks have evolved
The rise of double extortion is linked to the professionalization of cybercrime.
More focus on data theft
According to analyses from Palo Alto Unit 42, attackers increasingly and explicitly target the theft and misuse of data as leverage.
Ransomware as an industry
Yes, the as-a-Service model also works in cybercrime. Ransomware has evolved into a scalable model, where groups operate as service providers with tooling and infrastructure.
More and faster attacks
The DBIR shows that ransomware is now present in almost half of data breaches, underscoring the scale and frequency.
Impact on IT infrastructure and security strategy
Due to this evolution, the role of IT security is fundamentally changing.
From prevention to detection and response
Organizations must assume that attackers will get in and focus on rapid detection and damage limitation.
Data at the center of security
The focus is shifting from systems to data:
- Where is sensitive data located?
- Who has access?
- What happens to that data?
Identity as a weak point
Stolen credentials remain one of the main access points, as also shown by DBIR data.

What should organizations do concretely?
The approach to double extortion ransomware requires more than just technical measures. It revolves around a coherent strategy in which data, detection, and response are central.
Protect data as the primary target
In modern ransomware attacks, data is the most important target. Therefore, organizations must first gain insight into where sensitive information is located and how it is used. Data classification helps to set priorities: not all data is equally critical, but customer data, financial information, and intellectual property require maximum protection.
Encryption plays an important role in this, both in storage and during transport. Equally important is monitoring data flows. By detecting anomalous behavior – such as large amounts of data leaving the network – early, organizations can intervene before exfiltration has fully occurred.
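An added example (not from the original article): a minimal version of the egress-volume monitoring described above, run over constructed flow records. It compares each host's hourly outbound bytes to external destinations against that host's own earlier hours, using median and median absolute deviation so one large transfer does not distort the baseline. The internal address ranges, thresholds and sample addresses are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal ranges; replace with the organization's own address plan.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def hourly_egress(flows):
    """Sum bytes sent to external destinations per host and hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, nbytes in flows:
        if is_external(dst):
            totals[src][hour] += nbytes
    return totals

def egress_alerts(flows, k=6.0, floor=500_000_000, min_history=5):
    """Return (host, hour, bytes) where egress exceeds median + k*MAD of the
    host's earlier hours and also an absolute floor (assumed 500 MB)."""
    alerts = []
    for host, by_hour in hourly_egress(flows).items():
        hours = sorted(by_hour)
        for i, hour in enumerate(hours):
            history = [by_hour[h] for h in hours[:i]]
            if len(history) < min_history:
                continue  # not enough baseline for this host yet
            med = median(history)
            mad = median(abs(v - med) for v in history) or 1
            if by_hour[hour] > max(floor, med + k * mad):
                alerts.append((host, hour, by_hour[hour]))
    return alerts

# Constructed sample flows: (hour, src_ip, dst_ip, bytes_out)
SAMPLE = [(h, "10.0.5.20", "198.51.100.7", 40_000_000 + 3_000_000 * h)
          for h in range(8)]                                      # normal traffic
SAMPLE += [(h, "10.0.5.31", "10.0.9.9", 20_000_000_000)
           for h in range(9)]                                     # internal backup job
SAMPLE += [(8, "10.0.5.20", "203.0.113.50", 12_000_000_000)]      # bulk external upload

if __name__ == "__main__":
    for host, hour, nbytes in egress_alerts(SAMPLE):
        print(f"ALERT host={host} hour={hour} external_bytes={nbytes}")
```

The large internal backup transfer is ignored because only traffic leaving the assumed internal ranges is counted; in practice the same logic would be fed from firewall, proxy or NetFlow records.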
Invest in detection and visibility
Prevention alone is no longer sufficient. Organizations must assume that attackers will eventually get in. The question is not if, but when.
Therefore, it is essential to invest in solutions that quickly detect suspicious activities. Think of EDR and XDR platforms that continuously monitor endpoints and networks, and SIEM solutions that centrally analyze logs and events. The faster anomalies are recognized, the smaller the chance that an attack can expand or data can be stolen.
Make backups resilient against attackers
Backups remain a crucial part of the defense, but must be better protected than before. Attackers are increasingly targeting backup systems to make recovery impossible.
Immutable backups – which cannot be altered or deleted – provide a solution here. By storing backups offline or separated from the primary network (air-gapped), the chance that they are compromised during an attack is reduced. This keeps recovery possible, even in the worst-case scenario.
Organize incident response professionally
A quick and structured response largely determines the impact of an attack. Yet many organizations still lack a well-developed incident response plan.
Such a plan must clearly outline:
- who is responsible
- what steps are taken
- how communication occurs internally and externally
Regular exercises are essential. Only by testing scenarios can it be made clear where weaknesses lie and how teams function under pressure.
Limit lateral movement within the network
Many ransomware attacks escalate because attackers can move freely through the network. By implementing network segmentation and applying Zero Trust principles, that freedom of movement can be significantly restricted.
In practice, this means:
- granting access only based on necessity (least privilege)
- strict separation between systems and environments
- extra verification for sensitive actions
This often keeps an attack limited to a small part of the infrastructure, rather than taking down the entire network.
Ransomware is a data problem
Double extortion ransomware shows that cyber attacks are no longer just about systems, but about data as a strategic target.
The attack on Odido is a concrete example of this: even without complete system failure, the impact can be enormous when data is stolen.
The conclusion is clear: backups are necessary, but absolutely no longer sufficient.