Concept · 7 min read

How double-extortion ransomware actually works

The mechanics behind the exfiltrate-then-encrypt playbook that now drives 90% of public ransomware disclosures, and why paying the ransom no longer guarantees the data is gone.

For most of ransomware's history, the deal was simple: an operator encrypted your files, you paid the ransom, you got the decryption key. Backups defeated the racket. By 2020, enough enterprises had working backups that paying was no longer the cheapest way out: they restored from snapshots and ate the downtime.

Operators adapted. The model that emerged, and now dominates the leaks indexed on our groups page, is double extortion: the data is exfiltrated first, and only then encrypted. Pay, or we publish your files on a Tor leak site, send them to your competitors, hand them to your regulators.

~90% of ransomware operators tracked on Darkfield run a public leak site as part of their extortion stack
Source: /groups · 470 operators indexed

The five phases of a double-extortion intrusion

Every disclosure we add to the corpus is the trailing edge of a process that follows the same shape. The phase labels here are a simplification of the Lockheed Martin Cyber Kill Chain; the MITRE technique IDs link to ATT&CK so you can drill into the sub-techniques operators actually use.

  1. Initial access (via broker, phish, or exposed service) · T1078 Valid Accounts

     Most operators don't run this phase themselves. Initial Access Brokers (IABs) auction footholds on Russian-language forums for $200–$5,000 depending on the org's revenue band and access depth.

  2. Discovery and credential access · T1087 Account Discovery

     BloodHound mapping of Active Directory, ADFind for OU enumeration, LaZagne for stored credentials. Days to weeks.

  3. Lateral movement to high-value hosts · T1021 Remote Services

     Cobalt Strike beacons, PsExec, RDP via stolen creds. Focus is on file servers, backup infrastructure, and finance / legal mailboxes.

  4. Staging and exfiltration · T1567 Exfiltration Over Web Service

     Data compressed with 7-Zip or WinRAR (often password-protected), then exfiltrated over Mega, rclone to S3, or directly to an attacker-controlled VPS. Volumes range from 50 GB to 20 TB.

  5. Encryption (and the leak post) · T1486 Data Encrypted for Impact

     Encryption is almost an afterthought now. The lever is the leak post: a Tor page claiming the victim, with a countdown, sample files, and a contact channel.

Generalised double-extortion intrusion · MITRE techniques link to ATT&CK

What a real leak post looks like in code

The HTML of a typical qilin / akira / play leak page is intentionally minimal: these operators assume visitors to their Tor site are running Tor Browser with JavaScript disabled or aggressive content blocking, so the page has to work as plain markup. The structure repeats: victim name, country, sector, sample-file list, countdown, operator contact.

<article class="leak">
  <h1>Fab-Masters Inc.</h1>
  <ul class="meta">
    <li>industry: Custom Metal Fabrication</li>
    <li>country: US</li>
    <li>revenue: $5–10M</li>
    <li>listed: 2026-05-14</li>
  </ul>
  <section class="proof">
    <a href="/samples/internal-financials.pdf">internal-financials.pdf · 4.2 MB</a>
    <a href="/samples/employees.csv">employees.csv · 312 KB</a>
  </section>
  <p class="contact">Contact: qilin_support@... · Tox: 7C35408411AEEBD5...</p>
  <p class="timer">Publication in: 96h : 12m</p>
</article>
Stripped sample of a Qilin leak post (formatting normalised)
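Because the layout repeats, a crawler can turn each post into a structured record with a few lines of event-driven parsing. The following is an added example, not Darkfield's crawler code: it feeds the stripped Qilin sample above (contact fields left redacted, as on the page) through Python's standard-library HTML parser and pulls out the victim, the metadata list, the sample files with their sizes, the contact string and the countdown. The output field names and the size-unit table are this example's own assumptions.

```python
"""Parse the stripped leak post above into a structured record.

Added example, not Darkfield's crawler. SAMPLE_POST is the page's own
Qilin sample (contact fields redacted as on the page); the output field
names and the size-unit table are this example's own assumptions.
"""
import re
from html.parser import HTMLParser

SAMPLE_POST = """<article class="leak">
  <h1>Fab-Masters Inc.</h1>
  <ul class="meta">
    <li>industry: Custom Metal Fabrication</li>
    <li>country: US</li>
    <li>revenue: $5–10M</li>
    <li>listed: 2026-05-14</li>
  </ul>
  <section class="proof">
    <a href="/samples/internal-financials.pdf">internal-financials.pdf · 4.2 MB</a>
    <a href="/samples/employees.csv">employees.csv · 312 KB</a>
  </section>
  <p class="contact">Contact: qilin_support@... · Tox: 7C35408411AEEBD5...</p>
  <p class="timer">Publication in: 96h : 12m</p>
</article>"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}


def size_to_bytes(text):
    """'4.2 MB' -> 4404019. Returns None if the size string is not parseable."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMGT]?B)\s*", text, re.I)
    return int(float(m.group(1)) * UNITS[m.group(2).upper()]) if m else None


class LeakPostParser(HTMLParser):
    """Event-driven parser for the minimal leak-post layout: one h1, a ul.meta of
    'key: value' items, a section.proof of sample links, p.contact and p.timer."""

    def __init__(self):
        super().__init__()
        self.record = {"victim": None, "meta": {}, "samples": [],
                       "contact": None, "countdown_minutes": None}
        self._open = []     # stack of (tag, class) for the elements currently open
        self._text = []     # text fragments of the innermost open element
        self._href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._open.append((tag, a.get("class", "")))
        self._text = []
        if tag == "a":
            self._href = a.get("href")

    def handle_data(self, data):
        self._text.append(data)

    def handle_endtag(self, tag):
        if not self._open:
            return
        _, cls = self._open.pop()
        parent_cls = self._open[-1][1] if self._open else ""
        text = " ".join("".join(self._text).split())   # collapse whitespace
        self._text = []
        rec = self.record
        if tag == "h1":
            rec["victim"] = text
        elif tag == "li" and parent_cls == "meta":
            key, _, value = text.partition(":")
            rec["meta"][key.strip()] = value.strip()
        elif tag == "a" and parent_cls == "proof":
            name, _, size = text.partition("·")
            rec["samples"].append({"name": name.strip(), "size": size.strip(),
                                   "bytes": size_to_bytes(size), "href": self._href})
        elif tag == "p" and cls == "contact":
            rec["contact"] = text.partition(":")[2].strip()
        elif tag == "p" and cls == "timer":
            m = re.search(r"(\d+)h\s*:\s*(\d+)m", text)
            if m:
                rec["countdown_minutes"] = int(m.group(1)) * 60 + int(m.group(2))


def parse_leak_post(html):
    p = LeakPostParser()
    p.feed(html)
    p.close()
    return p.record


if __name__ == "__main__":
    import json
    print(json.dumps(parse_leak_post(SAMPLE_POST), indent=2, ensure_ascii=False))
```

The parser keys on element class names rather than position, so a post that adds or reorders metadata items still parses; what it deliberately does not do is fetch the sample links, since proof files on these sites are the stolen data itself.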

Why paying no longer ends it

The encryption-only model had a clean exit: pay, decrypt, recover. Double extortion broke that. Even if you pay and receive a working decryptor, the data still exists on the operator's storage. The promise to delete it is exactly that — a promise from an actor who runs an extortion business.

~50% of paid victims later re-listed under a successor brand (industry IR data)

0% of operators have had a deletion claim publicly audited

72h median time from leak post to mass-republication on aggregator sites

Encryption-only vs double extortion, side by side

Backups defeat it?
  Encryption-only (pre-2020): yes, restore and eat the downtime
  Double extortion (current): no, backups buy availability, not confidentiality

Detection window that matters
  Encryption-only: before encryption runs (hours)
  Double extortion: before exfiltration completes (days to weeks earlier)

Regulatory clock starts when
  Encryption-only: outage declared (sometimes never reported)
  Double extortion: exfiltration of personal data is confirmed, which the leak post frequently does for you (breach notification mandatory in most jurisdictions)

Paying buys you
  Encryption-only: decryption key, full recovery
  Double extortion: decryptor plus an unverifiable promise to delete

OFAC exposure
  Encryption-only: limited in practice (the payee is often unattributed at payment time, even though the on-chain transaction itself is public)
  Double extortion: high (the leak post names the operator brand, and operator wallets are often already designated)
What changes when leverage moves from availability to confidentiality

What this means for defenders

The detection window that matters is no longer “before encryption”. It's “before exfiltration” — typically days earlier. The signal lives in egress traffic analytics, unusual file-share reads by service accounts, and the appearance of recon tooling.

# unusual outbound transfer volume from a server-class host (Linux, conntrack-tools;
# needs byte accounting: sysctl -w net.netfilter.nf_conntrack_acct=1). Sums original-direction
# bytes per destination and prints anything over 5 GB.
conntrack -L 2>/dev/null | awk '{
  dst = ""; b = ""
  for (i = 1; i <= NF; i++) { if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5); if (b == "" && $i ~ /^bytes=/) b = substr($i, 7) }
  if (dst != "") vol[dst] += b
} END { for (h in vol) if (vol[h] > 5e9) print h, vol[h] }'

# rclone / megacmd / 7z spawned by an unexpected parent process (Linux; the [x] trick stops grep
# matching itself; svc-backup is a placeholder for your backup service account)
ps -eo pid,ppid,user,comm,args | grep -E '[r]clone|[m]ega-cmd|7[z]' | grep -v 'svc-backup'

# AD enumeration tooling (Windows, PowerShell): Sysmon process-creation events (ID 1) from the
# last hour whose command line names AdFind, SharpHound or BloodHound
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=(Get-Date).AddHours(-1)} |
  Where-Object { $_.Message -match 'adfind|sharphound|bloodhound' }
High-signal indicators worth alerting on (sample, not exhaustive)
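The one-liners above are what you type at a console; in a SIEM or a log pipeline the same three indicator classes become rules over process-creation and flow records. The following is an added example, not Darkfield's detection content, written in Python so it runs offline over constructed input: process events shaped like Sysmon Event ID 1 (host, user, parent, image, command line) and per-flow egress byte counts shaped like firewall or NetFlow output. It goes one step beyond the one-liners by also flagging the password-protected archive that phase 4 describes (the 7-Zip / WinRAR -p switch). Host names, user names, the expected-context allowlist, the tool lists, the 203.0.113.0/24 documentation addresses and the 5 GiB threshold are all this example's own assumptions.

```python
"""Run the three indicator classes above over constructed log records.

Added example, not Darkfield's detection content. The event shapes, host and
user names, tool lists and the 5 GiB threshold are this example's own
assumptions; the records are constructed to resemble Sysmon Event ID 1
(process creation) on Windows hosts and per-flow egress byte counts from a
firewall or flow collector.
"""
import ipaddress
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# --- constructed input (not real telemetry) ---------------------------------
PROCESS_EVENTS = [
    # nightly backup job: archiver run by the backup service account from the scheduler
    {"host": "FS01", "user": "CORP\\svc-backup", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a D:\backup\nightly.7z \\FS01\Finance"},
    # staging: same archiver, but a password-protected archive from cmd.exe under a user account
    {"host": "FS01", "user": "CORP\\jsmith", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\7z.exe",
     "cmdline": r"7z.exe a -pQwerty123 -mhe=on D:\stage\fin.7z \\FS01\Finance"},
    # exfiltration tool pushing the staged archive to a cloud remote
    {"host": "FS01", "user": "CORP\\jsmith", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy D:\stage mega:drop --transfers 16"},
    # AD recon on the domain controller
    {"host": "DC01", "user": "CORP\\jsmith",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Temp\SharpHound.exe",
     "cmdline": r"SharpHound.exe -c All --zipfilename loot.zip"},
    {"host": "DC01", "user": "CORP\\jsmith", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\AdFind.exe",
     "cmdline": r"AdFind.exe -f (objectcategory=person) -csv"},
    # ordinary workstation activity
    {"host": "WS17", "user": "CORP\\ahelpdesk", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# bytes sent per (host, destination); 203.0.113.0/24 is a documentation range standing
# in for a Mega endpoint or a rented VPS
EGRESS_FLOWS = [
    {"host": "FS01", "dst": "10.20.0.5", "bytes": 50 * 1024**3},    # internal replication, not egress
    {"host": "FS01", "dst": "203.0.113.10", "bytes": 9 * 1024**3},
    {"host": "FS01", "dst": "203.0.113.11", "bytes": 4 * 1024**3},
    {"host": "WS17", "dst": "203.0.113.50", "bytes": 200 * 1024**2},
]

# --- rules -------------------------------------------------------------------
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
EXFIL_TOOLS = {"rclone.exe", "megacmd.exe", "megasync.exe", "mega-cmd.exe"}
RECON_RE = re.compile(r"sharphound|bloodhound|adfind|lazagne", re.I)
# (user, parent basename) pairs that legitimately run archivers or sync tools (assumption)
EXPECTED_STAGING_CONTEXT = {("CORP\\svc-backup", "svchost.exe")}
EGRESS_THRESHOLD = 5 * 1024**3
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def basename(win_path):
    return PureWindowsPath(win_path).name.lower()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_process_events(events):
    """Staging / exfil tools outside their expected context, password-protected archives, recon tools."""
    findings = []
    for e in events:
        img, parent = basename(e["image"]), basename(e["parent"])
        ctx = f"{img} by {e['user']} from {parent} on {e['host']}: {e['cmdline']}"
        if img in ARCHIVERS | EXFIL_TOOLS and (e["user"], parent) not in EXPECTED_STAGING_CONTEXT:
            findings.append({"rule": "staging-tool-unexpected-context", "host": e["host"], "detail": ctx})
        if img in ARCHIVERS and re.search(r"(^|\s)-p\S", e["cmdline"]):   # 7z / rar -p<password>
            findings.append({"rule": "password-protected-archive", "host": e["host"], "detail": ctx})
        if RECON_RE.search(img) or RECON_RE.search(e["cmdline"]):
            findings.append({"rule": "ad-recon-tool", "host": e["host"], "detail": ctx})
    return findings


def check_egress(flows, threshold=EGRESS_THRESHOLD):
    """Sum bytes to non-internal destinations per host and flag hosts over the threshold."""
    per_host = defaultdict(int)
    for f in flows:
        if not is_internal(f["dst"]):
            per_host[f["host"]] += f["bytes"]
    return [{"rule": "bulk-external-egress", "host": h,
             "detail": f"{b / 1024**3:.1f} GiB to external addresses"}
            for h, b in sorted(per_host.items()) if b > threshold]


if __name__ == "__main__":
    for f in check_process_events(PROCESS_EVENTS) + check_egress(EGRESS_FLOWS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Two design points carry over to a real deployment: the archiver rule is keyed on who ran the tool and from what parent rather than on the tool alone, because 7-Zip on a file server is normal and only the context is not; and the egress rule excludes RFC 1918 space explicitly rather than relying on a library's notion of "private", which would also swallow the documentation ranges used here and, in production, whatever your own carve-outs are.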

How to use Darkfield to watch the ecosystem

If you want to know whether your organisation or a supplier is currently named on any leak site we monitor, run the name through /tools — it cross-references the full 38k-victim corpus, the public breach catalog, OFAC-listed wallets, and every public Telegram channel and .onion site we crawl. Every match opens a permanent public URL you can hand to your IR team.

For continuous monitoring, group-level pages (see Groups) update as new claims appear; the daily Pulse page is the fastest narrative read on what shifted in the last 24 hours.

By Orizon Research. Compiled with AI assistance, reviewed before publication. Findings are evidence pointers, not legal verdicts.