For most of ransomware's history, the deal was simple: an operator encrypted your files, you paid the ransom, you got the decryption key. Backups defeated the racket. By 2020, enterprises had backed up enough that paying was no longer the cheapest way out — they restored from snapshots and ate the downtime.
Operators adapted. The model that emerged — and now dominates the leaks indexed on our groups page — is double extortion: the data is exfiltrated before the encryption runs, and only then encrypted. Pay, or we publish your files on a Tor leak site, send them to your competitors, hand them to your regulators.
~90% of ransomware operators tracked on Darkfield run a public leak site as part of their extortion stack (source: /groups, 470 operators indexed).
The four phases of a double-extortion intrusion
Every disclosure we add to the corpus is the trailing edge of a process that follows the same shape. The phase labels here are a simplification of the Lockheed kill chain; the MITRE technique IDs link to ATT&CK so you can drill into the sub-techniques operators actually use.
1. Initial access (via broker, phish, or exposed service), ATT&CK T1078. Most operators don't run this phase themselves. Initial Access Brokers (IABs) auction footholds on Russian-language forums for $200–$5,000 depending on the org's revenue band and access depth.
2. Discovery and credential access, ATT&CK T1087. BloodHound mapping of Active Directory, ADFind for OU enumeration, LaZagne for stored credentials. Days to weeks.
3. Lateral movement to high-value hosts, ATT&CK T1021. Cobalt Strike beacons, PsExec, RDP via stolen creds. Focus is on file servers, backup infrastructure, and finance / legal mailboxes.
4. Staging and exfiltration, ATT&CK T1567. Data compressed with 7-Zip or WinRAR (often password-protected), then exfiltrated over Mega, rclone-to-S3, or directly to an attacker-controlled VPS. Volumes 50 GB – 20 TB.
5. Encryption (and the leak post), ATT&CK T1486. Encryption is almost an afterthought now. The lever is the leak post — a Tor page claiming the victim, with a countdown, sample files, and a contact channel.
What a real leak post looks like in code
The HTML of a typical qilin / akira / play leak page is intentionally minimal — these operators are operating on the assumption that browsers visiting their Tor site may be running aggressive content blockers. The structure repeats: victim name, country, sector, sample-file list, countdown, operator contact.
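Indexing a post of this shape means pulling exactly those fields out of the HTML. The following is an added example, not Darkfield's crawler code: a standard-library HTMLParser that extracts victim, meta fields, sample links, contact and countdown from a constructed sample built on the same skeleton (every name and value below is made up).

```python
from html.parser import HTMLParser
# Constructed sample on the skeleton described above; every name and value is made up.
SAMPLE_HTML = """<article class="leak"><h1>Example Victim Ltd</h1>
<ul class="meta"><li>industry: Logistics</li><li>country: DE</li>
<li>revenue: $10-50M</li><li>listed: 2026-05-14</li></ul>
<section class="proof">
<a href="/samples/contracts.zip">contracts.zip · 18 MB</a>
<a href="/samples/payroll.xlsx">payroll.xlsx · 640 KB</a></section>
<p class="contact">Contact: ops@example.invalid · Tox: 0000...</p>
<p class="timer">Publication in: 96h : 12m</p></article>"""

class LeakPostParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.claim = {"victim": None, "meta": {}, "samples": [], "contact": None, "timer": None}
        self._tag = self._cls = self._href = None   # element currently open
        self._in_meta = self._in_proof = False      # container context

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._tag, self._cls, self._href = tag, a.get("class", ""), a.get("href")
        self._in_meta = self._in_meta or (tag, self._cls) == ("ul", "meta")
        self._in_proof = self._in_proof or (tag, self._cls) == ("section", "proof")

    def handle_endtag(self, tag):
        if tag == "ul":
            self._in_meta = False
        elif tag == "section":
            self._in_proof = False
        self._tag = self._cls = None

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        if self._tag == "h1":
            self.claim["victim"] = text                       # victim name
        elif self._tag == "li" and self._in_meta and ":" in text:
            key, val = text.split(":", 1)                     # "country: DE" -> meta
            self.claim["meta"][key.strip()] = val.strip()
        elif self._tag == "a" and self._in_proof:
            self.claim["samples"].append({"href": self._href, "label": text})
        elif self._cls in ("contact", "timer"):
            self.claim[self._cls] = text.split(":", 1)[1].strip()   # value after the label

def parse_leak_post(html):
    p = LeakPostParser()
    p.feed(html)
    return p.claim
```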
```html
<article class="leak">
  <h1>Fab-Masters Inc.</h1>
  <ul class="meta">
    <li>industry: Custom Metal Fabrication</li>
    <li>country: US</li>
    <li>revenue: $5–10M</li>
    <li>listed: 2026-05-14</li>
  </ul>
  <section class="proof">
    <a href="/samples/internal-financials.pdf">internal-financials.pdf · 4.2 MB</a>
    <a href="/samples/employees.csv">employees.csv · 312 KB</a>
  </section>
  <p class="contact">Contact: qilin_support@... · Tox: 7C35408411AEEBD5...</p>
  <p class="timer">Publication in: 96h : 12m</p>
</article>
```

Why paying no longer ends it
The encryption-only model had a clean exit: pay, decrypt, recover. Double extortion broke that. Even if you pay and receive a working decryptor, the data still exists on the operator's storage. The promise to delete it is exactly that — a promise from an actor who runs an extortion business.
- ~50% of paid victims later re-listed under a successor brand (industry IR data)
- 0% of operators publicly audited deletion claims
- 72h median time from leak post to mass-republication on aggregator sites
Encryption-only vs double extortion, side by side
| | Encryption-only (pre-2020) | Double extortion (current) |
|---|---|---|
| Backups defeat it? | Yes — restore + eat downtime | No — backups buy availability, not confidentiality |
| Detection window that matters | Before encryption runs (hours) | Before exfiltration completes (days to weeks earlier) |
| Regulatory clock starts when | Outage declared (sometimes never reported) | Disclosure on leak site (mandatory in most jurisdictions) |
| Paying buys you | Decryption key, full recovery | Decryptor + an unverifiable promise to delete |
| OFAC exposure | Limited (no public ledger of the transaction) | High — operator wallets often pre-listed |
What this means for defenders
The detection window that matters is no longer “before encryption”. It's “before exfiltration” — typically days earlier. The signal lives in egress traffic analytics, unusual file-share reads by service accounts, and the appearance of recon tooling.
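As an added example (not Darkfield's tooling), here is the logic behind those signals in Python over constructed flow and process records: per-destination egress totals from server-class hosts, staging tools launched by an unexpected parent, and the hosts where both coincide. Host names, addresses, parent processes and the 5 GB threshold are all made up for the illustration.

```python
from collections import defaultdict

# Constructed egress flow records for one window: (src_host, dst_ip, bytes_out). All made up.
FLOWS = [
    ("fs01", "203.0.113.10", 4_200_000_000),
    ("fs01", "203.0.113.10", 3_900_000_000),
    ("fs01", "198.51.100.7", 120_000_000),
    ("ws-alice", "198.51.100.7", 900_000_000),
    ("bk01", "203.0.113.44", 12_000_000_000),
]
# Constructed process events: (host, parent_image, image). Hypothetical names.
PROCS = [
    ("bk01", "svc-backup-agent", "rclone"),
    ("fs01", "cmd.exe", "7z.exe"),
    ("fs01", "powershell.exe", "rclone.exe"),
    ("ws-alice", "explorer.exe", "7zFM.exe"),
]
SERVER_HOSTS = {"fs01", "bk01", "dc01"}           # hosts that should never bulk-upload
ALLOWED_DESTS = {"bk01": {"203.0.113.44"}}        # sanctioned bulk egress (offsite backup)
EGRESS_THRESHOLD = 5_000_000_000                  # 5 GB per (host, dest) in the window
EXFIL_TOOLS = ("rclone", "mega-cmd", "7z")        # archivers / uploaders named in the text
EXPECTED_PARENTS = {"svc-backup-agent"}           # parents allowed to spawn those tools

def egress_alerts(flows):
    """Sum bytes per (server host, destination); return the pairs over the threshold."""
    totals = defaultdict(int)
    for host, dst, nbytes in flows:
        if host in SERVER_HOSTS and dst not in ALLOWED_DESTS.get(host, set()):
            totals[(host, dst)] += nbytes
    return sorted((h, d, b) for (h, d), b in totals.items() if b > EGRESS_THRESHOLD)

def tooling_alerts(procs):
    """Flag staging/exfil tools on server hosts whose parent is not an expected service."""
    return [(h, parent, image) for h, parent, image in procs
            if h in SERVER_HOSTS and image.lower().startswith(EXFIL_TOOLS)
            and parent not in EXPECTED_PARENTS]

def correlated_hosts(flows, procs):
    """Hosts showing both signals (staging tooling plus bulk egress): exfil in progress."""
    return sorted({h for h, _, _ in egress_alerts(flows)}
                  & {h for h, _, _ in tooling_alerts(procs)})
```

The backup host moving 12 GB to its sanctioned target raises nothing; the file server that first spawns an archiver from a shell and then pushes 8 GB to an unknown address is the host to pull before the leak post appears.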
```sh
# unusual outbound transfer volume from a server-class host
# (assumes per-destination counter rules on eth0; sums the "bytes" field of each rule)
nft list ruleset | awk '/oif "eth0" ip daddr/ { for (i = 1; i <= NF; i++) { if ($i == "daddr") h = $(i+1); if ($i == "bytes") vol[h] += $(i+1) } } END { for (h in vol) if (vol[h] > 5e9) print h, vol[h] }'
# rclone / megacmd / 7z spawned by an unexpected parent process
# (bracketed first characters keep the grep process itself out of the match)
ps -eo pid,ppid,comm,args | grep -E '[r]clone|[m]ega-cmd|[7]z' | grep -v 'svc-backup'
# AD enumeration patterns (BloodHound / ADFind signature)
journalctl _COMM=adfind -S "1 hour ago" --no-pager
journalctl _COMM=SharpHound -S "1 hour ago" --no-pager
```

How to use Darkfield to watch the ecosystem
If you want to know whether your organisation or a supplier is currently named on any leak site we monitor, run the name through /tools — it cross-references the full 38k-victim corpus, the public breach catalog, OFAC-listed wallets, and every public Telegram channel and .onion site we crawl. Every match opens a permanent public URL you can hand to your IR team.
For continuous monitoring, group-level pages (see Groups) update as new claims appear; the daily Pulse page is the fastest narrative read on what shifted in the last 24 hours.