Double Extortion Ransomware: Why Backups Alone Aren't Enough
Data exfiltration appears in 96% of BlackFog-tracked Q1 2026 ransomware incidents. Backups restore access but don't resolve data exposure. Here's what actually protects your business.


A clean backup can get your business running again after ransomware encryption. It cannot remove a copy of your data from an attacker's server.
That distinction matters more in 2026 than it used to. BlackFog's Q1 2026 ransomware report found data exfiltration in 96% of the incidents it tracked, with average exfiltration reaching 743GB and an average negotiation deadline of 7.7 days. Those figures don't mean every ransomware case is identical — but they show why backups alone no longer answer the full risk. Backups solve recovery. Double extortion creates a separate problem: exposure.

Affiliate Disclosure: This article contains affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you.
About the data in this article
The figures here come from different slices of the threat landscape, so treat them as trend indicators rather than one universal statistic. The 96% exfiltration figure is from BlackFog's Q1 2026 ransomware report. The 22% data-incident figure is from Arctic Wolf's 2026 Threat Report incident-response caseload. The 38% encryption decline is from the Picus Red Report 2026, which maps malware behavior to MITRE ATT&CK.
What we see on the first call
The call often opens the same way: "We got hit, but we're fine — we have backups." The relief is real, and for the encryption half of the problem, it's justified. The hard part of the conversation is the next sentence, when we have to explain that getting their files back doesn't address the copy the attacker already took. The business that prepared only for a lockout is, at that moment, unprepared for the data-exposure side of the incident.
Do backups still protect against ransomware?
Backups protect recovery. They do not protect confidentiality.
For years, the first ransomware question was simple: do we have backups? It was reasonable advice, and we gave it. Ransomware was largely a denial-of-access problem — attackers encrypted your files and sold you the key, so a tested restore meant you didn't have to pay. The 3-2-1 backup rule, immutable snapshots, tested restores: that advice was correct, and it remains correct.
What changed is where the attacker's leverage sits. As businesses got better at recovery, many attackers stopped betting everything on locking you out. They now copy your data first and use the threat of publishing it as the real pressure. A restore brings your operations back; it does nothing about the copy already sitting on someone else's server. You can have perfect backups and still face a genuine extortion threat.
What is double extortion ransomware?
Double extortion combines file encryption with a threat to leak stolen data.
Double extortion hits you with two demands instead of one.
- Encrypt to deny access. The classic move — your files are locked, and you pay for the key.
- Steal a copy to threaten exposure. Before encrypting, the attacker quietly copies your sensitive data off the network. Now, even if you restore from backup and ignore the decryption demand, they threaten to publish or sell what they took.
The second demand is often where the lasting business risk appears, because it survives a perfect recovery. Here is the shift in plain terms:
| Encryption-first model | Data-extortion model |
|---|---|
| Encrypt files, demand payment for the key | Steal data first, then encrypt (or skip encryption) |
| Leverage = your lost access | Leverage = their copy of your data |
| A clean backup may restore operations | A clean backup doesn't resolve the data exposure |
| "Can we get our data back?" | "Can they hurt us with a copy we can't delete?" |
Triple extortion adds a third layer of pressure on top of those two. Instead of just threatening you, the attacker also goes after the people around you: emailing your customers to tell them their data was stolen, pressuring your business partners, threatening to report you to regulators, or launching a denial-of-service attack to knock your site offline until you pay. The point of every added layer is the same — to make paying feel cheaper than the consequences of not paying.
A short, concrete scenario: an attacker phishes one employee, spends a week quietly mapping your shared drives, copies your client folder and accounting files to their own server, and then triggers the encryption. You restore from backup by Wednesday and you're operational. On Thursday, you get an email with a sample of your own client contracts attached and a deadline. Your backups did their job perfectly. They were never going to help with this.
Why don't backups stop data leaks?
A backup restores your copy. It does not delete the attacker's copy.
This is the core distinction many businesses miss, so it's worth stating plainly: backups solve availability, not confidentiality.
Availability is "can I get to my data?" A backup restores that — it gets your files back after they've been encrypted, deleted, or corrupted. That is genuinely valuable and you should never give it up.
Confidentiality is "is my data still private?" Once a copy of your data is sitting on a criminal's infrastructure, that question is already answered, and no backup can change the answer. Restoring a file creates a working copy for you. It does nothing to the stolen copy. You cannot back up your way out of a leak, because the leak is a problem of exposure, and backups were never built to address exposure.
Here is the part that surprises people most: this is true even for a textbook setup. A perfect 3-2-1 backup configuration with immutable, ransomware-proof snapshots still leaves the leak threat completely intact. Immutability protects the backup from being encrypted or deleted by the attacker — it's a recovery guarantee. It is not, and was never designed to be, an exfiltration control.
The one-line takeaway
Backups answer "can we recover?" They say nothing about "can they leak it?" In many modern cases, the attacker's leverage shifts to that second question — and that's the one your backup strategy doesn't cover.
None of this is an argument against backups. It's an argument that the job description for backups never included stopping a leak, and the threat has moved into exactly that gap.
What usually goes wrong in small business ransomware incidents?
The hardest cases usually lack visibility, segmentation, logs, and a response plan.
The "we have backups, so we're fine" first call is the recurring pattern, and the gap between that confidence and the actual situation is where the real difficulty lies. In the incidents we have worked through with South Florida businesses, the cases that go badly tend to share the same missing pieces, and they're rarely the pieces anyone budgeted for.
The incidents that turn into drawn-out extortion tend to share several of the same gaps:
- No detection of data leaving the network. The business could tell when files got encrypted, because that's loud and obvious. They had nothing watching for hundreds of gigabytes quietly moving out over the days before.
- Flat networks with no segmentation. One compromised laptop could reach the file server, the accounting system, and the backups, because everything lived on the same open network. The attacker didn't have to work to find the valuable data — it was all one hop away.
- No logging to even know what was taken. When the extortion email arrives, the first question is "what did they actually get?" Without logs, that question can't be answered, which makes both the legal exposure and the negotiation far worse.
- No tested response plan. There was a backup plan, but no incident plan — no agreed first call, no idea who decides whether to involve counsel or law enforcement, no sense of notification obligations.
The cleaner cases — the ones that stayed contained — weren't the ones with the biggest security budgets. They were the ones where someone could see unusual data movement and act on it early, where a compromised machine couldn't reach everything, and where there was a rehearsed plan for the first 24 hours. The difference between a bad week and a business-threatening event was rarely the backups. Both groups usually had those. The difference was everything built around detecting and containing the theft.
That's the uncomfortable lesson: the control that would have helped most was almost never the one the business had spent the most on.
What is data-only extortion?
Data-only extortion skips encryption and uses stolen files as leverage.
Double extortion is already common. The sharper trend is attackers skipping encryption entirely and going straight to theft and extortion.
Arctic Wolf's 2026 Threat Report found that data incidents rose from 2% to 22% of its incident-response cases in a single reporting period — an 11x jump — as some attackers moved directly to theft and extortion. Separately, the Picus Red Report 2026 recorded a 38% drop in the "Data Encrypted for Impact" technique across its malware dataset. Both measure different slices of the landscape, and neither is a market-wide headcount — but they point the same way.
The logic is straightforward from the attacker's side. Encryption is loud, it's destructive, and — thanks to better backups — it increasingly fails to produce a payday. Stealing data quietly and threatening to publish it is cheaper to pull off, harder to detect, and plays on a fear that backups can't address. This is the same direction-of-travel we see in the AI-written malware story: attackers industrializing the cheap, scalable parts of the attack and dropping the expensive ones.
For a backup-confident business, this is the key point: if there's no encryption event, your backups never even come into play. There's nothing to restore. The attack is invisible until the extortion demand lands, and by then the only thing that mattered was whether you could have detected and stopped the data from leaving in the first place.
How can small businesses reduce data-exfiltration risk?
The goal is to stop entry, limit movement, and detect data leaving — before the demand arrives.
Backups are the recovery floor. The layers that address exposure sit on top of them. None of this is exotic; it's the standard set of controls a competent IT provider should already be discussing with you. Here's the practical model, with the question to put to your provider for each layer:

| Layer | What it helps prevent | What to ask your IT provider |
|---|---|---|
| MFA and email security | Stolen-password and phishing/ClickFix access | "Where is MFA enforced, and where is it still optional?" |
| EDR or MDR | Silent attacker behavior on endpoints | "Are we using full EDR/MDR, or only antivirus?" |
| Network segmentation | One infected device reaching everything | "Can one employee laptop reach our file server and backups?" |
| Least privilege | Excessive data access from one account | "What can a single compromised account actually touch?" |
| Exfiltration monitoring | Large or unusual outbound transfers | "Would we know if 100GB left the network overnight?" |
| Immutable backups | Loss after encryption or deletion | "When was our last successful restore test?" |
| Logging and retention | Not knowing what was taken | "How far back can we investigate file access and logins?" |
Three of these deserve a note on tooling, because the product names get blurred in marketing:
- EDR vs. antivirus. Traditional antivirus recognizes known-bad files; EDR watches behavior and can catch an intruder during the quiet reconnaissance phase. Be precise about tiers when you buy: Bitdefender GravityZone's base Business Security is prevention-focused, while full EDR sits in its Business Security Enterprise tier (XDR is a further add-on). Our cybersecurity software guide compares the options. If someone has already clicked, your phishing-link response steps matter more than your backups.
- Backup-plus-security tools. Acronis Cyber Protect bundles backup with anti-malware and some exfiltration-related detection, which is genuinely useful — but treat it as backup-plus-security integration, not a full replacement for dedicated data-loss prevention, network detection, segmentation, or a response plan.
- Immutable backups remain the floor. A Synology immutable-snapshot setup is the right recovery foundation. Hold it in its proper place: it guarantees you can rebuild, and it does nothing about the leak.
No single tool solves double extortion. The product matters less than whether the control is actually deployed, monitored, and tested. For a structured rollout without a dedicated security team, our breach-prevention guide lays out a 90-day plan that maps closely to this list.
Not sure which layers you already have?
A security assessment should answer four plain questions: whether your backups actually restore, whether your endpoints are monitored, whether sensitive data is segmented, and whether an unusual outbound transfer would be detected. If you can't answer all four with confidence, that's the gap. We run this kind of review as part of our cybersecurity services for businesses across South Florida.
How can small businesses detect data exfiltration?
The aim is to spot unusual data movement before the attacker sends the demand.
This is the layer most businesses are missing, and it's the one aimed squarely at the 2026 threat. The detection gap is real: in ExtraHop's 2026 Global Threat Landscape Report — a survey of larger organizations — 49% didn't detect the threat until after data was stolen (up from 31% a year earlier), and attackers sat in networks for roughly 2.5 weeks on average before being noticed. Smaller businesses with thinner monitoring are not better off.
You don't need an enterprise security operations center to watch for the common warning signs:

- Large outbound transfers, especially outside business hours
- New use of archive tools (zip, 7-Zip, RAR) to compress shared folders
- Unusual uploads to consumer cloud-storage or file-sharing services
- Admin or user logins from unfamiliar locations
- Remote-access tools appearing on machines that never had them
- A spike in file access by a single user account
- Firewall or DNS logs showing connections to unfamiliar destinations
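The network-side signs in that list (large outbound transfers, off-hours activity, unfamiliar destinations, a single host sending far more than usual) can be checked with nothing more than a firewall or proxy export and a short script. The following is an added example, not code from the original article or from any product it mentions: it runs those rules over a few constructed log lines. The one-flow-per-line log format, the threshold values, and the baseline of "known" destinations are assumptions; replace them with your own firewall export and a week of your own normal traffic before trusting the output.

```python
"""Exfiltration warning-sign detector over constructed firewall log lines.

Added example, not from the original article. The log format, thresholds and
the 'known destinations' baseline below are assumptions to be replaced with
your own firewall or proxy export and your own traffic baseline.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample, not real traffic. One flow per line:
#   <ISO timestamp> <internal source IP> <destination> <bytes sent outbound>
SAMPLE_LOG = """\
2026-03-10T09:12:03 10.0.1.15 mail.example.com 48213
2026-03-10T10:40:19 10.0.1.22 crm.example.com 912000
2026-03-10T23:05:41 10.0.1.15 upload.cloudshare.example 30000000000
2026-03-10T23:31:02 10.0.1.15 upload.cloudshare.example 45000000000
2026-03-11T01:10:55 10.0.1.15 203.0.113.44 60000000000
2026-03-11T08:02:10 10.0.1.30 mail.example.com 70211
"""

# Assumed baseline: destinations the business legitimately sends data to.
KNOWN_DESTINATIONS = frozenset({"mail.example.com", "crm.example.com"})

# Assumed thresholds; tune them against a week of your own normal traffic.
GIB = 1024 ** 3
BUSINESS_HOURS = range(7, 19)       # 07:00 to 18:59 local time
SINGLE_FLOW_LIMIT = 5 * GIB         # one connection sending this much is unusual
OFF_HOURS_FLOW_LIMIT = 1 * GIB      # lower bar when nobody should be working
PER_HOST_DAILY_LIMIT = 20 * GIB     # total outbound per host per calendar day


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def detect(log_text, known=KNOWN_DESTINATIONS):
    """Return findings as (rule, src, where, bytes) tuples, in log order.

    Per-line rules: unfamiliar_destination (first contact between a host and
    a destination outside the baseline), large_flow, off_hours_transfer.
    The daily_volume rule sums bytes per host per day and is appended last.
    """
    findings = []
    seen_unfamiliar = set()
    daily_out = defaultdict(int)    # (date, src) -> bytes sent that day

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, nbytes = parse_line(raw)
        daily_out[(ts.date(), src)] += nbytes

        if dst not in known and (src, dst) not in seen_unfamiliar:
            seen_unfamiliar.add((src, dst))
            findings.append(("unfamiliar_destination", src, dst, nbytes))
        if nbytes >= SINGLE_FLOW_LIMIT:
            findings.append(("large_flow", src, dst, nbytes))
        if ts.hour not in BUSINESS_HOURS and nbytes >= OFF_HOURS_FLOW_LIMIT:
            findings.append(("off_hours_transfer", src, dst, nbytes))

    for (day, src), total in sorted(daily_out.items()):
        if total >= PER_HOST_DAILY_LIMIT:
            findings.append(("daily_volume", src, day.isoformat(), total))
    return findings


def hosts_to_investigate(findings):
    """Sorted (src, finding_count) pairs: the first practical question in an
    incident is 'which machine do we isolate first?'."""
    counts = defaultdict(int)
    for _rule, src, _where, _nbytes in findings:
        counts[src] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for rule, src, where, nbytes in detect(SAMPLE_LOG):
        print(f"{rule:24} {src:12} {where:28} {nbytes / GIB:8.1f} GiB")
    print("isolate first:", hosts_to_investigate(detect(SAMPLE_LOG)))
```

On the constructed sample, every finding points at the same workstation: two first-time contacts with destinations outside the baseline, three multi-gigabyte flows, all of them after hours, and a daily total far above the limit on two consecutive days. That is exactly the "hundreds of gigabytes quietly moving out over the days before" pattern the article describes, and it is visible in flow logs long before any encryption runs. The archive-tool and file-access-spike signs in the list above live on the endpoint rather than in network logs; those are what EDR or file auditing is for, and this script does not cover them.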
It helps to map these to where they appear in an attack, so you know which control catches what:
| Attack phase | What attackers do | Control that helps |
|---|---|---|
| Initial access | Phishing, stolen password, exposed VPN/RDP | MFA, email filtering, patching |
| Discovery | Map shares, users, backups, finance folders | EDR/MDR, logging, least privilege |
| Collection | Zip or stage sensitive folders | File auditing, alerting, access review |
| Exfiltration | Upload to cloud, VPS, or file-sharing site | Outbound monitoring, firewall alerts |
| Encryption | Lock files or servers | Immutable backups, segmentation |
| Extortion | Threaten leak, customers, regulators | IR plan, counsel, insurance, notification workflow |
What should a business decide before a ransomware incident?
The first 24 hours go better when legal, insurance, IT, and leadership roles are already clear.
These are questions worth answering on a quiet afternoon, not at 9 p.m. during an active extortion. For Florida businesses, a data-theft incident can trigger notification obligations even if systems are restored quickly — the clock is driven by unauthorized access to personal data, not by whether anything was encrypted.
Florida business note: recovery doesn't end the breach question
Under the Florida Information Protection Act, a covered entity must generally notify affected individuals no later than 30 days after determining a breach occurred (or having reason to believe it did) — subject to exceptions for a law-enforcement delay, a documented good-cause extension, and a documented determination that the breach is unlikely to cause harm. Breaches affecting 500 or more Floridians also require notice to the Department of Legal Affairs; those requiring notice to more than 1,000 individuals add notice to nationwide consumer reporting agencies. If you handle health data, HIPAA sets a separate 60-day outer limit for individual notice (with HHS and media notice required at 500+ individuals). This is general information, not legal advice — confirm your specific obligations with counsel before sending notices. Our security and compliance guide covers how these overlap.
Before an incident, decide who owns each of these:
- Who calls the cyber-insurance carrier — and do your current controls (MFA, EDR, tested backups) meet the policy's conditions, so a claim isn't denied?
- Who contacts legal counsel to confirm notification obligations before any notice goes out
- Who preserves logs and forensic evidence — and who can isolate systems without destroying that evidence
- Who approves customer or regulator notifications
- Where the incident plan is stored if the network itself is unavailable
A plan you've never rehearsed is a document, not a plan. The disaster-recovery guide covers building one you can execute under pressure.
What should you ask your IT provider about ransomware protection?
A real plan proves recovery, detection, containment, and response — not just backups.
If you do nothing else after reading this, put these five questions to whoever runs your IT:
- Are our backups immutable, offsite, and restore-tested?
- Do we have EDR or MDR on every endpoint, or just antivirus?
- Can one compromised device reach our sensitive shared folders and backups?
- Would we detect a large outbound transfer to cloud storage or an unknown destination?
- Do we have an incident-response plan that includes legal, insurance, and notification steps?
If the answers are vague, that's your roadmap.
The honest bottom line
Backups are still required. They are just not the whole ransomware plan anymore.
A tested, immutable backup answers one essential question: can we recover operations? Double extortion adds a second: can stolen data be used against us? A modern small-business plan needs both sides covered — recovery through immutable backups, and exposure reduction through MFA, EDR or MDR, segmentation, exfiltration monitoring, least privilege, logging, and a rehearsed response plan.
If you are not sure which layers you have, that is the right question to bring to a security assessment — we help South Florida businesses map real exposure, not just their recovery plan.
Related Resources
- The 3-2-1 Backup Rule: Why It Still Works — The recovery foundation this article positions as necessary but no longer sufficient.
- Synology Active Backup for Business Guide — How to build immutable, ransomware-proof recovery — the floor of any defense.
- Best Cybersecurity Software for Small Business — EDR and endpoint protection options that catch intrusions before exfiltration.
- Cut Your Breach Risk in 90 Days — A practical rollout plan for the prevention layers backups can't provide.
- AI-Written Malware and the Slopoly Ransomware Threat — The parallel 2026 shift on the malware side of the same attacks.
- Small Business Disaster Recovery Guide — Building and testing the incident response plan this article calls for.