Evolution of Ransomware: Multi‑Extortion Ransomware Attacks
Ransomware attacks are evolving from simple file encryption to multi‑extortion tactics that first exfiltrate sensitive data and then threaten public release, forcing victims to pay or face further pressure such as contacting customers directly. Recent high‑profile incidents—like the University of Mississippi Medical Center’s shutdown of clinics and BridgePay’s payment outage—illustrate how ransomware now disrupts healthcare, finance, and manufacturing operations worldwide. With 124 active groups and AI tools lowering entry barriers, traditional perimeter defenses are inadequate. Penta Security’s D.AMO platform counters every stage: it encrypts files at the folder level, blocks malicious processes via strict access control, and provides independent backup recovery, ensuring that even if data is stolen it remains unreadable and organizations can restore operations without negotiating with attackers.

EVOLUTION OF RANSOMWARE: MULTI-EXTORTION RANSOMWARE ATTACKS
The world of cybercrime has shifted from simple encryption schemes to a sophisticated playbook built around multi-extortion. What started as a straightforward pattern (break in, encrypt files, demand payment for a decryption key) has evolved into a layered threat model that weaponizes stolen data even when it can no longer cripple operations. Today, attackers no longer rely solely on forcing organizations to pay for a key; they leverage exfiltrated information to pressure victims, their customers, and their partners, creating an escalating cycle of risk that touches every sector.
In February 2026, the University of Mississippi Medical Center faced a disruptive ransomware incident that rippled across the health system. The attack hit the Epic electronic health record system, and its effects spread to 35 clinics and more than 200 telehealth locations. The disruption forced the cancellation of chemotherapy appointments and postponed non-emergency surgeries, while clinicians and staff were compelled to revert to paper-based workflows. The human impact of such events is tangible: longer wait times, potential delays in critical care, and increased stress for patients and caregivers navigating care under pressure.
This kind of disruption is not isolated. Recent data indicate a harsh reality for U.S. healthcare: in 2025, about 93% of healthcare organizations experienced at least one cyberattack, and roughly 72% of respondents reported that an incident directly disrupted patient care. The consequences extend beyond the hospital walls. In February 2026, a payment processing network called BridgePay suffered a ransomware incident that compromised its APIs, virtual terminals, and payment pages, highlighting how financial ecosystems intertwine with healthcare and other sectors. Across industries, publicly disclosed ransomware incidents surged 49% year over year in 2025, totaling 1,174 confirmed incidents. When hospitals halt treatments, financial institutions freeze transactions, and manufacturers pause production lines, ransomware ceases to be a distant threat and becomes a direct business risk with tangible operational consequences.
The threat landscape has grown broader still. Today’s cybercriminals pursue a multi-pronged approach that extends beyond encryption and ransom. The double-extortion model, which became prevalent as defenders learned to restore from backups, combines data theft with encryption: attackers first exfiltrate sensitive files—ranging from patient records to billing data—before locking the target’s systems. Victims face two pressures: pay for decryption to restore operations, or risk the public exposure of their stolen data. The risk is amplified because, once data has been stolen, backups may not mitigate the impact if the primary threat is data leakage or regulatory fallout rather than downtime alone.
Even more concerning is the rise of triple extortion. In these cases, attackers do not stop at encrypting data and threatening public exposure; they actively contact a victim organization’s customers or partners to apply additional pressure and complicate incident response and remediation. The effect is a cascading set of consequences that can undermine trust, trigger regulatory scrutiny, and drive reputational damage long after systems are restored.
The expansion of multi-extortion techniques is fueled in part by the increasing availability of AI-powered tools. This technology lowers the barrier to entry for cybercriminals, enabling less sophisticated actors to perform data theft, develop automated phishing campaigns, and refine extortion tactics with greater speed and scale. As a result, the threat landscape has become more dynamic and harder to defend against with traditional perimeter-focused strategies alone.
The numbers behind the trend are striking. By 2025, researchers identified 124 active ransomware groups, with 73 of those being newly emerged—an indicator that new players continue to enter the field and push the boundaries of scale and sophistication. The combination of more adversaries, broader attack surfaces, and faster, more capable tools has elevated ransomware from a specialized cybercrime into a persistent business risk that demands a data-centric defense approach.
Given this reality, the question is not only how to prevent intrusions but how to render stolen data useless to attackers and to maintain continuity even when breaches occur. This is where data protection that emphasizes post-breach resilience becomes essential. If exfiltrated data cannot be weaponized, if access to critical files can be blocked, and if rapid recovery is possible without paying a ransom, organizations can disrupt attackers’ core incentives and reduce the severity of multi-extortion campaigns.
A defense architecture for multi-extortion threats must move beyond traditional perimeter protection. It should provide a cohesive, integrated capability set that addresses every phase of an attack: preventing unauthorized access to sensitive data, ensuring that exfiltrated information remains unreadable, and enabling rapid restoration of operations through solid backup and recovery processes. In practice, this means coordinating encryption, access control, and backup recovery in a single platform so that, even if an intrusion succeeds, the attacker cannot leverage data to cause meaningful harm or extended downtime.
One approach to this challenge focuses on encryption-based data protection that spans on-premises and cloud environments. A platform designed to address multi-extortion threats emphasizes three core capabilities: strong, folder-level encryption that protects critical files within designated directories; rigorous access control that ensures only explicitly authorized processes and users can interact with encrypted data; and resilient backup and recovery processes that support rapid restoration without reliance on decryption keys alone. By combining these features, organizations create a barrier that many attackers will find insurmountable: data remains inaccessible and unreadable, even if it has been copied from a live system, and recovery can proceed on a trusted timeline.
Folder-level encryption is a practical approach to protecting sensitive data without wholesale disruption. By encrypting files within administrator-designated folders at the operating system level, organizations can apply robust protection with a deployment model that minimizes user impact. Kernel-level encryption enables fast, secure encryption on existing systems, reducing operational overhead while maintaining performance. The policy framework ensures consistent protection across environments and makes it clear which data is safeguarded, simplifying governance and audits.
Access control complements encryption by restricting interactions with encrypted data. A defense system that enforces strict process and OS-user access policies prevents ransomware and other malicious applications from accessing important folders. When an attempt is blocked, it is logged for auditing and can be reviewed centrally to inform incident response and remediation planning. This layered approach means that even sophisticated malware that escapes initial defenses encounters barriers that are difficult to circumvent.
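The default-deny decision and audit trail described above, as an added conceptual sketch; it is not code from the product or vendor this page describes. The policy shape, paths, users and process names are constructed assumptions, and path checks here are lexical only, whereas real enforcement sits in the OS and resolves links.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class FolderPolicy:
    folder: str          # protected folder (absolute POSIX path)
    allowed: frozenset   # explicitly authorized (process_path, os_user) pairs

def _inside(path, folder):
    # Normalize first so "/srv/public/../records/x" cannot slip past the policy.
    p, f = posixpath.normpath(path), posixpath.normpath(folder)
    return p == f or p.startswith(f + "/")

def evaluate(policies, event, audit_log):
    """Return True if access is allowed; record every blocked attempt."""
    for pol in policies:
        if _inside(event["path"], pol.folder):
            # Both the process AND the OS user must be on the allow-list.
            if (event["process"], event["user"]) in pol.allowed:
                return True
            audit_log.append({"action": "BLOCK", "folder": pol.folder, **event})
            return False
    return True  # outside every protected folder: the policy does not apply

def blocked_by_process(audit_log):
    """Central review: blocked attempts per process, to surface bulk access."""
    counts = {}
    for rec in audit_log:
        counts[rec["process"]] = counts.get(rec["process"], 0) + 1
    return counts

# Constructed policy and access events (all names hypothetical).
POLICIES = [FolderPolicy("/srv/records", frozenset({("/usr/bin/ehr-server", "ehr")}))]
EVENTS = [
    {"process": "/usr/bin/ehr-server", "user": "ehr", "path": "/srv/records/p1.db"},
    {"process": "/tmp/updater", "user": "ehr", "path": "/srv/records/p1.db"},
    {"process": "/tmp/updater", "user": "ehr", "path": "/srv/public/../records/p2.db"},
    {"process": "/usr/bin/ehr-server", "user": "www", "path": "/srv/records/p1.db"},
    {"process": "/tmp/updater", "user": "ehr", "path": "/srv/public/readme.txt"},
]

def run():
    log = []
    decisions = [evaluate(POLICIES, e, log) for e in EVENTS]
    return decisions, log

if __name__ == "__main__":
    decisions, log = run()
    print(decisions, blocked_by_process(log))
```

A process that accumulates many blocked records against a protected folder in a short window is the signal a central reviewer would escalate first.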
Backup and recovery complete the triad by ensuring that, in the event of a breach, operations can resume with minimal downtime. An independently managed recovery pathway means it is possible to restore from trusted backups without negotiating decryption keys. In a multi-extortion world, reducing the potential value of stolen data—by rendering it unreadable and inaccessible—becomes as important as stopping the breach in the first place.
To summarize, multi-extortion ransomware changes the implicit calculus of defense. Perimeter-based prevention remains important, but it is no longer sufficient on its own. Organizations must deploy a data-centric security posture that protects information at rest, in use, and in transit, while also ensuring that backups are secure and readily recoverable. The objective is clear: disrupt the attacker’s leverage by destroying the value of stolen data, blocking access to encrypted files, and enabling rapid return to normal operations even when an attack succeeds.
D.AMO: BLOCKING EVERY STAGE OF A RANSOMWARE ATTACK
In this evolving threat landscape, solutions that address multiple stages of a ransomware attack are gaining traction. D.AMO is an encryption-based data protection platform designed to block extortion at every phase of a multi-extortion campaign. It combines file encryption, process-based access control, and backup recovery into a unified defense, helping organizations protect data stores across servers and workstations in both on-premises and cloud environments.
Key capabilities include:
Folder-Level File Encryption: D.AMO encrypts files within designated folders at the OS level, applying kernel-level encryption to enable fast, secure protection without disrupting user workflows. Encryption policies are implemented at the folder level to ensure consistent protection across environments, so sensitive data remains unreadable even if attackers manage to copy it off the system. By preventing unauthorized access to encrypted data, this approach neutralizes the data exposure risk that is central to double extortion.
Access Control: D.AMO enforces strict access control over processes and OS users, permitting only explicitly authorized access. This means ransomware and other malicious programs are blocked from interacting with encrypted folders, reducing the likelihood of destructive file manipulation or data exfiltration. All blocked activity is captured in an audit log, providing a centralized record for security teams to review and respond to incidents.
Backup and Recovery: Even when an attack reaches the stage of encryption, organizations can resume operations through an independently managed recovery system. With D.AMO in place, the ability to restore from secure backups reduces the organization’s dependence on decryption negotiations and diminishes the attacker’s leverage. In a world where multi-extortion has become the norm, rendering exfiltrated data unreadable, preventing access to files, and enabling rapid recovery represent strategic priorities for resilience.
D.AMO’s integrated approach reflects a broader shift in security thinking: fight back against attackers at every stage of an intrusion, not simply at the point of entry. By combining encryption, access control, and recovery into a single platform, organizations gain a cohesive, defendable posture that aligns with the realities of multi-extortion threats.
Want to learn more? Download links are provided to explore how D.AMO works across different deployment scenarios and to compare its capabilities with other approaches.
Sponsored and written by Penta Security