What is extortionware?


Extortionware is the latest stage in the evolution of ransomware. No longer content with simply encrypting a victim’s files, threat actors are increasingly using ransomware incidents as an opportunity to steal huge swathes of sensitive data, which is then used as leverage in high-stakes extortion attempts.

In this blog post, we’ll go over the different types of extortionware, how extortionware has quickly become the norm among ransomware groups and why prevention – rather than reaction – is imperative when dealing with extortionware.

What is extortionware?

Extortionware is a form of cyberattack in which threat actors threaten to harm a target in some way if their demands are not met. Extortionware attacks tend to be highly targeted and typically impact industries that deal with sensitive or high-value data, including the medical, financial and educational sectors.

There are a few different types of extortionware, including:

Why do attackers use extortionware?

Extortionware is typically financially motivated. Victims of extortionware are usually extorted for money, and payments are made almost exclusively in cryptocurrency, which is faster and more anonymous than fiat currencies.

While cyber extortion is not a new concept, it has become increasingly popular among ransomware groups in recent years as threat actors look for new strategies to apply additional pressure to victims.

The rise of extortionware ransomware

The Maze ransomware gang was the first to incorporate extortionware into the ransomware business model. In late 2019, Maze published almost 700 MB of data stolen during a ransomware attack on security services company Allied Universal and announced that more data would follow if the company refused to pay the 300 bitcoin ransom. Data theft and extortionware quickly became standard practice, with dozens of other ransomware groups adopting similar tactics over the course of 2020.

What makes extortionware so valuable for ransomware groups? It mostly comes down to leverage.

Traditional ransomware – that is, malware that encrypts files and does nothing more – can largely be mitigated with an effective backup strategy. While a successful attack is undeniably disruptive, it usually isn’t financially crippling, and victims can often restore their systems relatively easily and get back to business without paying for decryption.

Data theft and extortionware nullify the effectiveness of backups. Regardless of whether the victim can recover their encrypted files from backups, threat actors will always have a copy of the stolen data to use as leverage. The stolen data can be published on the web, sold to other cybercriminals or leaked to industry competitors, which can each lead to enormous reputational damage, loss of business and potential litigation.

Consequently, the victims of ransomware extortionware face enormous pressure to pay the ransom in order to not only decrypt their files but, more importantly, also stop the release of sensitive information. We have even seen some ransomware groups use extortionware as a way to double down on their chances of a payout, demanding one payment for decryption and another for the non-release of stolen data.

What’s the difference between ransomware and extortionware?

While “extortionware” is often used to describe modern ransomware attacks that include a data theft component, we believe that this definition is an imperfect one. The suffix “ware” implies a product, whereas data theft is more of an action – and one which can be accomplished in any number of ways.

So, while “extortionware” is sometimes used interchangeably with “ransomware”, there are some important differences between the two terms.

Prevention is key to stopping extortionware

While a robust backup strategy is an important part of any cybersecurity strategy, the threat of a data leak ultimately makes backups and other disaster recovery tools ineffective for combating extortionware. Instead, organizations must strengthen their perimeters and focus on preventing the initial compromise.

The following best practices may help prevent or limit the impact of extortionware:

Emsisoft Business Security, which features a dedicated anti-ransomware component, is an excellent option for small and medium-sized businesses looking for a reliable cybersecurity solution.


Extortionware is a type of cyberattack in which malicious actors threaten to harm a target unless their demands are met. Increasingly, ransomware groups are using extortionware to nullify backups and as leverage to coerce victims into paying. The only way to truly stop extortionware is to prevent the initial compromise.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial




Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next