How extortionware, cyberextortion and ransomware differ
Prevention is the only line of defense against an extortionware attack. Learn how extortionware works and why it can be more damaging than ransomware.
All businesses process, store and transmit customer, partner and company data. This data ranges from internal documents to price lists to HR notes on employee behavior. If released to the public, however, this information could cause tremendous embarrassment and potential legal troubles for an organization.
The confidentiality and importance of such data make it a ripe target for threat actors looking to extort money from their victims.
Let's look at extortionware and ransomware and see how they fit into the larger cyberextortion picture.
How does extortionware work?
In most cases, extortionware uses traditional malware to infiltrate a company's digital resources. Once access is gained, the victim's data is stolen and analyzed to identify information that can be used against them. Cybercriminals then contact the victim and threaten to release sensitive, embarrassing or otherwise valuable information to the public unless the victim meets the criminals' demands. Typically, the demands are monetary in nature and involve the transfer of cryptocurrency.
How does ransomware work?
Ransomware is malware that locks and encrypts a victim's digital resources, ranging from select data to the entire computer system, making them inaccessible until a ransom payment is made to the attacker. Ransomware is usually distributed through an infected attachment or malicious link.
Once ransomware has infected a user's system, cybercriminals search for files containing sensitive data, such as personally identifiable information, financial data and health records. Users are then contacted by the attacker and made to pay a ransom to receive a decryption key to decrypt their files or to regain access to their system.
This article is part of
What is ransomware? Definition and complete guide
Comparing extortionware vs. ransomware vs. cyberextortion
Extortionware and ransomware both fall into the category of cyberextortion crimes. As an umbrella term, cyberextortion covers a range of malicious activities to blackmail an organization or a specific person. Cyberextortion can take a variety of forms, including DDoS attacks, doxing, extortionware and ransomware.
Extortionware might sound a bit like ransomware, and it is. Both ransomware and extortionware access and exfiltrate company data, usually with the intent of making money off the company from which it was stolen.
Unlike ransomware, which forces the business to either pay up or lose access to the stolen data, extortionists threaten to publicly release the collected information. This often pressures the business to comply, which increases the likelihood that the victim will adhere to the extortion demands.
Ransomware variants, however, include extortionware features. Double extortion ransomware, for example, is when a malicious actor encrypts or locks access to systems and also threatens to release data stolen during the attack.
How risky is cyberextortion?
A business that takes steps to protect its backups can mitigate the dangers of cyberextortion. With ransomware, for example, clean backups make it possible for an organization to restore data that attackers have encrypted.
Those offline backups prove worthless, however, when cybercriminals threaten to release data rather than delete it. As such, the only way to combat extortionware is to prevent it from happening in the first place. This distinction makes extortionware a greater threat than ransomware.
Despite the risk, ransomware remains far more common than extortionware.
The reason is simple: Extortionware takes more effort. Hackers can automate ransomware and cast a wide victim net. In some cases, cybercriminals even outsource part of the process. Extortionware, however, requires a more targeted approach. Extra effort and more time are needed to review stolen content to determine if any of the information can be used for extortion purposes. Thus, extortionists usually do their homework before attacking to ensure a target is worth the effort. All this means that an extortionware attempt is much more complicated to perpetrate than a ransomware attack.
How to prevent cyberextortion
Ransomware prevention best practices also apply to preventing extortionware. Cyberextortion prevention measures include the following:
- Installing antimalware.
- Conducting user cybersecurity training and ransomware-specific training so that employees know their responsibilities
- Following a defense-in-depth security program.
- Keeping systems and software current with patches.
Ransomware is the more common form of cyberextortion, but extortionware can cause damage well beyond the financial loss from paying a ransom.
Editor's note: This article was updated in July 2025 to add additional information.
Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.
