Dual extortion ransomware: what boards must decide before the ransom note
Dual extortion both encrypts and steals data, then threatens to leak it. Here are the decisions a board should be ready to make, and why they rest on verified scope, not the attacker's claims.
Modern ransomware rarely just encrypts. It steals the data first, then threatens to publish it. That second lever, dual extortion, changes the calculus for a board, because paying for a decryption key does nothing about stolen data that is already gone.
What dual extortion is
The attacker exfiltrates sensitive data, then encrypts systems, then demands payment under two threats: stay down, and we leak what we took. In a hospital the stakes are patient safety and regulated health data at the same time. The technical event is a business and legal event from the first hour.
The decisions a board should pre-stage
Whether to pay, knowing that payment does not guarantee deletion of the stolen data, does not undo the breach, and may fund a sanctioned entity, which carries its own legal exposure. Notification obligations, which for health data run on defined regulatory clocks and are triggered by the type of data exposed, not by whether a ransom was paid. Continuity and patient safety, including the threshold at which clinical and administrative systems fail over to manual processes. And engagement of counsel and law enforcement, early, so the investigation runs under privilege and with coordination from the start.
The trap: deciding on the attacker’s numbers
The extortion note is a sales document, not evidence: the attacker's claims about what was taken are unverified and often inflated. The first thirty minutes are for standing up incident command, engaging counsel, and establishing from your own evidence (logs, egress records, file access trails) what was actually exfiltrated, not for a rushed ransom decision. Both your notification duties and your negotiation posture depend on that verified scope.
What good looks like
A board that has already discussed these questions makes calmer, faster, more defensible decisions under pressure. The worst time to first consider whether you would ever pay is while the clock is running.
Practice it
We built a healthcare dual-extortion scenario in GraphLattice Range so leadership can rehearse these decisions before an incident forces them.