Single-extortion ransomware (encrypt the data and demand payment for the key) was the model through 2019. Double extortion (also exfiltrate the data and threaten to leak it) became standard around 2020. Triple and quadruple extortion are what operators turn to when even that combination doesn’t get the victim to pay. In 2026, the well-resourced operators stack four or five pressure vectors per incident.
The five vectors operators stack
Encryption. The original lever. Hold operations hostage until paid. Mostly bypassed by good backups and cloud-based recovery in 2026.
Data leak. Threaten to publish exfiltrated data on a leak site. Effective against regulated industries and any company with embarrassing internal communications; less effective against companies with mature comms and legal teams.
Distributed denial of service. While negotiations are underway, knock the victim’s public-facing services offline. Adds revenue loss to the pressure mix and signals capability beyond ransomware. Some operators run their own DDoS infrastructure; others lease.
Customer and partner outreach. Email or call the victim’s customers and business partners directly to inform them of the breach. The reputational damage compounds the leak threat: the news gets out regardless of whether the operator publishes anything publicly.
Regulatory and SEC reporting. The newest vector. Operators file SEC complaints (or threaten to) about public companies that haven’t disclosed the breach within the four-day window required by the 2023 SEC cybersecurity rule. ALPHV pioneered this in late 2023; it’s now a standard tactic.
The pattern across the negotiation
Operators don’t deploy all five at once. They escalate. The pattern we see most often: encryption ransom demand on day one, exfiltration threat on day three when initial negotiations stall, customer outreach by day seven if no progress, DDoS or regulatory threat by day ten. Each escalation is timed to maximise pressure on the stakeholder dynamics inside the victim organisation, so that the CFO is pushing harder for “let’s just pay” by day twelve.
The operators who run this playbook well treat it as a sales process. They have scripts for each escalation. They have specific titles they target outreach to. They know which extortion vectors work in which industries.
Defender response patterns
The good news for defenders is that each additional vector is also a detection opportunity. The customer-outreach phase generates inbound queries from confused customers, so a CRM ticket spike correlates with active extortion. The DDoS phase shows up on edge monitoring. The regulatory-threat phase often comes through an attorney or PR firm before it reaches your CEO.
Build the cross-functional incident-response runbook to expect the escalation. The IR teams that play this well are the ones who pre-coordinate with legal, comms, customer success, and the SEC-disclosure process before an incident, so the operator’s pressure tactics don’t introduce surprise into a process that’s already operational.
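One way to turn the CRM ticket-spike signal described above into a check, as an added example that is not part of the original article. The keyword list, thresholds and ticket data are assumptions constructed for illustration; the function names are hypothetical, and the code expects one entry per calendar day.

```python
import re
from statistics import median

# Assumed keyword list; tune it to the wording your customers actually use.
BREACH_TERMS = re.compile(
    r"\b(breach|hacked|leak(ed)?|ransom(ware)?|stolen data|my data)\b", re.I)

def breach_ticket_counts(tickets):
    """Per-day count of tickets whose subject mentions breach-related terms."""
    counts = {}
    for day, subject in tickets:
        counts.setdefault(day, 0)  # keep quiet days so the baseline stays honest
        if BREACH_TERMS.search(subject):
            counts[day] += 1
    return counts

def spike_days(counts, window=7, threshold=5.0, min_count=3):
    """Flag days far above the trailing-window median (robust z-score via MAD)."""
    days = sorted(counts)  # ISO dates sort chronologically
    flagged = []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[max(0, i - window):i]]
        if len(history) < window:
            continue  # not enough baseline yet
        med = median(history)
        mad = median([abs(x - med) for x in history])
        scale = 1.4826 * mad or 1.0  # flat baseline: fall back to raw difference
        score = (counts[day] - med) / scale
        if counts[day] >= min_count and score >= threshold:
            flagged.append((day, counts[day], round(score, 1)))
    return flagged

# Constructed sample data: (ISO date, ticket subject). Not real tickets.
SAMPLE = []
for d in range(1, 11):
    day = f"2026-03-{d:02d}"
    SAMPLE += [(day, "Invoice question")] * 20
    SAMPLE += [(day, "Is my data safe?")] * (1 if d % 3 == 0 else 0)
SAMPLE += [("2026-03-11", "Got an email saying you were hacked")] * 9
SAMPLE += [("2026-03-11", "Password reset")] * 18
SAMPLE += [("2026-03-12", "Email claims my records were leaked")] * 14

if __name__ == "__main__":
    for day, count, score in spike_days(breach_ticket_counts(SAMPLE)):
        print(f"{day}: {count} breach-related tickets (score {score})")
```

Because the baseline is a median, one or two spike days entering the window do not suppress later alerts; route a flagged day to the IR lead alongside edge-monitoring alerts rather than treating it as a support-queue anomaly.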
The structural takeaway
The escalation arms race is happening because basic ransomware doesn’t get paid often enough anymore. As defender controls (backups, EDR, segmentation) reduced the leverage of encryption alone, operators added vectors. As leak-site fatigue reduced the leverage of data-leak threats alone, they added DDoS. As communications maturity reduced the impact of customer outreach, they added regulatory threat.
The next vector, when it arrives, will be designed to defeat the next defender control. The pattern is predictable. The specific vector is not. Plan for what extortion looks like in 2027, not what it looked like in 2024.
