Quadruple Extortion: Ransomware’s “So, what” and “What Next?”

8–11–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, August 11, 2025, and the dog days of summer are definitely here in the Pacific Northwest, and it looks like other places as well. Quiet for many of our European colleagues, who remain significantly better at using their PTO than we do here in the states.

Quadruple Extortion: The “So, what” and “What Next?”

A new set of research from Akamai covers the changing techniques being used by ransomware groups in what they’re now calling “Quadruple Extortion” - so I think it’s worth spending some time to look at the evolution that got us to this point, and then build defenses against these latest techniques.

I’ve included the link to the full report, but want to highlight how they lay out the various stages of extortion techniques:

  • Single extortion, or how it all started, harkens back to simpler times when ransomware actors would breach a target, encrypt the data, and demand a ransom to decrypt it. This quickly evolved into a Double Extortion approach for the sole reason that it generates more revenue for the attackers.

  • Double Extortion, of course, is where threat actors actively steal data and threaten to expose that exfiltrated data if ransoms aren’t paid - effectively allowing them to collect ransoms twice (once to not leak, and once to decrypt).

  • Triple Extortion happens when ransomware gangs take the above techniques and add a Distributed Denial of Service (or DDoS) attack, adding extra operational pressure when a business is reeling from their initial exfiltration and encryption.

  • Finally, Quadruple Extortion adds another layer: threat actors actively send messages to partners, customers, executives, and others, adding social pressure to pay ransoms to prevent data exposure.

Akamai notes that they have witnessed groups such as ALPHV/BlackCat, Cl0P, and Lockbit 3.0 all use this quadruple extortion technique in the wild.

They also have some good numbers around frequency - noting that in February 2025 (just a few months ago), Cl0P claimed credit for 385 attacks in less than a month.

One thing that is absolutely clear from this report is the fact that threat actors are evolving, they’re scaling, and they’re using AI and other tools to do it.

Even this morning, threat intelligence firm ZeroFox had coverage of ransomware group DragonForce announcing some “updates” to their product on Russian-speaking darkweb forums. This Ransomware-as-a-Service platform has been active since April 2025, and has been noted in the high-profile Marks & Spencer breach in the UK, amongst others.

So where do we go from here as defenders?

I think a couple of things are worth noting. First, if you’ve been hoping for ransomware to be a waning threat, I think that’s waiting in vain and you should get in gear instead. It’s here, it’s not going away, and in fact it’s finding ways to scale not only the velocity and volume of attacks, but also the pressure applied through their various attack vectors.

We need to be thinking about ways to prevent, detect, respond, and recover from events like this. It’s got to be comprehensive, looking at data, endpoints, network, and identities. We need to be able to manage our people and our machines, apply updates and understand baseline activities, and take every hardening step that we can.

The report includes a couple of projections from a Cybersecurity Ventures report (vested interest, obviously), suggesting that global ransomware costs in 2025 will total $57B, heading to $276B by 2031 - or more than $5B/week. Even if those 2031 numbers are inflated by 100%, that’s still a tremendous impact that’s more than worth mitigating.

The attackers are continuing to evolve. Is your security program?

Fundraising

From a fundraising perspective, we saw more than $17B in newly committed capital, including Carlyle putting up $9B for their 10th U.S. opportunistic real estate fund.

Over in IPO land, Figma seems to have fallen back to earth, with Bloomberg noting the following:

“Figma’s 250% first-day pop was the largest in at least three decades for a US-listed company that raised more than $1 billion, data compiled by Bloomberg show. After further gains last week that lifted the stock to more than quadruple the price IPO buyers paid, Figma is now trading at around $80, down from a peak of $142.92 on Aug. 1.”

For those counting at home - that’s about $21B wiped off the board (or about a month of projected ransomware impact in 2031).

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.helpnetsecurity.com/2025/08/05/ransomware-extortion-tactics-quadruple-extortion/

https://www.akamai.com/site/en/documents/state-of-the-internet/2025/ransomware-trends-2025.pdf

https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/

https://cybersecurityventures.com/wp-content/uploads/2023/11/RansomwareCost.pdf

https://finance.yahoo.com/news/figma-21-billion-drop-returns-195754034.html
