Plaintext with Rich

Ransomware and Double Extortion: Why Backups Alone Don't Save You Anymore

Rich Greene Season 1 Episode 10

You don't get locked out first. You get watched. Someone maps your systems quietly, copies your data quietly, and waits until they're sure you can't avoid the conversation. Only then do the screens go dark.

This episode breaks down how ransomware actually works today and why double extortion changed the stakes completely. It explains how modern ransomware operations move slowly at first, stealing credentials and exploring systems before copying data and triggering encryption. The real leverage isn't locked files, it's the threat of publishing what was already taken. The episode walks through the most common entry points (phishing, reused credentials, unpatched remote access, over-privileged vendors), why ransomware crews now operate like supply chain businesses, and what to do during an incident. The starter kit covers immutable backups, multi-factor authentication, fast patching of internet-facing systems, administrative sprawl reduction, network segmentation, endpoint detection, credential hygiene, and building a one-page incident response plan.

Whether you're a small business owner who thinks you're too small to be targeted or a leader who needs to understand why backups alone no longer solve the problem, Plaintext with Rich lays out the new reality.

Is there a topic/term you want me to discuss next? Text me!!

YouTube more your speed? → https://links.sith2.com/YouTube  
Apple Podcasts your usual stop? → https://links.sith2.com/Apple  
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify  
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog  
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord  
Follow the human behind the microphone → https://links.sith2.com/linkedin  
Need another way to reach me? That’s here → https://linktr.ee/rich.greene

From Lockouts To Leverage

SPEAKER_00

You don't get locked out first. You get watched. Someone maps your systems quietly, copies your data quietly, waits until they're sure you can't avoid the conversation. And only then do the screens go dark. Not to get your attention, but to force a decision. Welcome to Plain Text with Rich. Today we're breaking down ransomware and something that changed the stakes completely, double extortion.

Let's start by grounding the word itself. Ransomware in plain text is when attackers break into a system, lock the data so you can't use it, and demand something to unlock it. Money, Bitcoin, something, right? That's the original model. Access held hostage. But that description is now incomplete because modern ransomware rarely starts with encryption. It starts with access. And it rarely ends with files being locked. It ends with leverage. That shift is what makes this topic actually matter.

Early ransomware was blunt. Encrypt fast, demand payment, hope the victim didn't have backups. Today's ransomware operations behave differently. They move slowly at first. They steal credentials, they explore systems, they figure out what matters most. Then they copy the data. Only after that do they trigger some type of encryption. But why? Because encryption can be undone with backups. Stolen data can't. And that's where double extortion comes into play.

Now, double extortion means the attacker applies pressure in two directions at once. They first come at you, hey, pay us, or you don't get your systems back. And then secondly, pay us or we publish what we already took. Or even worse, in some cases, they report you to regulatory bodies. And this is things like customer data, contracts, emails, HR files, source code. Sometimes they add more pressure. Again, contacting customers directly, notifying partners, posting samples publicly to prove they're serious. At that point, ransomware stops being a technical problem and it becomes an operational crisis. It can be a potential legal problem, a communications problem, and sometimes a business survival problem.

So how does an organization end up here? Well, not through one magical exploit, I can tell you that. Ransomware succeeds because access paths pile up. The most common entry points, as with most things, are boring. Phishing that steals credentials, passwords reused from old breaches, remote access exposed to the internet without strong authentication, VPNs and appliances that weren't patched quickly, third-party vendors that had broader access than they needed. Notice the pattern. Ransomware isn't about brilliance, it's about patience. Attackers try doors until one opens. And once they're in, they don't rush. They escalate privileges, they disable defenses, they look for backups because deleting backups before encryption increases their leverage. That's why modern ransomware crews operate like actual businesses. Different groups specialize in different steps. Some focus on the initial access, some build the malware, some negotiate, some handle payments. It's not chaos. It's honestly a supply chain crime.

Which brings us to the most important question: what actually helps us here? Not fear, not perfection, you bet it's design. Here's our plaintext ransomware starter kit, right? I'd say ordered by impact. Again, I would focus on these.

First, backups that attackers can't touch. Three copies of critical data, two different storage types, one copy offline, or immutable. Immutable simply means it cannot be altered or edited. And test restores. Untested backups are a story that you tell yourself. You don't want those. You never want to rely on hope.

Second, as always, multi-factor authentication on everything that actually matters. Again, email, remote access, admin accounts. Stolen passwords should not be enough to simply walk into your network.

Third, patch internet-facing systems fast, your VPNs, remote access tools, firewalls, email gateways. These are your front doors. They don't get "eventually," they get "right now."

Fourth, reduce administrative sprawl. Not everyone needs admin rights. Most people need them never. One compromised admin account should not equal total control.

Fifth, segment our networks. Ransomware spreads laterally. If one machine can see everything, well then one infection can hit everything. Segmentation limits our blast radius.

Those five steps alone eliminate a massive percentage of real-world ransomware cases. As always, if you can go further, I would throw these on you. Endpoint detection to spot abnormal behavior early, credential hygiene with password managers, and separate admin accounts, monitoring for unusual logins and privilege changes, and a simple incident response plan. Not a binder, page or two. Who decides? Who calls legal? Who talks to customers? Who shuts systems down? You don't want to invent this during an attack.

Now let's talk about the moment nobody wants. What do you do during a ransomware incident? Hey, plain text, act deliberately, not emotionally. Isolate affected systems quickly to stop spread. Preserve evidence so you can understand what happened. Bring in experienced responders early. Determine what was accessed and what was taken. Communicate with one voice and verified facts. And yes, involve legal early. Data theft changes obligations.

The question everyone asks comes next. Should we pay? And there is no universal answer here. Paying does not guarantee decryption. It does not guarantee silence. It can increase future targeting. But some organizations pay when they believe it's the least harmful option to protect people or keep essential services running. That's why preparation matters more than judgment calls. If your backups work, your access controls are strong, and your network is segmented, you're far less likely to face a pay-or-collapse decision. The best ransomware negotiation is the one you never need.

Let's try to clear up a few myths, shall we? Myth number one, we're too small to be targeted. The reality, small organizations are targeted constantly because defenses are lighter. Myth number two, antivirus will stop ransomware. Hey, the reality behind this, ransomware is a campaign, not a file. Myth number three, backups solve everything. The reality there is backups handle encryption, not data leaks. Double extortion changed the rules here. All right, so that's not always the case. Now, tested backups do provide you a far greater defense.

All right. So let's put this all in plain text for us. Ransomware today is about leverage, not locks. Double extortion adds reputational and potential legal pressure to technical disruption. Our good security design assumes attackers get in sometimes. The goal is to limit how far they go and how much damage they can cause. If you take one thing away from this episode, please take this away. Backups buy you recovery, access controls buy prevention, segmentation buys containment, preparation buys options. That's how you reduce both the odds and the impact.

Now, if there's a security topic that you want broken down in plain text, please send it my way. Email, DMs, comments, however you choose to reach out to me, I will read, I will respond to. If this episode helped, I would ask you to please share it with someone who'd actually benefit. This has been Plain Text with Rich. 10 minutes or less, one topic, no panic. I'll see you next time.