
Ransomware Doesn't Work on Policy-Bound Data

Ransomware operators figured out years ago that encrypting an enterprise's data is only half the leverage. The other half, and increasingly the more lucrative half, is exfiltrating sensitive records first and threatening to publish them unless a second ransom is paid. This is double extortion, and it is why the "we have good backups" defense has stopped being sufficient. Backups restore the encrypted side of the attack; they do nothing about the publication side. An architecture that wraps data with its own encryption and policy before it ever touches the operator's environment defeats both legs of the attack at once.

The Double-Extortion Playbook

Modern ransomware operations follow a predictable sequence: initial access through phishing, exposed RDP, or supply chain compromise; lateral movement across the network using stolen credentials and known privilege-escalation paths; discovery and identification of high-value data; exfiltration to attacker-controlled infrastructure over days or weeks; encryption of the production environment to maximize operational pressure; and finally the ransom demand, with proof of exfiltration and a public leak site as enforcement.

CISA's #StopRansomware advisory series tracked sustained double-extortion activity by LockBit, BlackCat/ALPHV, Akira, and Royal across 2023 and 2024, with operators continuing public extortion against victims who refused to pay even after the encrypted environments had been fully restored from backup. The FBI's Internet Crime Complaint Center (IC3) 2023 report logged 2,825 ransomware complaints with reported losses exceeding $59 million, a figure that undercounts actual cost because most negotiated payments are not reported. Sophos's State of Ransomware 2024 found the average ransom payment had risen to $2 million, with full recovery costs averaging $2.73 million per incident.

Each stage of the operation depends on a specific exposure. Initial access depends on credential reuse or an unpatched perimeter. Lateral movement depends on flat trust boundaries inside the network. Exfiltration depends on data being readable in transit and at rest. Encryption depends on the operator having write access to the storage layer. Public extortion depends on the exfiltrated data being decryptable in attacker hands.

Where Backups Help, and Where They Stop Helping

A solid backup program restores availability. Immutable backups, offline copies, and tested restoration procedures are necessary controls and they remain necessary. They do nothing for confidentiality. Any data that left the network during the exfiltration phase is already outside the operator's control, and the operator knows it.

The double-extortion model targets exactly this gap. The ransomware operator's leverage is not "you cannot run your business" but "we will publish your customer records, your engineering files, your financial statements." CISA's advisories on the major 2024 ransomware groups consistently flag this as the dominant extortion lever. The defensive logic that ends with backups is incomplete, because backups never address the published side of the attack.

An architecture that wraps data with its own encryption and policy before it ever touches the operator's environment defeats both legs of the attack at once. The operator can still encrypt the environment, but that encryption gains nothing beyond the availability loss that backups already address, because the data was encrypted before the operator arrived. The operator can still exfiltrate, but the exfiltration captures ciphertext.

Encrypted Policy-Bound Data as a Defensive Layer

If the exfiltrated data is wrapped in cryptographic enforcement at the object layer, the operator captures ciphertext. Publishing ciphertext is not a credible extortion threat. The business case for the second ransom evaporates.

The architecture that produces this property is data-centric zero trust: every data object carries its own encryption key and policy. The policy decision point (PDP) releases the wrapping key only when the requesting principal's attributes match the object's classification. An operator running a stolen credential or a compromised service account does not carry the attributes the PDP requires, so the read returns ciphertext. The enforcement is fail-closed.

Lattix Technologies implements this with attribute-based access control (ABAC) at the policy enforcement point (PEP), post-quantum key encapsulation through ML-KEM-768 or ML-KEM-1024, and Merkle-tree lineage in tamper-evident audit storage. The exfiltration phase still happens, but the operator collects ciphertext bytes. The encryption phase still happens locally, but the operator encrypts an environment full of objects that were already encrypted. Neither phase produces the leverage the ransom demands.

What Still Has to Happen

Data-centric security is not a substitute for endpoint detection, network segmentation, or identity hygiene. It is the layer that makes the other layers' failures recoverable. Endpoint detection still has to detect the initial access. Network segmentation still has to slow lateral movement. Identity controls still have to limit credential abuse. What changes is what happens when those controls fail.

In a perimeter-centric architecture, an EDR miss means the operator reaches the data; a segmentation miss means the operator reads the data; an identity miss means the operator authenticates as a privileged user and exfiltrates the data in cleartext. In a data-centric architecture, every one of those misses still produces ciphertext at the operator's exfiltration endpoint. The recovery path is shorter and the public extortion lever is gone.

The property is additive, not substitutive. Existing controls remain in place. The data layer adds the property that the other layers' failures are recoverable, which is the property that determines what a failure costs.

Operational Considerations

Performance overhead is the standard concern. Modern object-level encryption with AES-256 and ML-KEM key encapsulation runs at sub-millisecond per-request overhead for the policy evaluation and key release. Bulk operations amortize the policy evaluation across many records. The cost is real but bounded, and it sits well below the cost of a successful ransomware response.

Legitimate external sharing requires explicit policy paths. The architecture has to support partner access, regulator submissions, and audit pulls without creating carve-outs that ransomware operators can exploit. The policy engine handles this by evaluating the same ABAC expression for every request, internal or external, and accepting external requests only when the requesting principal carries the matching attributes.

Re-keying strategy is the third operational lever. Compromised wrapping keys must be rotatable without re-encrypting every object. Lattix supports this through key wrapping at the object layer: rotating a key authority changes the wrapping path without touching the ciphertext. Operators who captured ciphertext under the old key still hold ciphertext that no one can decrypt with the new key.

The Lattix Position

A fully deployed Lattix posture composes three capabilities into a ransomware-resistant architecture. Cryptographic policy enforcement at the PEP binds policy to the data object, so exfiltrated records remain ciphertext to anyone outside the policy. The data-centric zero trust architecture routes every request through the policy enforcement point regardless of network position. Merkle-tree lineage captures every read and write event in tamper-evident audit, so the post-incident question shifts from "what did the attacker see" to "what objects did the principal request, and which decrypted."

Organizations that already have EDR, network segmentation, and identity hygiene still need the data layer because those controls fail occasionally and the data layer is what determines what failure costs. The architecture is additive: existing controls remain in place; the data layer adds the property that the other layers' failures are recoverable. That property is the one ransomware operators built their business model around exploiting, and it is the one they cannot work around with double extortion.