Double Extortion Ransomware: Why SMB Backups Aren't Enough

Published On
June 1, 2026

Your Backups Won't Save You From This Year's Ransomware

For about a decade, the advice to small businesses was simple: keep good backups, and ransomware becomes an inconvenience instead of a catastrophe. Lock your files? Fine. We'll wipe the machines, restore from yesterday, and you get nothing.

That advice is now half right, which is worse than wrong, because it makes people feel safe.

The crews hitting small and midsize businesses in 2026 figured out the same thing the rest of us did: backups defeat encryption. So they stopped relying on encryption alone. The modern playbook is double extortion — steal the data first, then encrypt it. Now your clean backup restores your files but does nothing about the copy already sitting on the attacker's server, the one they'll leak unless you pay.

Late May made the point in public. The extortion group ShinyHunters claimed a haul of roughly 42 million records pulled from a major telecom, with the threat to publish as the lever. No encryption needed to do damage — the theft was the attack. And in a separate incident that disrupted finals week at several universities, attackers hijacked login pages and the FBI later warned victims to expect follow-on extortion attempts. Restoring from backup wouldn't have touched either problem.

What "double extortion" actually means for an SMB

Strip out the jargon. There are now two clocks running during an attack, not one.

The first clock is the old one: your systems are down, and you need them back. Backups handle that.

The second clock is new: your data — client records, financials, employee PII, that shared drive nobody ever cleaned out — is already gone, and the attacker is deciding what to do with it. Pay them and maybe they delete it. Don't, and it ends up on a leak site, in a regulator's inbox, or in the hands of whoever buys it next. Backups do nothing here. Neither does cyber insurance, in a lot of cases, once you read the exfiltration exclusions.

For a 40-person company, the second clock is the one that ends businesses. The downtime is survivable. The breach notification letter to every client you have is the part that doesn't heal.

Why small businesses are the target, not collateral

A persistent myth: "we're too small to be worth it." The economics say the opposite. Attackers aren't hand-picking SMBs anymore — they're running automated tooling that finds exposed systems at scale, and increasingly leaning on AI to move faster from initial access to data theft. Security researchers spent this spring flagging exactly that shift: attacks that are quicker, quieter, and harder to catch because a machine is doing the reconnaissance.

Small businesses are attractive precisely because they assume they're not. Thinner IT coverage, flatter networks where one compromised laptop can reach everything, and the genuine belief that "backups" is a security strategy. That combination is the product attackers are shopping for.

The four things that actually blunt it

If backups only solve one of the two clocks, here's what addresses the other one. None of this is exotic — it's just the stuff that gets skipped.

1. Stop the data from leaving in the first place. You can't extort data you never got out the door. That means watching for unusual outbound transfers, locking down where sensitive files can be copied to, and flagging the bulk-download behavior that almost always precedes a leak. This is the single highest-leverage control, and it's the one most SMBs have nothing for.

2. Segment the network so one foothold isn't the whole company. Most SMB networks are flat — compromise one device and you can reach the file server, the backups, and everything else. Segmentation means an attacker who gets in through a phished invoice doesn't automatically get the customer database. It's the difference between an incident and a catastrophe.

3. Make your backups immutable and offline. Backups still matter, even though they're not the whole answer, but only if the attacker can't reach them. Modern ransomware specifically hunts for and deletes backups before pulling the trigger. Immutable, offsite copies that can't be altered or erased are what keep the first clock from becoming a second crisis.

4. Have a response plan written down before you need it. The worst time to decide who calls the lawyer, who notifies clients, and whether you're legally required to report is at 2 a.m. during the actual breach. A one-page incident plan — who does what, in what order, with what phone numbers — is cheap to write and priceless the day it matters.
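An added example for control 1 above (not part of the original post): it sums each internal host's daily bytes sent to external destinations from a flow summary and flags bulk egress against that host's own baseline. The CSV columns, the 10.0.0.0/8 internal range, and the thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

# Assumption: everything inside 10.0.0.0/8 is "our network"; adjust to your ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow summary: day, source host, destination, bytes sent.
SAMPLE_FLOWS = """day,src,dst,bytes_out
2026-05-25,10.0.1.20,203.0.113.9,40000000
2026-05-26,10.0.1.20,203.0.113.9,55000000
2026-05-27,10.0.1.20,203.0.113.9,45000000
2026-05-28,10.0.1.20,198.51.100.50,3100000000
2026-05-28,10.0.1.20,198.51.100.50,3100000000
2026-05-28,10.0.1.20,10.0.2.5,9000000000
2026-05-25,10.0.1.30,203.0.113.80,2000000000
2026-05-26,10.0.1.30,203.0.113.80,2100000000
2026-05-27,10.0.1.30,203.0.113.80,1900000000
2026-05-28,10.0.1.30,203.0.113.80,2200000000
2026-05-28,10.0.1.40,198.51.100.7,1500000000
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_egress(flow_csv):
    """Sum bytes each internal host sent to external destinations, per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            totals[row["src"]][row["day"]] += int(row["bytes_out"])
    return totals

def flag_bulk_egress(flow_csv, check_day, ratio=10, floor=500_000_000):
    """Return (host, bytes_today, baseline) for hosts whose external egress on
    check_day is >= floor bytes and > ratio x the median of their earlier days.
    A host with no history has baseline 0, so anything over the floor is flagged."""
    alerts = []
    for src, days in sorted(external_egress(flow_csv).items()):
        today = days.get(check_day, 0)
        history = [v for d, v in days.items() if d < check_day]
        baseline = statistics.median(history) if history else 0
        if today >= floor and today > ratio * baseline:
            alerts.append((src, today, baseline))
    return alerts
```

On the sample rows, the workstation that jumps from tens of megabytes to gigabytes and the host with no history are flagged, while the server with a steady 2 GB nightly offsite transfer and the large internal copy are not.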

The honest takeaway

The question worth asking your IT provider this quarter isn't "are our backups working?" It's "if someone copied our data out tonight, would we even know — and what's our plan?" If the answer is a shrug, the gap isn't your backups. It's everything that protects the data before the backup ever comes into play. Double extortion is built to exploit exactly that blind spot, and it's the most common shape ransomware takes against businesses your size right now.

Is your business exfiltration-ready?

At Emry Networks we help small and midsize teams close the gap between "we have backups" and "we're actually protected" — monitoring for data leaving the network, segmenting environments, hardening backups, and building the response plan you hope you never open. Book a security posture review. https://www.emrynetworks.com/contact-us

Frequently asked questions

What is double extortion ransomware? It's a ransomware attack with two stages: the attacker steals (exfiltrates) your data, then encrypts your systems. Even if you restore from backup, they still threaten to leak the stolen copy unless you pay — so traditional backup-only defenses no longer fully protect you.

Don't backups protect against ransomware? Backups protect against the encryption half of the attack — they get your systems running again. They do nothing about data that's already been stolen, which is why backups alone are no longer enough against modern double-extortion ransomware.

Why would attackers target a small business? Because they aren't choosing targets one by one. Automated and increasingly AI-assisted tools scan for exposed systems at scale, and small businesses tend to have flatter networks and lighter security coverage — making them efficient, low-resistance targets.

What's the most important control to add first? Data exfiltration monitoring. If you can detect and stop sensitive data leaving your network, you remove the leverage the entire extortion model depends on.
