Monday 16 Jun 2025

This article first appeared in Digital Edge, The Edge Malaysia Weekly on May 12, 2025 - May 18, 2025

Ransomware continues to loom as a significant threat to enterprises, evolving in sophistication and scale. In Ensign InfoSecurity’s 2024 Cyberthreat Landscape Report, ransomware-as-a-service (RaaS) emerged as the most common cybercrime model, as the lack of any permanent solution introduced more challenges for law enforcement authorities. In Malaysia, ransomware incidents surged by 53% in just one quarter, rising from 17 to 26 reported cases, according to MyCERT’s Q2 2024 report.

The impact of this surge is not just theoretical. Real-world cases illustrate how ransomware disrupts critical infrastructure and services. One of the most high-profile attacks targeted public transport operator Prasarana Malaysia Bhd. Additionally, in August 2024, the RansomHub ransomware group infiltrated Prasarana’s internal systems, compromising more than 300GB of sensitive data.

As things stand, ransomware is evolving to go beyond encrypting critical files. Attackers are adopting a tactic known as “double extortion”, threatening to leak the stolen information unless their ransom demands are met. This exemplifies the rise of a worrying trend, where ransomware is no longer just about blocking access to data but about using stolen information as leverage.

Rise of double extortion

This shift towards double extortion is a defining feature of today’s RaaS landscape. Traditionally, ransomware attacks involved encrypting a victim’s data and demanding payment for the decryption key. However, 2023 marked a clear shift toward more aggressive extortion tactics. “Double extortion” has now become the preferred approach, where attackers first exfiltrate sensitive data and filter out information that can be used for blackmail. Following this, they threaten to publicly release this data, adding reputational damage and regulatory scrutiny to the immediate operational disruption.

This technique has become widespread on an alarming scale, with 81% of ransomware incidents in 2023 involving double extortion. Its effectiveness lies in its ability to increase pressure on victims. Some cybercriminals have escalated further, deploying “triple/multi-extortion” tactics by threatening additional attacks such as distributed denial-of-service disruptions or direct harassment of customers and employees. According to Semperis, 74% of organisations targeted by ransomware faced multiple attacks within the same year, demonstrating how a single breach can open the door to repeated exploitation.

Shame tactics

Beyond financial demands, ransomware groups have become practised at psychological warfare, using shame and fear to coerce victims into paying ransom. One of their most effective tactics is weaponising regulatory requirements. Many countries have strict data breach disclosure laws, which require organisations to report cyber incidents within a set time frame. Attackers exploit this by threatening to leak stolen data, knowing that companies may face large fines and legal trouble if a breach becomes public. A notable example is the ransomware group ALPHV, which took matters into its own hands by reporting its victim MeridianLink to the US Securities and Exchange Commission for failing to disclose the attack within the required four days.

The damage does not stop at legal consequences. Cybercriminals have also resorted to doxxing and direct public humiliation to increase pressure to pay. Some ransomware groups contact journalists, customers or business partners to expose the breach and damage the victim’s reputation. In more extreme cases, they release samples of stolen data on social media, sometimes including personal details of executives to further intimidate them. One example is the Ragnar Locker ransomware group which, in an unprecedented move, purchased Facebook ads using stolen credentials to publicise their attack and ensure the victim’s embarrassment was a widely known public spectacle.

How should organisations respond?

While paying a ransom may seem like the quickest way to regain control after an attack, it is often ill-advised. Cybercriminals track organisations that have previously paid ransoms as prime targets for future extortion. Additionally, in many cases, attackers fail to fully restore access or return with new demands even after payment.

Instead of reactive payouts, organisations must consider endemic defences. This begins with well-tested backup restoration processes. Regular backups alone are insufficient. Organisations must ensure they can swiftly restore systems with minimal disruption.

Prioritisation is also crucial. Companies should identify and fortify their “crown jewels”, or the most critical assets within their infrastructure, using layered security controls that can help detect and neutralise threats before they escalate.

Security awareness remains an essential component of risk mitigation. Despite common misconceptions, most cyberattacks originate from phishing attempts, making employee training crucial in the line of defence. Regular security audits can identify vulnerabilities, ensuring that defences remain effective against evolving threats.

The governments of Singapore and Malaysia are expected to introduce further regulations to combat the rising threat of ransomware extortion. Organisations should proactively align with these evolving guidelines and seek expert guidance when necessary.

However, regulatory measures alone cannot eradicate ransomware threats, as cybercriminal groups frequently rebrand and resurface with new identities. A multi-pronged approach — including stronger policy enforcement, private-sector collaboration and international cybercrime crackdowns — is essential to dismantle these operations at their core.


Jeremy Moke is director of the Ensign Security Operations Centre at cybersecurity firm Ensign InfoSecurity.
