Single-extortion is an extortion model in which attackers threaten to publish stolen data unless the victim pays, without necessarily encrypting systems or disrupting operations. The goal is pressure through exposure: if sensitive files, credentials, or customer records are leaked, the organization can face legal, regulatory, reputational, and competitive harm even when services remain online.
This model matters because defenders may miss it if they focus only on ransomware encryption. In real attacks, signs often include unusual authentication activity, suspicious API use, cloud data access, data staging, or large outbound transfers. Defense centers on fast verification, identity log review, endpoint and cloud telemetry, data-loss controls, and limiting access to high-value repositories. If the theft claim is real, the most important question is often not whether files were locked, but whether data was accessed and prepared for publication.
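The verification question above (was data accessed and prepared for publication?) can be worked through by correlating telemetry per identity. The following is an added example, not code from the original page; the event schema, repository prefixes, thresholds, and all sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the page): event schema, repository prefixes, thresholds.
HIGH_VALUE = ("s3://hr-records/", "s3://customer-db-exports/")
WINDOW = timedelta(hours=6)               # how long after first sensitive read to look
MIN_OUTBOUND_BYTES = 500 * 1024 * 1024    # outbound volume treated as a transfer

# Constructed sample telemetry, already normalised from identity, cloud and proxy logs.
EVENTS = [
    ("2024-05-01T01:02:00", "svc-backup", "read", "s3://customer-db-exports/q1.parquet", 900_000_000),
    ("2024-05-01T01:20:00", "svc-backup", "archive", "/tmp/q1.7z", 310_000_000),
    ("2024-05-01T01:45:00", "svc-backup", "outbound", "203.0.113.40:443", 620_000_000),
    ("2024-05-01T09:00:00", "alice", "read", "s3://hr-records/policy.pdf", 200_000),
    ("2024-05-01T09:30:00", "alice", "outbound", "198.51.100.7:443", 40_000_000),
    ("2024-05-01T03:00:00", "bob", "outbound", "198.51.100.9:443", 800_000_000),
]

def assess(events, high_value=HIGH_VALUE, window=WINDOW, min_out=MIN_OUTBOUND_BYTES):
    """Per identity, report how far along access -> staging -> transfer the evidence goes."""
    by_id = defaultdict(list)
    for ts, ident, action, target, size in events:
        by_id[ident].append((datetime.fromisoformat(ts), action, target, size))
    findings = {}
    for ident, rows in by_id.items():
        rows.sort()
        reads = [r for r in rows if r[1] == "read" and r[2].startswith(high_value)]
        if not reads:
            continue  # volume alone, with no sensitive access, does not support a theft claim
        start, end = reads[0][0], reads[0][0] + window  # window opens at first sensitive read
        later = [r for r in rows if start <= r[0] <= end]
        staged = any(r[1] == "archive" for r in later)
        out_bytes = sum(r[3] for r in later if r[1] == "outbound")
        stage = "accessed"
        if staged:
            stage = "staged"
        if out_bytes >= min_out:
            stage = "transferred"
        findings[ident] = {
            "stage": stage,
            "bytes_read": sum(r[3] for r in reads),
            "bytes_out": out_bytes,
            "staged": staged,
        }
    return findings

if __name__ == "__main__":
    for ident, finding in assess(EVENTS).items():
        print(ident, finding)
```

The output ranks identities by how much of the access, staging, and transfer chain is supported by logs, which is the evidence needed to judge whether a publication threat is credible.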



