
Ransomware gangs shift tactics to pure data theft as extortion attacks evolve

Security operations center monitors ransomware alert. Photo by CDC on Unsplash.

Ransomware attacks are changing character. Criminal gangs are increasingly skipping file encryption and instead going straight for data theft, betting that the threat of public leaks is more lucrative than locking systems.

This shift affects how organisations should defend themselves. Backups alone are no longer enough, and incident response plans need to account for privacy, regulatory risk and reputational fallout after a data leak.

From locked screens to data leak sites

Traditional ransomware attacks followed a familiar pattern: intruders gained access, encrypted critical files and demanded payment for a decryption key. Over the past few years, most major groups added a second step, threatening to publish stolen data if victims refused to pay.

Now a growing share of attacks are dropping encryption entirely. Gangs break in, quietly exfiltrate large data sets and then contact victims with a simple message: pay for silence or see your information exposed on a leak site or sold to other criminals.

Why criminals are moving away from encryption

Several trends are pushing attackers toward pure extortion. First, more organisations have invested in backup and recovery plans after high-profile ransomware incidents. When recovery is possible, the leverage of encryption is weaker and payouts are less predictable.

Encryption itself also carries risk for criminals. Deploying ransomware widely across a network is noisy, often triggers security alarms and can draw law enforcement attention. Data theft can be stealthier, with attackers remaining present for longer and stealing more valuable information.

The rise of multi-layered extortion

Data-theft-only attacks give gangs more opportunities to pressure victims. They might first demand payment to prevent publication, then threaten to contact affected customers or partners if negotiations stall. Some groups have begun calling executives directly or sending messages to board members and media outlets.

A single intrusion can therefore support multiple revenue streams: initial extortion, sale of data to identity thieves, and reuse of credentials or internal documents in later attacks against suppliers and customers. This layered approach makes each breach more profitable, which in turn attracts more skilled actors into the market.

What this means for backups and disaster recovery

For years, the standard advice on ransomware resilience has focused on backup strategies. Regular, offline backups still matter and can significantly reduce downtime after an incident. But against data-theft-only attacks, backups do not reduce the attacker’s leverage: restoring systems does nothing to recover data that has already been copied out.

Organisations need to treat backups as one element of a broader resilience plan, not the central defence. Even if systems can be restored quickly, leaders must assume that sensitive data might already be in criminal hands and plan their next steps accordingly.

Industries under particular pressure

Any organisation that stores personal or confidential data is a potential target, but some sectors face disproportionate risk from leak-driven extortion. Healthcare providers, for example, hold highly sensitive medical records that patients expect to remain private for life.

Law firms, financial services companies, engineering firms and manufacturers with trade secrets are also attractive. In these environments, a leak can harm clients across many countries, trigger regulatory investigations and erode trust built over decades.

Defensive priorities in the age of data-theft ransomware

Data center server racks cybersecurity. Photo by imgix on Unsplash.

Defending against this new wave of attacks overlaps with classic cybersecurity hygiene, but there are specific priorities that matter more when data exfiltration is the main goal. The first is limiting intruders’ ability to move laterally and reach large data stores.

Network segmentation, strict access controls and the principle of least privilege can significantly reduce the volume of data exposed in a breach. If a single compromised account cannot see everything, attackers are forced to work harder and longer to collect meaningful information, which increases the chance of detection.

Monitoring for quiet data exfiltration

Security teams should look beyond malware signatures and focus on behaviours that suggest data theft. These include unusual database queries, large transfers from internal file servers to unfamiliar destinations and atypical use of remote access tools.

Data loss prevention tools, cloud access monitoring and carefully tuned alerts for anomalous network activity can help. While such systems cannot stop every exfiltration attempt, they can shorten the time between initial compromise and detection, reducing the amount of data that leaves the network.
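As an added illustration of the behavioural monitoring described above (this is example code written for this page, not a product or tool the article mentions), the script below runs two simple exfiltration rules over constructed flow-style log lines: an outbound volume rule that compares each host’s external traffic with an assumed per-host daily baseline, and a destination rule that flags any unapproved external address receiving more than a fixed amount of data. The log lines, baselines, allowlist and thresholds are all made-up assumptions for the example.

```python
"""Toy exfiltration detector over flow-style logs.

Added example for this page; not from the article or any vendor tool.
Each log line has the (assumed) shape:
    <iso-timestamp> <src_host> <user> <dst_ip>:<dst_port> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed sample log: a file server (fs01) and a workstation over one day.
# The late-night multi-gigabyte transfers from fs01 are the "quiet exfiltration".
SAMPLE_LOG = """\
2024-05-01T09:12:03 fs01 svc_backup 10.20.0.9:445 104857600
2024-05-01T10:05:41 ws-jsmith jsmith 142.250.74.36:443 2097152
2024-05-01T11:30:00 fs01 svc_backup 10.20.0.9:445 209715200
2024-05-01T23:14:09 fs01 jsmith 185.199.110.10:443 1610612736
2024-05-01T23:41:52 fs01 jsmith 185.199.110.10:443 2147483648
2024-05-01T02:03:17 ws-jsmith jsmith 203.0.113.77:22 734003200
"""

# Assumed per-host baseline: typical daily outbound bytes to external destinations.
BASELINE_EXTERNAL_BYTES = {"fs01": 50 * 1024**2, "ws-jsmith": 300 * 1024**2}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
APPROVED_EXTERNAL = {"142.250.74.36"}   # assumed sanctioned SaaS endpoint
RATIO_THRESHOLD = 5.0                    # alert when external volume exceeds 5x baseline
NEW_DEST_BYTES = 500 * 1024**2           # alert when an unapproved destination gets >500 MiB


class Alert(NamedTuple):
    host: str
    rule: str          # "volume" or "new_destination"
    dest: str          # destination IP, or "*" for aggregate volume alerts
    bytes_out: int
    off_hours: bool    # True if any contributing flow happened between 22:00 and 06:00


def parse_line(line: str) -> dict:
    ts, host, user, dst, nbytes = line.split()
    ip, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "dst_ip": ip, "dst_port": int(port), "bytes": int(nbytes)}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_off_hours(ts: datetime) -> bool:
    return ts.hour >= 22 or ts.hour < 6


def detect(log_text: str, baseline: dict = BASELINE_EXTERNAL_BYTES) -> list:
    external = defaultdict(int)      # host -> total bytes to external destinations
    per_dest = defaultdict(int)      # (host, dst_ip) -> bytes to an unapproved destination
    off_hours = defaultdict(bool)    # host or (host, dst_ip) -> any off-hours flow seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_internal(rec["dst_ip"]):
            continue   # east-west traffic is out of scope for these two rules
        host, dst = rec["host"], rec["dst_ip"]
        external[host] += rec["bytes"]
        off_hours[host] |= is_off_hours(rec["ts"])
        if dst not in APPROVED_EXTERNAL:
            per_dest[(host, dst)] += rec["bytes"]
            off_hours[(host, dst)] |= is_off_hours(rec["ts"])

    alerts = []
    for host, total in external.items():
        base = baseline.get(host)
        # A host with no baseline is unknown; any external volume from it is flagged.
        if base is None or total > RATIO_THRESHOLD * base:
            alerts.append(Alert(host, "volume", "*", total, off_hours[host]))
    for (host, dst), nbytes in per_dest.items():
        if nbytes > NEW_DEST_BYTES:
            alerts.append(Alert(host, "new_destination", dst, nbytes, off_hours[(host, dst)]))
    return sorted(alerts)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.host:10} {a.rule:16} {a.dest:16} {a.bytes_out / 1024**2:10.1f} MiB"
              f"{'  OFF-HOURS' if a.off_hours else ''}")
```

On the constructed sample the file server trips both rules (its external volume is roughly 70 times its baseline, all of it to one unapproved address, all at night), while the workstation trips only the destination rule: its total is within five times baseline, but 700 MiB to a single never-approved SSH endpoint at 02:03 is worth an analyst’s attention. Real deployments would draw the baseline from weeks of flow data rather than a hard-coded table, and would pair these rules with the database and remote-access signals mentioned above, but the shape of the logic is the same.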

Preparing for the worst case: incident and communication plans

Because leak-driven extortion directly involves customers, employees and regulators, response plans must include legal, communications and compliance teams from the beginning. Waiting to involve them after a ransom note arrives often leads to confusion and inconsistent messaging.

Organisations should predefine who is authorised to negotiate with attackers, when to contact law enforcement and which external partners, such as forensic firms and specialist legal advisers, will be engaged. Clear decision paths can prevent panic and reduce costly delays.

Balancing ransom payments and public interest

Whether to pay a ransom remains a contentious question. Many governments discourage payments on the grounds that they fund further criminal activity and do not guarantee data will be destroyed. In some jurisdictions, payments to sanctioned groups may be illegal.

Boards and executives must weigh legal advice, regulatory expectations and the long-term reputational impact of both payment and non-payment. Documenting the reasoning behind any decision and being prepared to explain it to stakeholders is now an essential part of governance.

Practical steps organisations can take now

Although the threat landscape is complex, several concrete actions can reduce the risk and impact of data-theft ransomware attacks.

  • Inventory and classify data, so the most sensitive information receives the strongest protection and monitoring.
  • Harden remote access, including VPNs and remote desktop tools, with strong authentication and tight access rules.
  • Regularly test incident response plans with realistic exercises that include data leak scenarios.
  • Review contracts and data processing agreements with suppliers, since attacks often propagate through trusted partners.
  • Train staff on phishing, reporting suspicious activity and the importance of not reusing passwords across services.

No single control can eliminate the risk, but a layered strategy can turn a potential catastrophe into a manageable incident. As ransomware gangs continue to innovate, organisations that adapt quickly and treat data protection as a core business issue will be best positioned to withstand the next wave of extortion attacks.
