
Jan 30, 2026 · 5 min read

Ransomware Gangs Are Ditching Encryption—They Just Steal Your Data Now

Better backups made encryption less effective for extortion. Now criminals simply steal sensitive data and threaten to leak it. Total extortion incidents hit 6,182 in 2025, up 23 percent from the previous year.

Illustration: data files being extracted from a server through a digital tunnel, representing data exfiltration.

For years, the ransomware playbook was simple: encrypt the victim's files and demand payment for the decryption key. Organizations responded by improving their backup systems. Today, roughly 97 percent of companies with encrypted data can recover it without paying.

So criminals adapted. Instead of encrypting files, they now simply steal them and threaten to publish the data unless victims pay.

This shift from encryption to pure data theft is reshaping the ransomware landscape. In 2025, total extortion incidents reached 6,182, a 23 percent increase over 2024. And the trend is accelerating.

Why Encryption Lost Its Power

The ransomware industry evolved because organizations eliminated the leverage that encryption provided.

When companies have reliable, tested backups, encrypting their files becomes an inconvenience rather than an existential threat. They can restore from backup and resume operations without paying a ransom.

Criminals noticed. They adapted by eliminating the unnecessary step of encryption and focusing exclusively on the leverage that data theft provides. After all, you can't restore your way out of having your confidential data published on the internet.

How Exfiltration-Only Attacks Work

These attacks follow a different pattern than traditional ransomware:

  1. Attackers gain initial access through stolen credentials, software vulnerabilities, or social engineering
  2. They move through the network, identifying valuable data
  3. They exfiltrate sensitive information to servers they control
  4. They contact the victim with proof of theft and demand payment to prevent publication

There's no file encryption, no ransom note on the desktop, no obvious sign of compromise. The first indication of a problem may be when the extortion demand arrives.

The Cl0p Effect

No group has demonstrated the power of exfiltration-only attacks more effectively than Cl0p, tracked by researchers as Snakefly.

In 2023, Cl0p exploited a vulnerability in MOVEit file transfer software to steal data from hundreds of organizations in a matter of weeks. In 2024, they repeated the approach with Cleo file transfer products.

These campaigns showed that a single vulnerability in widely used enterprise software could yield massive returns without deploying ransomware at all. The data theft alone provided sufficient leverage for extortion.

Victims included government agencies, universities, healthcare systems, and Fortune 500 companies. Many had excellent backup systems that would have protected them from traditional encryption-based ransomware.

Why These Attacks Are Harder to Detect

Traditional ransomware leaves obvious signs: encrypted files, ransom notes, disabled services. Exfiltration-only attacks can be nearly invisible.

Attackers increasingly use legitimate tools that blend with normal operations. They use Azure Copy to move data to Azure endpoints, which often doesn't trigger alerts because many organizations use Azure for backup and storage.

PowerShell, remote management software, and standard backup utilities appear in most attack chains. Malware deployment, when it happens at all, occurs late in the intrusion near the data theft stage.

As security researchers note, modern ransomware relies less on malware and more on abusing legitimate tools inside your environment. Detection systems trained to spot malware may miss these living-off-the-land techniques entirely.

The Record Year

Despite major law enforcement actions against LockBit and the sudden shutdown of RansomHub, 2025 set records for ransomware activity.

Encryption-based attacks remained steady at approximately 4,700 incidents. But when including exfiltration-only extortion, the total reached 6,182, representing a 23 percent increase over 2024.

Microsoft's 2025 threat report found that data exfiltration occurred in 80 percent of attacks, confirming that stealing data has become the primary objective regardless of whether encryption follows.

Akira and Qilin each captured 16 percent of claimed attacks, while Inc and Safepay followed at 6 percent each. DragonForce emerged as a new player accounting for 5 percent of claims.

Social Engineering Takes Center Stage

Exfiltration-only attacks increasingly rely on social engineering rather than technical exploitation.

Groups including ShinyHunters and Scattered Spider used phone-based impersonation and credential harvesting against cloud platforms. Attackers convinced employees to authorize malicious applications or share authentication codes while posing as IT support.

This approach reduces malware dependency. If you can convince someone to give you their credentials, you don't need to deploy malicious code that security tools might detect.

Once inside with valid credentials, attackers blend with normal user activity while they locate and exfiltrate sensitive data.

The Implications for Defense

The shift to exfiltration-only attacks invalidates some traditional ransomware defenses:

Backups are necessary but not sufficient: Reliable backups protect against encryption. They don't protect against having your data published.

Detection must focus on data movement: Organizations need visibility into large data transfers, unusual access patterns, and connections to unknown external destinations.

Identity security becomes critical: Many exfiltration attacks begin with stolen credentials. Strong authentication, especially phishing-resistant methods like hardware security keys, can prevent initial access.

Data classification matters: Understanding what data you have and where it lives allows better protection of your most sensitive information.
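One way to put "detection must focus on data movement" into practice, and to catch the kind of legitimate-tool transfer to cloud storage described in the Azure Copy case above, is to aggregate outbound bytes per host and destination and alert on two conditions: a bulk transfer to a destination that is not a sanctioned storage endpoint, or a volume far above the host's normal outbound baseline even when the destination is sanctioned. This is an added example, not code from the article; the log lines, hostnames, storage account names and baselines are constructed, and the sanctioned list is matched by exact hostname because a broad match on the cloud provider's domain would also admit an attacker-controlled account.

```python
"""Flag candidate bulk exfiltration in outbound flow logs (added example; sample data constructed)."""
from collections import defaultdict

# Constructed sample: one record per outbound flow, timestamp then key=value fields.
SAMPLE_LOG = """\
2026-01-30T01:10:02Z host=fileserver01 proc=backupagent.exe dst=orgbackup.blob.core.windows.net bytes_out=1500000000
2026-01-30T02:14:07Z host=workstation17 proc=azcopy.exe dst=stage7731.blob.core.windows.net bytes_out=600000000
2026-01-30T02:31:44Z host=workstation17 proc=azcopy.exe dst=stage7731.blob.core.windows.net bytes_out=300000000
2026-01-30T02:40:19Z host=workstation17 proc=azcopy.exe dst=orgbackup.blob.core.windows.net bytes_out=400000000
2026-01-30T03:05:55Z host=workstation22 proc=chrome.exe dst=www.example.com bytes_out=12000
"""

# Assumptions: the organisation's own storage account, matched by exact hostname
# (a suffix match on blob.core.windows.net would also admit an attacker's account),
# and a per-host daily outbound baseline learned from history (constructed values).
SANCTIONED_DESTINATIONS = {"orgbackup.blob.core.windows.net"}
HOST_BASELINE_BYTES = {"fileserver01": 2_000_000_000, "workstation17": 50_000_000}

def parse_flows(text):
    """Parse 'key=value' flow lines into dicts, with bytes_out as an int."""
    flows = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        fields["bytes_out"] = int(fields["bytes_out"])
        flows.append(fields)
    return flows

def find_suspect_transfers(flows, sanctioned, baseline,
                           unknown_limit=500_000_000, baseline_factor=3):
    """Return (host, dst, total_bytes, reason) tuples worth triage, sorted by host and destination."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["host"], f["dst"])] += f["bytes_out"]
    alerts = []
    for (host, dst), total in sorted(totals.items()):
        # Hosts with no learned baseline fall back to the generic bulk-transfer limit.
        normal = baseline.get(host, unknown_limit)
        if dst not in sanctioned and total >= unknown_limit:
            alerts.append((host, dst, total, "bulk transfer to unsanctioned destination"))
        elif total > normal * baseline_factor:
            alerts.append((host, dst, total, "volume exceeds host baseline"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_transfers(parse_flows(SAMPLE_LOG),
                                        SANCTIONED_DESTINATIONS, HOST_BASELINE_BYTES):
        print(alert)
```

On the sample, the backup server's transfer to the sanctioned account is silent, while the workstation is flagged twice: once for 900 MB sent to an unknown storage account, and once for 400 MB sent to the sanctioned account, which is still eight times its normal daily volume.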

What 2026 Holds

Security researchers expect the trend toward exfiltration-only extortion to continue. Affiliate movements between ransomware services, shared access broker networks, and standardized tooling suggest the ecosystem will remain fluid and adaptive.

Predictions for 2026 include AI-assisted attacks that automate victim research and communication, expanded targeting of cloud and identity systems, and continued overlap between ransomware operations and traditional espionage campaigns.

Some analysts expect AI-driven extortion bots to engage victims directly in ransom negotiations, reducing the human labor required to operate large-scale extortion campaigns.

The era when ransomware meant encrypted files and recovery meant restoring from backup is ending. In its place, a more insidious threat: criminals who steal your data quietly, leaving no trace until the extortion demand arrives.