Beyond encryption: Ransomware now threatens to leak stolen data


https://www.escudodigital.com/en/cybersecurity/beyond-encryption-ransomware-now-threatens-to-leak-stolen-data.html

Publish Date: 2026-06-22 01:05:00

Source Domain: www.escudodigital.com


There is no doubt that criminal groups continue to use ransomware. But they are increasingly betting on a strategy based on data theft and the threat of making the data public if the victim does not comply with their demands.

Many companies have improved their disaster recovery capabilities and have backups that allow systems to be restored relatively quickly.

As a consequence, criminals are seeking new forms of pressure that generate greater financial, legal, and reputational impact.

Data-based extortion gains prominence

According to the 2026 Global Incident Response Report, prepared by Unit 42, the threat intelligence unit of Palo Alto Networks, the share of extortion incidents that included system encryption fell to 78% during 2025.

This figure represents a change compared to the previous four years, when this percentage usually exceeded 90%.

The data reflects a trend: attackers understand that confidential information has enormous strategic value.

The publication of internal documents, customer data, financial information, or intellectual property can cause much more severe consequences than a simple temporary interruption of activity.

In many cases, the objective is no longer to prevent the organization from working but to threaten to expose sensitive information to customers, partners, regulators, or competitors.

Actors specialized in information theft

Unit 42 has identified several criminal groups that have evolved from traditional ransomware models to schemes focused almost exclusively on data exfiltration and extortion.

Among them is Bling Libra, also known as ShinyHunters, an actor specialized in compromising software as a service (SaaS) applications.

Also included is Hazy Scorpius, known as CLOP, responsible for campaigns that have exploited critical vulnerabilities in enterprise platforms like Oracle EBS.

These groups have demonstrated that obtaining large volumes of information can become an extremely effective pressure tool without the need to deploy complex encryption processes.

Artificial intelligence accelerates attacks

The growing use of artificial intelligence in cybercrime operations is increasing the speed and effectiveness of attacks.

Criminals can automate reconnaissance tasks, locate vulnerabilities more quickly, and optimize intrusion campaigns.

One of the most striking data points collected by Unit 42 is that some attackers are capable of going from initial access to a corporate network to complete information theft in just 72 minutes.

This drastic reduction in the time available to respond makes it difficult for organizations to react and forces them to reinforce early detection mechanisms.

Four factors explain the change in strategy

The reduction in the use of encryption is due to several elements that are modifying the balance between attackers and defenders.

On the one hand, companies have significantly improved their backup and recovery systems, which limits the effectiveness of file hijacking as a pressure mechanism.

There is also greater maturity in endpoint protection solutions and automated tools capable of interrupting attacks before they reach their objectives.

This is compounded by the speed with which criminals can extract critical information and by the growing regulatory pressure in numerous markets.

Sanctions for regulatory non-compliance, potential legal claims, and reputational damage resulting from a massive leak can generate economic consequences of enormous magnitude.

Sectors most affected by this trend

Campaigns focused exclusively on information theft particularly affected professional services companies, healthcare organizations, and consumer-oriented companies during 2025.

Medium-sized companies accounted for 64% of the incidents analyzed, demonstrating that attackers do not only target large corporations. Many medium-sized organizations manage valuable information but have more limited resources to protect themselves.

Although the manufacturing industry continues to be one of the sectors most affected by cybercrime, the construction sector recorded a 44% year-on-year increase in this type of attack. Criminals find documents related to bids, contracts, financial forecasts, and strategic projects particularly attractive.

Strengthening data protection as a priority

The economic impact of these operations is considerable. The average cost associated with extortion incidents based on information theft already reaches 5.08 million dollars, while large-scale breaches can exceed 10 million dollars.

In this scenario, organizations are forced to expand their security strategy beyond protection against traditional ransomware. Reviewing access to SaaS applications, implementing phishing-resistant authentication systems, continuously monitoring for potential leaks, and accelerating incident response processes have become essential measures.
