Shift in Data Extortion Tactics: A Decline in Ransomware Encryption
TL;DR
Recent research from Unit 42 indicates a significant reduction in the use of ransomware encryption to pressure victims for payments, as attackers increasingly favor direct data theft and extortion techniques. This trend highlights an emerging threat landscape shaped by evolving attacker tactics and regulatory environments.
Main Analysis
Unit 42 has observed a marked decline in the use of encryption in extortion-related incidents, with only 78% of cases involving encryption in 2025, down from levels surpassing 90% in previous years. Supporting this trend, Google reported a rise in data theft and extortion incidents from 2% in 2020 to 15% in 2025, while Resilience noted an increase in pure extortion incidents, particularly among mid-sized organizations. This shift may be attributed to enhanced recovery and backup capabilities, the growing maturity of endpoint defenses, and regulatory frameworks that impose stringent compliance requirements, thereby incentivizing organizations to pay extortion demands to avoid hefty penalties and reputational damage.
Prominent threat actors such as Bling Libra and Hazy Scorpius exemplify this transition, focusing on direct data theft rather than relying on ransomware. Organizations within Professional Services, Healthcare, and Consumer Services have become primary targets, with mid-sized businesses representing 64% of victims. Sectors like Construction, which saw a 44% year-over-year increase in data-only extortion incidents, reflect a shift in attacker focus driven by the value of the data they handle.
The current extortion landscape is heavily influenced by regulatory frameworks, which attackers leverage to expedite negotiations with organizations under pressure. The urgency to comply with mandates such as the SEC’s disclosure requirements and GDPR’s reporting timelines increases the likelihood that organizations will acquiesce to extortion demands to mitigate potential financial repercussions.
Defensive Context
This evolving threat landscape primarily impacts organizations that manage sensitive data, particularly in highly regulated sectors. Mid-sized firms in industries such as Professional Services and Healthcare should be particularly vigilant given their significant representation among extortion targets. Conversely, smaller organizations with less sensitive operational data may not face the same level of risk.
Why This Matters
As extortion tactics evolve, defenders must recognize the amplified risk these new methods present. The regulatory pressures now in play empower attackers to exploit compliance timelines, creating a high-stakes environment for organizations that may face severe consequences for data breaches.
Defender Considerations
Monitoring for abnormal data egress and implementing data loss prevention controls are critical, since data-only extortion leaves no encryption event to detect and the theft itself is the only signal. Organizations should audit OAuth token grants and enforce stringent identity verification measures, especially for SaaS applications. Additionally, awareness of the operations conducted by prominent extortion groups will aid in formulating targeted defenses.
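The egress-monitoring point above can be made concrete with a small baseline comparison. The following is an added example, not code from the Unit 42 report or from any vendor product: it reads constructed outbound flow records (the tab-separated format, host names, destinations and byte counts are all assumed for illustration), builds each host's own baseline from earlier days, and flags a host whose outbound volume jumps well above that baseline or that starts sending to a destination it has never used before. Both conditions are typical of bulk data theft preceding an extortion demand.

```python
"""Detect abnormal data egress from outbound flow records.

Added example (not from the Unit 42 report): the log format, field names,
hosts, destinations and byte counts below are all constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed outbound flow records: date, source host, destination, bytes sent.
# Tab-separated; the format is assumed for this example only.
SAMPLE_FLOWS = """\
2025-03-01\tws-finance-07\tcdn.example-saas.net\t52000000
2025-03-01\tws-finance-07\tmail.example-corp.com\t8000000
2025-03-02\tws-finance-07\tcdn.example-saas.net\t48000000
2025-03-02\tws-finance-07\tmail.example-corp.com\t9500000
2025-03-03\tws-finance-07\tcdn.example-saas.net\t50000000
2025-03-03\tws-finance-07\tmail.example-corp.com\t7000000
2025-03-04\tws-finance-07\tcdn.example-saas.net\t51000000
2025-03-04\tws-finance-07\tfiles.unknown-host.example\t2100000000
2025-03-01\tws-hr-02\tcdn.example-saas.net\t30000000
2025-03-02\tws-hr-02\tcdn.example-saas.net\t31000000
2025-03-03\tws-hr-02\tcdn.example-saas.net\t29000000
2025-03-04\tws-hr-02\tcdn.example-saas.net\t33000000
"""


def parse_flows(text):
    """Parse tab-separated flow lines into (date, host, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dest, sent = line.split("\t")
        records.append((date, host, dest, int(sent)))
    return records


def daily_egress(records):
    """Aggregate bytes per host per day, and the destinations each host used per day."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for date, host, dest, sent in records:
        totals[host][date] += sent
        dests[host][date].add(dest)
    return totals, dests


def find_anomalies(records, target_date, ratio=3.0, min_baseline_days=2):
    """Flag hosts whose egress on target_date is far above their own baseline.

    Baseline = median of the host's daily totals on earlier days. A host is
    flagged when its target-day total exceeds ratio * baseline, or when it
    sends to a destination never seen during its baseline days.
    """
    totals, dests = daily_egress(records)
    findings = []
    for host in sorted(totals):
        baseline_days = sorted(d for d in totals[host] if d < target_date)
        if target_date not in totals[host] or len(baseline_days) < min_baseline_days:
            continue  # not enough history to judge this host
        baseline = median(totals[host][d] for d in baseline_days)
        today = totals[host][target_date]
        known = set().union(*(dests[host][d] for d in baseline_days))
        new_dests = sorted(dests[host][target_date] - known)
        reasons = []
        if today > ratio * baseline:
            reasons.append(f"volume {today / baseline:.1f}x baseline")
        if new_dests:
            reasons.append("new destinations: " + ", ".join(new_dests))
        if reasons:
            findings.append({
                "host": host,
                "date": target_date,
                "bytes": today,
                "baseline": baseline,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_flows(SAMPLE_FLOWS), "2025-03-04"):
        print(f["host"], f["date"], f["bytes"], "; ".join(f["reasons"]))
```

On the constructed data only ws-finance-07 is flagged: its 4 March total is roughly 37 times its median of the three preceding days, and it contacts a destination absent from its history, while ws-hr-02 stays within its normal range. Using each host's own median rather than a fleet-wide threshold keeps a naturally chatty host from masking a quiet one, and the new-destination check catches a staged transfer even when the attacker throttles volume to stay under a ratio threshold.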
Indicators of Compromise (IOCs)
No specific IOCs were mentioned in the article.