Ransomware has evolved beyond simple encryption and data theft. Today’s attackers are refining their tactics by launching data theft attacks and extortion campaigns without encryption, wiping backups, and deploying additional malware. In many cases, they’re also directly harassing and threatening employees, shareholders, and customers. To stay ahead, organizations must evolve their detection and defense strategies.

Understanding Extortion Without Encryption

Traditionally, attackers deployed malware to encrypt files and demanded payment for decryption. More recently, their tactics have shifted toward data theft and immediate extortion, threatening to publish stolen information if victims refuse to pay.

From Ransomware to Extortion Campaigns

In traditional encryption-based ransomware attacks, attackers infected systems with malware that encrypted victims’ files. Then, they demanded payment in exchange for the decryption key. The data was locked but not exfiltrated. This meant that once those affected restored data from backups or obtained a decryptor key, their data’s confidentiality wasn’t necessarily compromised.

More recently, extortion without encryption campaigns have become more popular. In this model, attackers often directly steal sensitive information and threaten to publish it if the ransom isn’t paid. In many cases, they add new pressure layers, such as threatening to contact customers and the media to force victims to pay.

Why Attackers Skip Encryption

It takes time and expertise to develop ransomware that can bypass antivirus and EDR defenses, while advances in backup and recovery have made encryption far less profitable for attackers. Many organizations have also invested in stronger detection and response capabilities, which increase the likelihood that an encryption attack fails before it pays off.

As a result, many modern ransomware groups use ransomware-as-a-service (RaaS), leasing ransomware that is developed and maintained by other groups. Other groups skip encryption entirely and go straight for data exfiltration. This lets them operate faster, resulting in more profit.

The Rise of Double and Triple Extortion Ransomware

Many attackers are now using layered extortion tactics to maximize their leverage against victims and increase their chances of getting paid.

Double Extortion Ransomware Explained

In a double extortion ransomware attack, threat actors steal victims’ sensitive data before encrypting their files. This means they can raise the stakes when demanding ransom. In addition to paying to get their data decrypted, those affected must pay to stop attackers from leaking their stolen information.

This tactic significantly increases pressure on victims. Even if they can restore their systems from backups, the fear of data exposure is significant as it can lead to reputational damage and regulatory consequences. This often pushes them to negotiate or pay.

Triple Extortion Attacks

In a triple extortion attack, attackers go beyond encrypting and stealing data. Once they have demanded payment to stop a data leak, they ramp up their threats. This often involves contacting customers, business partners, or regulators to warn them that their information will be exposed.

This tactic puts pressure on the victim by creating public embarrassment and customer panic, as well as potential legal consequences. The goal is to expedite the ransom payment.

Harassment and Reputational Damage

Increasingly, attackers are targeting executives, customers, partners, and the media to put more pressure on their victims. This can include writing threatening letters or making calls to leadership, and letting third parties know that their data has been stolen.

In some cases, threat actors make more noise by publishing partial leaks or contacting journalists.

A recent example of this is the threats against Salesforce by the ShinyHunters group in October. The group claimed to have stolen 1 billion records from Salesforce customer databases, and announced that they would publish the data publicly if their demands were not met.

In all of these cases, the attackers’ goal is to turn a breach into a reputational and legal crisis, ultimately forcing victims to pay the ransom more quickly.

Business and Security Implications of Data Theft Attacks

Extortion without encryption and data-theft attacks extend the threat beyond IT. As well as exposing organizations to financial losses and regulatory penalties, they can cause severe reputational damage that takes years to recover from.

Regulatory and Legal Exposure

Data breaches can trigger compliance violations under laws like GDPR, HIPAA, and other data-protection regulations. Breaching these regulations and exposing sensitive information can result in fines and legal penalties for organizations.

Operational and Financial Impact

Data theft attacks can quickly disrupt operations and lead to significant downtime costs. They also erode trust, which leads to customer churn. When combined with potential litigation and regulatory fines, these attacks can cause substantial financial and operational burdens.

Brand Trust and Reputational Fallout

Successful data theft attacks can significantly undermine public confidence in an organization’s ability to protect information. Stakeholders may lose trust, and negative media coverage can result in long-term reputational damage. Even temporary exposure of data can have lasting effects on brand perception and market credibility.

Defending Against Post-Ransomware Threats

Now that attackers no longer rely on encryption as their primary weapon, managed detection and response (MDR) and proactive defense strategies must adapt.

Detecting Data Exfiltration

Extortion without encryption typically involves silent data exfiltration. Once attackers gain entry, they focus on high-value information and exfiltrate it gradually, often disguising it as normal network traffic.

To identify these unusual transfers, organizations should invest in security solutions like network monitoring, data loss prevention (DLP), and anomaly detection. Regular monitoring can help identify newly installed applications like Rclone, which attackers often use to exfiltrate stolen data. It can also help detect outbound traffic to sites like mega.io or other cloud backup providers.
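The three signals described above (execution of a tool such as Rclone, outbound traffic to cloud-storage services such as mega.io, and outbound volume far above a host's normal baseline) can be turned into simple detection rules. The following is an added example written for this article, not code from the article or from any vendor product. The log line format, the sample log lines, the cloud-storage domain list, the per-host baselines and the volume multiplier are all constructed assumptions; in a real deployment they would come from your proxy/EDR telemetry, threat intelligence and learned traffic history.

```python
"""Toy exfiltration detector over constructed proxy and endpoint process logs.

Added example for illustration only. The log formats, domains, baselines and
thresholds below are assumptions, not values from any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: cloud-storage destinations worth flagging. A real list would be
# sourced from threat intelligence and your own allowlist of sanctioned services.
CLOUD_STORAGE_DOMAINS = {"mega.io", "mega.nz", "mega.co.nz"}

# Assumption: per-host daily outbound baseline in bytes, learned from history.
# Constructed numbers for the two sample hosts used below.
BASELINE_BYTES_PER_HOST = {"ws-finance-01": 50_000_000, "ws-eng-07": 200_000_000}

# Assumption: alert when a host's outbound volume exceeds this multiple of baseline.
VOLUME_MULTIPLIER = 5

# Constructed proxy log lines: "timestamp host user destination_domain bytes_out"
PROXY_LOG = [
    "2024-01-15T02:13:04Z ws-finance-01 jdoe api.mega.io 180000000",
    "2024-01-15T02:41:19Z ws-finance-01 jdoe api.mega.io 120000000",
    "2024-01-15T09:05:00Z ws-eng-07 asmith github.com 40000000",
    "2024-01-15T10:22:31Z ws-eng-07 asmith update.example-vendor.com 12000000",
]

# Constructed endpoint process events: "timestamp host user process_path"
PROCESS_LOG = [
    "2024-01-15T02:10:55Z ws-finance-01 jdoe C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe",
    "2024-01-15T09:00:12Z ws-eng-07 asmith C:\\Program Files\\Git\\bin\\git.exe",
]


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def parse_proxy_line(line: str) -> dict:
    """Split one constructed proxy line into its fields."""
    ts, host, user, dest, bytes_out = line.split()
    return {"ts": ts, "host": host, "user": user, "dest": dest, "bytes_out": int(bytes_out)}


def parse_process_line(line: str) -> dict:
    """Split one constructed process event; the path may contain spaces."""
    ts, host, user, path = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "user": user, "path": path}


def matches_cloud_storage(dest: str):
    """Return the matching listed domain if dest is that domain or a subdomain of it."""
    dest = dest.lower()
    for domain in CLOUD_STORAGE_DOMAINS:
        if dest == domain or dest.endswith("." + domain):
            return domain
    return None


def detect_tooling(process_lines):
    """Rule 1: a known exfiltration tool (here, Rclone) executing on an endpoint."""
    alerts = []
    for ev in map(parse_process_line, process_lines):
        exe = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in {"rclone", "rclone.exe"}:
            alerts.append(Alert(ev["host"], "exfil-tool-execution", f"{ev['user']} ran {ev['path']}"))
    return alerts


def detect_cloud_storage_egress(proxy_lines):
    """Rule 2: outbound bytes to cloud-storage domains, aggregated per host, user and domain."""
    totals = defaultdict(int)
    for ev in map(parse_proxy_line, proxy_lines):
        domain = matches_cloud_storage(ev["dest"])
        if domain:
            totals[(ev["host"], ev["user"], domain)] += ev["bytes_out"]
    return [Alert(host, "cloud-storage-egress", f"{user} sent {total} bytes to {domain}")
            for (host, user, domain), total in totals.items()]


def detect_volume_anomaly(proxy_lines):
    """Rule 3: total outbound volume per host far above its learned baseline."""
    totals = defaultdict(int)
    for ev in map(parse_proxy_line, proxy_lines):
        totals[ev["host"]] += ev["bytes_out"]
    alerts = []
    for host, total in totals.items():
        baseline = BASELINE_BYTES_PER_HOST.get(host)
        if baseline is None:
            continue  # no baseline learned yet; leave this host to the other rules
        if total > VOLUME_MULTIPLIER * baseline:
            alerts.append(Alert(host, "outbound-volume-anomaly", f"{total} bytes vs baseline {baseline}"))
    return alerts


def detect_exfiltration(proxy_lines, process_lines):
    """Run all three rules and return the combined alert list."""
    return (detect_tooling(process_lines)
            + detect_cloud_storage_egress(proxy_lines)
            + detect_volume_anomaly(proxy_lines))


if __name__ == "__main__":
    for alert in detect_exfiltration(PROXY_LOG, PROCESS_LOG):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

On the constructed sample, only ws-finance-01 trips the rules: Rclone runs from a user's temp directory, the same user then pushes 300 MB to api.mega.io in two transfers, and that total is more than five times the host's 50 MB baseline. Each rule on its own would produce a noisy or incomplete picture; correlating them on host and user, as the combined function's output allows, is what turns "unusual transfers" into an actionable alert for the response steps described in the next section.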

Improving Response Time

Speed is crucial for mitigating harm in data theft attacks. As soon as an account or system is compromised, security teams should take immediate action to contain the threat as quickly as possible. Real-time visibility into network and user activity can make it easier to detect suspicious behavior and prevent further data exfiltration.

Acting quickly can significantly reduce the operational and financial impact of threats. Integrating automated alerts and incident response workflows can also help teams to act decisively under pressure.

Preparing for the Next Phase of Ransomware

Organizations can build resilience and reduce the chance of successful silent exfiltration through continuous monitoring and rehearsing incident response. This helps anticipate attacks and safeguards sensitive data.

Continuous Threat Intelligence

Security teams can maintain continuous threat intelligence by monitoring the dark web and staying updated on leak sites. This helps uncover emerging attack trends, enabling them to anticipate new extortion tactics that bypass encryption.

Organizations should also monitor leak sites and other common exfiltration paths to look for evidence of their own data being leaked. In the event that the initial attack was missed, this can be an indicator of compromise.

Building a Culture of Preparedness

Creating a culture of preparedness is essential for dealing with post-ransomware threats. For instance, conducting regular tabletop exercises can help teams practice responding to data theft attacks in a controlled setting. This helps clarify roles and responsibilities and identify gaps in your strategy.

Executive involvement is also essential for embedding cybersecurity into your organization’s culture. It highlights security as a strategic priority and drives accountability, ensuring a more coordinated response when incidents occur.

Adapting to Extortion Without Encryption

Ransomware isn’t disappearing; it’s just changing. The rise in extortion without encryption means that organizations will need to rethink their defenses. This will involve prioritizing early detection, rapid response, data loss prevention, and strong collaboration across IT, legal, and executive teams to contain threats and reduce impact. Success will depend on adapting as quickly as the attackers do.