
Cyber Extortion: Encryption Optional? 2026 Trends

Forget the locks and keys! Today's cyber extortionists are finding new ways to make you pay, and it’s scarier than you think. Data theft alone is now the ultimate weapon.


Key Takeaways

  • Cyber extortionists are increasingly bypassing encryption, focusing on pure data theft to extort victims.
  • Regulatory compliance frameworks (like SEC and GDPR rules) are being weaponized by threat actors to force rapid negotiations.
  • Mid-sized organizations in Professional Services, Healthcare, and Consumer Services are primary targets for data-only extortion.
  • Supply chain compromises, like those by TGR-CRI-1135, are a key vector for initial access in these operations.
  • The open-source release of tools like Shai-Hulud lowers the barrier to entry for cyber extortionists.

Is your company really safe if hackers don’t even bother to encrypt your files anymore?

Thought so.

The headlines, for years, screamed about ransomware. Encrypt, demand, pay. A predictable, if terrifying, cycle. But the bad guys are, unsurprisingly, getting bored. Or, perhaps more accurately, they’ve found a new, arguably more lucrative, racket. Forget locking your data away; they’re just taking it. And your fear of regulatory fines is now their primary leverage.

The Encryption Exit: A 2025 Data Point

Look, the numbers don’t lie. The boffins at Unit 42 sniffed out a significant drop in encryption use for extortion cases last year. Down to 78%. That’s a cliff dive from the 90%+ we’d grown accustomed to between 2021 and 2024. Other outfits, like Google, are seeing a similar tidal wave of raw data theft, leaping from a paltry 2% in 2020 to a not-so-charming 15% by 2025. Resilience noticed it too: extortion-only incidents shot up, particularly in the latter half of 2025. They’re going for the direct hit.

“In 2025, pure data-exfiltration campaigns heavily targeted Professional Services, Healthcare and Consumer Services firms with threat actors specifically focused on mid-sized organizations accounting for 64% of victims.”

So, why the switch? Three reasons. First, we’ve gotten better at backups. Re-imaging is a nuisance, not a death knell. Second, our endpoints are smarter, faster at squashing threats. But the real kicker? Regulation. Non-compliance fines, class-action lawsuits, reputational meltdowns—these are far juicier carrots (or sticks) than a few days of downtime.

And guess who’s getting hit the hardest? Professional Services, Healthcare, Consumer Services. Mid-sized outfits, in particular, are the sweet spot. They’ve got valuable data, but perhaps not the ironclad defenses of the behemoths. Construction is also a new darling, with a 44% surge in data-only extortion. Why? Lucrative financial blueprints and bidding data. They’re basically handing over the keys to the kingdom.

Weaponizing Compliance: The Regulatory Countdown

This whole data-only extortion economy? It’s practically built on our increasingly complex regulatory landscape. Threat actors have turned our own rules against us. The SEC’s 4-day disclosure window. GDPR’s 72-hour reporting mandate. These aren’t just guidelines anymore; they’re threat actor-issued deadlines. They create a frantic rush, forcing negotiations before companies can even figure out what’s been stolen.

The average cost of data-theft extortion? $5.08 million. For breaches affecting the whole U.S.? Over $10 million. That’s not even counting the inevitable lawsuits. Exposure alone carries crippling financial liability. The system’s design, meant to protect us, now practically compels payouts to avoid regulatory Armageddon. It’s a perverse incentive, and the criminals are loving it.

Our own Chief Security Intelligence Officer, Wendi Whitmore, pointed out something chilling: in one instance, it took just 39 seconds from initial access to data exfiltration. Thirty-nine seconds. Think about that.

Supply Chain Shenanigans: The Indirect Route

It’s not all about direct breaches anymore, either. Some of these operations are far more sophisticated, using the software supply chain as their entry point. Take TGR-CRI-1135, a group active since late 2025. They’ve reportedly compromised over 500 pieces of software through some 20 distinct supply chain attacks. They’re injecting malicious code, then quietly siphoning off secrets: cloud tokens, SSH keys, Kubernetes credentials. The digital equivalent of sneaking into the vault without anyone noticing the door was ever breached.

What’s really interesting is their business model. They’re not just stealing for themselves. They’re partnering. They team up with Ransomware-as-a-Service (RaaS) and Extortion-as-a-Service (EaaS) operators. For EaaS, they’ve been seen collaborating with the LAPSUS$ Group, using their data leak sites to pressure victims. On the RaaS side, they’re hooking up with Vect ransomware. Even affiliates of Vect, like the Rostova Organization, are reportedly in cahoots. It’s a multi-headed hydra of criminal enterprise.

And to really twist the knife, TGR-CRI-1135 recently open-sourced their Shai-Hulud tool on BreachForums. That’s right, they’re democratizing their hacking toolkit. The barrier to entry just dropped.

The New Double Threat: Data + Pressure

This shift away from encryption doesn’t mean the stakes are lower. Far from it. It’s just a different kind of pressure. Instead of the immediate panic of an encrypted hard drive, it’s the slow-burn dread of public exposure and the looming threat of regulatory reckoning.

Organizations are now caught between a rock and a hard place. Pay the extortionists to keep data private and avoid massive fines and lawsuits, or refuse and face the potentially ruinous consequences of a public data leak. It’s a lose-lose scenario, handcrafted by attackers who understand our digital vulnerabilities better than we do. And the arrival of frontier AI models? Don’t even get me started on how that’s going to amplify these tactics.

So, no. Encryption isn’t dead. But it’s no longer the only, or even the primary, weapon in the cyber extortionist’s arsenal. Welcome to the new era of data theft. Stay vigilant. Or, you know, don’t. It’s your company’s data on the line.



Written by
Threat Digest Editorial Team


Originally reported by Palo Alto Unit 42
