
Extortion‑only attacks bypass decryption defenses, forcing organizations to broaden security focus beyond endpoint protection to supply‑chain and credential controls, raising overall breach risk.
The ransomware landscape is evolving as threat actors pivot from encrypting victims’ files to stealing data outright. This shift is reflected in Symantec and Carbon Black’s latest research, which shows encryption‑less extortion incidents exploding to roughly 1,500 last year—a stark contrast to the modest rise in classic ransomware. By sidestepping encryption, attackers avoid the technical hurdles of payload delivery and focus on high‑value data exfiltration, making extortion threats harder to detect with traditional anti‑ransomware tools.
Key to these campaigns are unpatched zero‑day vulnerabilities and weak points in software supply chains. The ShinyHunters gang, for example, leveraged social engineering and voice‑phishing to compromise Salesforce credentials, then moved laterally to harvest user data across multinational firms. Similarly, the Scattered Spider group combined traditional ransomware with data‑theft tactics, exploiting CVE‑2025‑61882 in Oracle E‑Business Suite to gain unauthenticated remote code execution. Such vectors highlight the growing importance of securing third‑party add‑ons and continuous vulnerability management.
Mitigation now requires a multi‑layered approach: rigorous software‑inventory audits, prompt patching of known and emerging flaws, and robust credential hygiene, including mandatory multi‑factor authentication. Organizations must also monitor their supply‑chain ecosystem, scrutinizing third‑party components that could serve as footholds for attackers. As extortion‑only attacks become mainstream, enterprises that expand their defensive posture beyond endpoint encryption will be better positioned to protect sensitive data and avoid costly public disclosures.