
Hackers Ditch Encryption, Focus on Data Theft and Extortion

Summary

– Cybercriminals are increasingly using “extortion-only” attacks that rely solely on data theft and threats of publication, rather than deploying encryption-based ransomware.
– The number of these encryptionless attacks grew dramatically, from 28 incidents in 2024 to nearly 1500 in 2025, while traditional ransomware attacks remained stable.
– These campaigns commonly exploit unpatched software vulnerabilities, including zero-day flaws, and software supply chain weaknesses, as seen in attacks by groups like ShinyHunters.
– This shift broadens the cybersecurity threat landscape, forcing organizations to also focus on securing their software supply chains and third-party applications.
– Recommended defenses include applying all security updates, enforcing strong credential hygiene with MFA, and auditing third-party software and extensions.

Cybercriminal tactics are shifting, with a dramatic rise in extortion schemes that bypass encryption entirely. Instead of deploying ransomware to lock files, attackers are now focusing purely on stealing sensitive data and threatening to release it unless a ransom is paid. This evolution presents a distinct challenge for organizations, as traditional defenses geared towards stopping encryption may not prevent a catastrophic data breach. New research highlights a “significant jump” in these encryptionless attacks, with incidents soaring from just 28 in 2024 to nearly 1500 in 2025.

This trend represents a fundamental change in the cyber threat landscape. While conventional ransomware attacks remain consistently high, the explosive growth of extortion-only campaigns indicates criminals are finding data theft to be a simpler and equally profitable method. These groups infiltrate networks, exfiltrate information, and then directly contact victims with threats of public exposure, creating immense pressure to pay without any systems being technically disrupted.

The most common entry points for these campaigns are the exploitation of unpatched software vulnerabilities and weaknesses within the software supply chain. Attackers aggressively target zero-day flaws and insecure third-party integrations to gain an initial foothold. A prominent example involved the ShinyHunters gang, which in 2025 conducted a global campaign targeting companies like Allianz and Qantas. They used social engineering and voice phishing to compromise credentials for Salesforce portals, then moved laterally to steal user data for extortion.

Other threat actors, such as Scattered Spider, have also increasingly adopted this model, though some continue to blend it with traditional ransomware deployments. Researchers specifically noted the exploitation of vulnerabilities like CVE-2025-61882 in Oracle E-Business Suite, which allowed unauthenticated remote code execution and was leveraged in encryptionless extortion campaigns.

This broadening of attack methods forces enterprises to defend against a wider array of threats. Organizations must now secure not only their core networks but also scrutinize every link in their software supply chain, where a single weak third-party add-on can become a gateway for massive data theft.

To mitigate this risk, experts recommend a proactive and layered security approach. Auditing all organizational software and applying security updates without delay is a critical first step. Equally important is enforcing strong credential hygiene, including the routine use of multi-factor authentication (MFA) to protect access points. Special attention must be paid to the software supply chain, particularly third-party extensions that have access to critical enterprise applications. By strengthening these areas, businesses can build resilience against both encryption-based and encryptionless extortion threats.

(Source: InfoSecurity Magazine)
