Ethical Hacking News
The Rise of Pure Extortion: A New Era in Ransomware Attacks
In recent years, the landscape of ransomware attacks has undergone a significant shift. Pure encryption-based ransomware, once a primary method of extortion, is now being replaced by a new approach that focuses on stealing sensitive data and threatening to leak it publicly if victims refuse to pay.
This change in strategy has been attributed to several factors, including advancements in technology, changes in the way companies operate, and the increasing sophistication of attackers. As Pierluigi Paganini, a renowned cybersecurity expert, notes, "The new model is pure data extortion: steal it, threaten to publish it, monetise either through victim payment or, increasingly, direct resale on the data leak site. In May 2026 this isn’t an exotic experiment. It’s the default playbook."
Ransom payment rates have collapsed from roughly 76% in 2019 to just 28% in 2026, according to Kaspersky's State of Ransomware 2026 report. This decline can be attributed to several factors, including better backups, stricter cyber-insurance rules, regulatory pressure, and improved incident response.
Attackers are now focusing on stealing sensitive data, rather than encrypting systems. This approach allows them to avoid the operational problems associated with encryption, such as generating forensic evidence, triggering EDR alerts, and giving defenders time to react.
Recent incidents have highlighted this trend, including the ShinyHunters group's alleged theft of 3.65 TB of data from Instructure, which affected roughly 275 million students, teachers, and staff across approximately 9,000 educational institutions. Similarly, the Nitrogen gang targeted Foxconn's North American operations, reportedly exfiltrating nearly 8 TB of internal data.
This shift in strategy has significant implications for defenders. Traditional ransomware response plans focused heavily on restoring systems, recovering encrypted files, rebuilding infrastructure, and negotiating decryption keys. However, when attackers skip encryption entirely, those controls lose much of their value.
The economics have also changed. As Paganini notes, "When the leak site itself is the product, the victim’s negotiation position weakens dramatically." The most important strategic shift is the one with the least technical content. In the 2020 model, the data leak site was a coercion device: pay or we publish. In the 2026 model, the data leak site is the product.
Stolen datasets are increasingly monetized through resale to fraud groups, identity theft operations, and other criminal buyers, even if victims refuse to pay. This new approach has significant implications for businesses and individuals alike.
In conclusion, the rise of pure extortion represents a significant shift in the landscape of ransomware attacks. As attackers continue to adapt and evolve their tactics, it is essential for businesses and individuals to stay vigilant and take proactive measures to protect themselves against this new threat.
Ransomware attacks have shifted from pure encryption-based extortion to stealing sensitive data and threatening to leak it publicly. The new strategy has been attributed to advancements in technology, changes in company operations, and the increasing sophistication of attackers. Ransom payment rates have declined significantly, from 76% in 2019 to 28% in 2026, due to measures such as better backups and improved incident response. Attackers are now focusing on stealing sensitive data rather than encrypting systems, making it harder for defenders to neutralize the attack. The shift has significant implications for defenders, who must adapt their traditional ransomware response plans to focus on protecting against data breaches and reputational damage. Stolen datasets are increasingly monetized through resale to fraud groups, identity theft operations, and other criminal buyers, even if victims refuse to pay.
According to Kaspersky's State of Ransomware 2026 report, ransom payment rates have collapsed from roughly 76% in 2019 to just 28% in 2026. This decline can be attributed to several factors, including better backups, stricter cyber-insurance rules, regulatory pressure, and improved incident response. These measures have reduced the profitability of large-scale encryption campaigns.
Furthermore, attackers are now focusing on stealing sensitive data, rather than encrypting systems. This approach allows them to avoid the operational problems associated with encryption, such as generating forensic evidence, triggering EDR alerts, and giving defenders time to react. As Paganini states, "Extortion-only attacks are faster, quieter, and far harder for backup-and-restore strategies to neutralise. The data is already out the door before the victim notices."
Recent incidents have highlighted this trend. In May 2026, ShinyHunters claimed to have stolen around 3.65 TB of data from Instructure, the company behind Canvas LMS, which allegedly affected roughly 275 million students, teachers, and staff across approximately 9,000 educational institutions. Similarly, the Nitrogen gang targeted Foxconn's North American operations, reportedly exfiltrating nearly 8 TB of internal data, technical drawings, project documentation, and confidential manufacturing information.
These incidents demonstrate that attackers are now prioritizing credential theft, long-term access, and exfiltration over traditional ransomware deployment. The pressure point is changing too. Companies are no longer paying just to restore operations; they are paying to avoid reputational damage, regulatory fallout, and exposure of sensitive internal documents.
The shift in strategy has significant implications for defenders. Traditional ransomware response plans focused heavily on restoring systems, recovering encrypted files, rebuilding infrastructure, and negotiating decryption keys. However, when attackers skip encryption entirely, those controls lose much of their value. Organizations can restore systems quickly and still suffer a catastrophic breach because the stolen data already exists outside their control.
The economics have also changed. As Paganini notes, "When the leak site itself is the product, the victim’s negotiation position weakens dramatically." The most important strategic shift is the one with the least technical content. In the 2020 model, the data leak site was a coercion device: pay or we publish. In the 2026 model, the data leak site is the product. Operators have built downstream relationships with carders, identity-fraud rings, and (in some confirmed cases) sanctioned intelligence services that purchase exfiltrated datasets directly.
Stolen datasets are increasingly monetized through resale to fraud groups, identity theft operations, and other criminal buyers, even if victims refuse to pay. This new approach has significant implications for businesses and individuals alike. As Paganini concludes, "It would be easy to read the encryption-less shift as good news. After all, encryption was the part of ransomware that did the most operational damage to victims, locked systems, broken supply chains, halted hospitals. If operators stop encrypting, isn’t that a defensive win? Not exactly. The reduction in encryption is balanced by an increase in the scope and persistence of the data exposure."
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Pure-Extortion-A-New-Era-in-Ransomware-Attacks-ehn.shtml
https://securityaffairs.com/192550/cyber-crime/why-pure-extortion-is-replacing-traditional-ransomware.html
Published: Sat May 23 09:33:33 2026 by llama3.2 3B Q4_K_M