Encryption is becoming optional for ransomware groups. A growing number now skip the file-locking malware entirely, steal data, and threaten to publish or sell it unless the victim pays. The security firm Arctic Wolf describes the change as a move from encryption-based extortion to exfiltration-led extortion, with encryption demoted to a secondary tactic where it is used at all.
The clearest articulation of the model comes from a report by the Ransomnews Research Team, summarised by Security Affairs: steal the data, threaten to publish it, and monetise it either through a victim payment or, increasingly, direct resale on a data-leak site. The report calls this the default playbook as of May 2026. That phrasing is a vendor’s, and the claim that pure extortion has become the norm rather than one tactic among several should be read as an estimate, not a measured share of attacks.
BianLian Stopped Encrypting Altogether
The trend has a concrete example. Dark Reading reported that the BianLian group dropped encryption in favour of pure data-theft extortion, stealing files and demanding payment to keep them private without ever locking a system. The pivot matters because BianLian is an established operator, not a fringe crew testing an idea, and its move signals that the economics now favour theft over disruption.
Why Attackers Walked Away From Encryption
The reasons are practical. The UK’s National Cyber Security Centre has written that cybercriminals adopt whichever technology or business model lets them exploit victims best, and that the threat will keep adapting as actors chase profit. Better backups and stronger endpoint defences made the old encrypt-and-demand model less reliable, because a victim with clean offline backups can restore systems and refuse to pay.
Stealing the data removes that escape route. Analyst1 argues the shift toward exfiltration-only operations also shortens the time to ransom and lowers the attacker’s operational risk, since pushing encryption across an entire environment is noisy and raises the chance of being caught mid-attack. According to the Security Affairs summary, attackers now often disable security systems before exfiltrating data, which fits a model built around staying quiet rather than causing visible damage.
Your Backups Will Not Save You From This
This is the part defenders need to absorb. The standard ransomware advice, to keep tested offline backups, was built for a threat that destroys access to data. It does almost nothing against a threat that copies data and threatens to publish it. Backups still matter for recovery, but they are no longer the deciding factor in whether a victim pays.
The defensive priority moves to reducing what can be stolen and catching theft while it happens. Monitor for unusual outbound data transfers, segment networks so a single compromised account cannot reach everything, and restrict the services and protocols that widen the attack surface. Run regular security audits and penetration tests against exfiltration paths specifically, not just against the initial intrusion. Treat any large or irregular data egress as an incident until proven otherwise.
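A minimal sketch of the outbound-transfer monitoring described above, added here as an illustration and not taken from any of the cited reports. The flow-record layout, the internal address ranges, and the thresholds `k` and `floor` are assumptions to be tuned per environment; the sample records are constructed.

```python
import csv, io, ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample flow records: date, source host, destination IP, bytes sent.
SAMPLE_FLOWS = """\
2026-05-18,fileserver01,203.0.113.10,120000000
2026-05-19,fileserver01,203.0.113.10,135000000
2026-05-20,fileserver01,203.0.113.10,110000000
2026-05-21,fileserver01,203.0.113.10,128000000
2026-05-22,fileserver01,198.51.100.77,48000000000
2026-05-22,fileserver01,10.0.0.5,90000000000
2026-05-18,backup01,203.0.113.40,2000000000
2026-05-19,backup01,203.0.113.40,2200000000
2026-05-20,backup01,203.0.113.40,1900000000
2026-05-21,backup01,203.0.113.40,2100000000
2026-05-22,backup01,203.0.113.40,2050000000
2026-05-22,buildbox03,198.51.100.9,6000000000
"""

# Assumption: everything outside these ranges counts as external egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def daily_egress(flow_csv):
    """Sum bytes sent to external destinations, per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in csv.reader(io.StringIO(flow_csv)):
        addr = ipaddress.ip_address(dst)
        if not any(addr in net for net in INTERNAL_NETS):
            totals[host][day] += int(nbytes)
    return totals

def egress_alerts(flow_csv, today, k=6, floor=1_000_000_000):
    """Flag hosts whose external egress today exceeds an absolute floor and
    median + k*MAD of their own earlier days (no history: floor only)."""
    alerts = []
    for host, days in sorted(daily_egress(flow_csv).items()):
        sent = days.get(today, 0)
        history = [v for d, v in days.items() if d < today]  # ISO dates sort as text
        limit = floor
        if history:
            med = median(history)
            mad = median(abs(v - med) for v in history)
            limit = max(floor, med + k * mad)
        if sent > limit:
            alerts.append((host, sent, "above baseline" if history else "no baseline"))
    return alerts
```

On the sample data the file server and the host with no history are flagged, while the backup host's routine 2 GB daily upload stays under its own baseline and the large internal transfer is ignored.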
References
- Why Pure Extortion Is Replacing Traditional Ransomware
- The Changing Landscape of Cyber Extortion
- Ransomware & Extortion Activity
- BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion
- Ransomware, Extortion and the Cyber Crime Ecosystem
May 25, 2026