
How Data Extortion Works—and Why It Replaced Ransomware

Data extortion attacks skip encryption entirely, stealing sensitive files and threatening to publish them unless victims pay. With an elevenfold surge in incidents, this tactic is rapidly overtaking traditional ransomware.

Redakcia
4 min read

A New Breed of Cyber Threat

For years, ransomware dominated the cybercrime landscape: attackers would encrypt a victim's files, then demand payment for the decryption key. But a quieter, more efficient tactic has overtaken it. In data extortion, criminals skip encryption altogether. They steal sensitive files—trade secrets, employee records, customer databases, internal emails—and threaten to publish or sell them unless the victim pays up.

The shift is dramatic. According to Arctic Wolf's 2025 Threat Report, data-only extortion incidents surged elevenfold year over year, jumping from 2% to 22% of all incident response engagements. Groups like ShinyHunters, Silent Ransom, and the newly formed PEAR now focus exclusively on stealing data rather than locking systems.

How the Attack Unfolds

A typical data extortion attack follows a recognizable pattern. First, attackers gain initial access, most often through social engineering. ShinyHunters, for instance, is known for voice-phishing campaigns in which operatives impersonate IT support staff and talk employees into granting access to identity providers such as Okta and to SaaS applications such as Salesforce, which then unlock the rest of the company's cloud estate.

Once inside, the attackers move laterally through cloud environments, targeting high-privilege engineering accounts, Git repositories, CI/CD pipelines, and cloud storage buckets. They quietly exfiltrate hundreds of gigabytes of data—emails, contracts, credentials, database dumps—before the victim even detects the intrusion.

Then comes the extortion message. Victims receive a demand specifying the stolen data, a ransom amount (often exceeding $1 million for large organizations), a cryptocurrency wallet address, and a deadline—typically 72 hours. If the victim refuses, the attackers publish the data on dark-web leak sites or sell it to competitors and other criminals.

Why Attackers Prefer It Over Ransomware

The shift away from encryption-based ransomware is driven by cold economics. Encrypting an entire network requires deploying complex malware, maintaining decryption infrastructure, and risking detection by endpoint security tools. Data exfiltration, by contrast, is faster, cheaper, and harder to stop: it needs only valid credentials and an outbound connection, and a bulk download to an attacker-controlled cloud bucket looks much like ordinary business traffic.

Organizations have also gotten better at recovering from encryption attacks. Robust backup strategies and incident response plans mean many victims can restore systems without paying. But stolen data cannot be "unstolen." Once customer records or trade secrets are in an attacker's hands, no backup can undo the damage. As BlackFog's research notes, this makes the leverage far more persistent.

Other figures point the same way. VikingCloud reports that ransomware was present in 44% of breaches in 2025, up from 32%, and that the share of those incidents involving extortion without encryption doubled from 3% to 6% in a single year.

Who Is at Risk

Data extortion targets span every sector. Healthcare organizations face exposure of patient records. Financial firms risk leaking transaction data. Technology companies can lose proprietary source code. Even government institutions are vulnerable—the European Commission confirmed in March 2026 that ShinyHunters exfiltrated over 350 GB of data from its Europa.eu cloud infrastructure, including email archives and internal credentials.

Small and mid-sized businesses are especially exposed. They often lack dedicated security teams, making them softer targets with fewer resources to detect intrusions early.

How Organizations Defend Against It

Because data extortion is not stopped by the defenses built for encryption attacks, above all backups and rapid restore, protection requires a different mindset: the goal is to prevent and detect the theft itself. CISA recommends several core strategies:

  • Zero-trust architecture—assume no user or device is trustworthy by default and enforce least-privilege access across all systems.
  • Data loss prevention (DLP)—deploy inline tools that monitor and block unusual data transfers before exfiltration occurs.
  • Network segmentation—limit lateral movement so a single compromised account cannot reach the entire data estate.
  • Employee training—since social engineering remains the top entry point, regular phishing awareness programs are critical, including a rule that help-desk and IT-support requests for access are verified through a known-good channel before anything is granted.
  • Incident response planning—maintain and rehearse a response playbook that specifically addresses data theft scenarios, not just encryption.
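The exfiltration stage described above (hundreds of gigabytes pulled from cloud storage before anyone notices) and the DLP point in this list both come down to one detection: a principal that reads far more than it normally does from object storage in a short window. The following is an added example, not code from the article or from Arctic Wolf, CISA, or any vendor it cites. It reads a simplified, constructed access-log format (timestamp, principal, action, object key, bytes), sums read volume per principal per hour, and raises an alert when a window exceeds a threshold, attaching any sensitive path prefixes that principal touched. The log format, the 10 GiB threshold, and the `db-dumps/`, `mail-archive/`, and `secrets/` prefixes are assumptions for illustration; a real deployment would map these onto the provider's actual audit log schema and a per-principal baseline.

```python
"""Flag bulk reads from cloud object storage as possible exfiltration.

Added example, not from the article. The log schema below is a constructed,
simplified CSV, not any cloud provider's real audit-log format, and the
threshold and sensitive prefixes are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real data): two ordinary users and a
# high-privilege deployment identity, "ci-deploy", that suddenly pulls
# database dumps, a mail archive, and production credentials in bulk.
SAMPLE_LOG = """\
2026-03-10T09:00:12Z,alice@example.com,GetObject,reports/q1.pdf,2048000
2026-03-10T09:05:40Z,alice@example.com,GetObject,reports/q2.pdf,1900000
2026-03-10T09:07:03Z,ci-deploy,GetObject,build/app.tar.gz,52000000
2026-03-10T11:02:15Z,ci-deploy,GetObject,db-dumps/customers-2026-03.sql.gz,41000000000
2026-03-10T11:09:44Z,ci-deploy,GetObject,db-dumps/orders-2026-03.sql.gz,38000000000
2026-03-10T11:15:20Z,ci-deploy,GetObject,mail-archive/exec-2025.pst,22000000000
2026-03-10T11:20:01Z,ci-deploy,ListObjects,secrets/,0
2026-03-10T11:21:30Z,ci-deploy,GetObject,secrets/prod-credentials.env,4096
2026-03-10T12:30:00Z,bob@example.com,PutObject,uploads/photo.jpg,3000000
"""

GIB = 1024 ** 3
EPOCH = datetime(1970, 1, 1)
# Assumed naming convention for the most damaging data; adjust per estate.
SENSITIVE_PREFIXES = ("db-dumps/", "mail-archive/", "secrets/")

Record = Tuple[datetime, str, str, str, int]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed CSV format into (ts, principal, action, key, bytes)."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, key, nbytes = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        principal, action, key, int(nbytes)))
    return records


def egress_per_window(records: List[Record],
                      window: timedelta = timedelta(hours=1)) -> Dict[str, Dict[datetime, int]]:
    """Sum bytes read (GetObject only) per principal in fixed time windows."""
    totals: Dict[str, Dict[datetime, int]] = defaultdict(lambda: defaultdict(int))
    for ts, principal, action, _key, nbytes in records:
        if action != "GetObject":
            continue  # writes and listings move no data out
        bucket = EPOCH + window * ((ts - EPOCH) // window)  # floor to window start
        totals[principal][bucket] += nbytes
    return totals


def find_bulk_readers(records: List[Record], threshold_bytes: int = 10 * GIB,
                      window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Return one alert per (principal, window) whose read volume exceeds the threshold.

    Each alert lists the sensitive prefixes the principal touched (any action,
    including listings) inside that window, so the responder sees what was taken.
    """
    alerts = []
    for principal, buckets in egress_per_window(records, window).items():
        for start, total in buckets.items():
            if total <= threshold_bytes:
                continue
            end = start + window
            touched = sorted({key.split("/")[0] + "/"
                              for ts, p, _a, key, _n in records
                              if p == principal and start <= ts < end
                              and key.startswith(SENSITIVE_PREFIXES)})
            alerts.append({"principal": principal,
                           "window_start": start.isoformat(),
                           "bytes": total,
                           "sensitive_prefixes": touched})
    alerts.sort(key=lambda a: a["window_start"])
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_readers(parse_log(SAMPLE_LOG)):
        print(f"{alert['window_start']} {alert['principal']}: "
              f"{alert['bytes'] / GIB:.1f} GiB read, touched {alert['sensitive_prefixes']}")
```

On the constructed sample, only `ci-deploy` in the 11:00 window trips the alert (about 94 GiB read, touching all three sensitive prefixes), while its earlier 52 MB build download and the ordinary users stay under the line. The useful refinement in practice is replacing the fixed threshold with a per-principal baseline and alerting on the ratio, since a backup service legitimately reads terabytes and an engineer's laptop never should.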

The Bigger Picture

Data extortion represents a fundamental evolution in cybercrime. It exploits the one thing organizations cannot reverse: the exposure of information. As cloud adoption accelerates and companies store ever more sensitive data online, the attack surface grows. Security experts warn that until organizations treat data theft as seriously as system lockouts, extortion groups will continue to thrive.
