Threat actors are adapting their tactics by expanding into encryptionless extortion focused on data theft, credential abuse, and public pressure. Encryption remains a powerful and frequently-used tactic, but it now exists alongside other methods, which in many cases are quieter and faster. Together, these trends show that modern extortion operates as an adaptive financial crime ecosystem where multiple models coexist.
Ransomware is not going anywhere, but it is becoming more selective and adaptive. As defenders have improved their ability to detect malware, shorten dwell time, and recover from disruption, threat actors have been forced to adapt. The result is not the disappearance of ransomware, but the evolution of extortion, driven by speed, stealth, and monetization rather than technical spectacle.
Modern ransomware groups more often resemble organized financial crime operations. They alter techniques not always to showcase innovation, but to remain profitable in environments where endpoint detection, improved backups, and faster response times have reduced the reliability of encryption‑only attacks. When defenders get better, threat actors adapt. Data theft, credential abuse, and low‑noise access achieve comparable results, but without the operational risk of deploying malware that defenders are now better equipped to detect. This shift has driven the rise of encryptionless extortion, where access itself becomes the product and stolen data the bargaining chip. At the same time, traditional ransomware remains very much alive. These approaches are not in competition; they coexist within the same economic system, selected based on the defenses encountered and the fastest path to payment.
Who has driven the move to encryptionless?
Ransomware activity reached record levels in 2025, with 4,737 reported attacks, slightly surpassing 2024, despite the downtime of two major RaaS operations, LockBit (Syrphid) and RansomHub (Greenbottle). Their police-enforced downtime reshaped the ecosystem, enabling groups such as Akira and Qilin to record 16% each of all claimed attacks, while INC Ransom, Safepay, and DragonForce expanded their footprint. Alongside this shift, extortion-only attacks surged: Broadcom recorded 6,182 such incidents in 2025, a 23% annual increase, reflecting the move away from endpoint encryption toward pure data theft and coercion.
The move to encryptionless ransomware was led by groups such as Cl0p (operated by Snakefly), which appears to have abandoned traditional encryption in favor of exploiting enterprise software vulnerabilities at scale to steal data and extort victims. After high impact breaches in 2020 and 2021 involving Accellion FTA, Cl0p utilized this model throughout 2023, using a zero day vulnerability in Fortra’s GoAnywhere MFT to compromise 130 organizations and utilizing critical zero days such as the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362), enabling widespread data theft that may have gained the group up to $100 million. By late 2025, Cl0p was linked to extortion operations exploiting a new Oracle E Business Suite zero day vulnerability (CVE-2025-61882), with evidence suggesting that threat actors had access to the exploit months before disclosure, using a tool leaked by a separate threat group known as Scattered LAPSUS$ Hunters.

This threat group is believed to be an alliance of Scattered Spider, ShinyHunters, and LAPSUS$ and emerged in August 2025, having since marketed itself as an extortion as a service (EaaS) entity. Operating largely through Telegram, it has launched at least 16 channels, promoted its notoriety as leverage against victims, and hinted at developing a custom ransomware family dubbed Sh1nySp1d3r, though its primary focus remains extortion and data theft. The most active of the three, ShinyHunters has claimed responsibility for several large data thefts in 2025 and 2026, notably for targeting Salesforce instances of major companies such as Google, Cisco, Chanel, Qantas, and many others. They primarily use vishing tactics to socially engineer employees into authorizing malicious OAuth applications. By persuading targets to connect an attacker-controlled data loader to corporate Salesforce environments, the group demonstrated how credential theft and abuse of legitimate cloud features have become central to the new era of encryptionless ransomware.
Why is encryptionless on the rise?
A major factor behind the rise of encryptionless extortion is that modern ransomware attack chains are now frequently disrupted before encryption can occur, forcing adversaries to adapt their attack business models. Researchers report that better cyber security controls, improved backup strategies, and stronger recovery capabilities have sharply reduced threat actors’ ability to profit from encryption-based attacks. At Asceris, we have encountered several instances of the threat actor being stopped before they had the chance to deploy their ransomware.
Encryptionless attacks are often enabled through zero‑day exploitation and supply‑chain compromises, which give adversaries immediate access to sensitive data without needing to persist long enough to deploy ransomware. Threat actors are increasingly exploiting zero day vulnerabilities or software supply chain weaknesses to steal data from even well defended environments before defenders notice anything is wrong, notably as soon as or prior to the vulnerability becoming public knowledge or patched. This mirrors earlier patterns observed with Snakefly (Cl0p), whose MOVEit, GoAnywhere, and Oracle E Business Suite campaigns demonstrated how a single exploited vulnerability can result in mass data theft and subsequent extortion with no encryption required.

Extortion operations have also evolved beyond the binary choice of encrypting files or stealing data. Researchers also now describe a widening “extortion spectrum,” where threat actors combine multiple pressure tactics depending on the foothold they achieve inside a target environment. These tactics include credential abuse, partial data leaks, harassment of employees, targeted outreach to customers or regulators, and timed releases of stolen data across leak sites. Some campaigns rely entirely on social engineering and data exposure, while others retain a hybrid model that blends data theft with selective encryption to maximize leverage. This diversification shows that modern cyber extortion is no longer tied to malware deployment but instead revolves around whichever tactic most efficiently generates payment pressure.
Another factor accelerating the rise of encryptionless attacks is the increasing reliance on living‑off‑the‑land (LOTL) techniques. A growing percentage of extortion campaigns use legitimate IT and Remote Monitoring and Management (RMM) tools (PowerShell, PsExec, OS built-in utilities, AnyConnect, Splashtop, etc.), to conduct lateral movement and data harvesting in order to blend in with normal IT activity. Because these tools are often already present in most enterprise environments, their use rarely triggers traditional malware‑based detection mechanisms. This allows threat actors to quietly stage data, escalate privileges, and prepare exfiltration paths without deploying code that security products would normally flag. For defenders, this shift means there is no single “ransomware moment” to alert them to compromise, making extortion‑only intrusions significantly more challenging to detect.
An increasingly common approach
Asceris analysts have observed several cases of extortion‑only intrusions, where no ransomware payload was ever deployed. In one investigation, a victim was unaware they had been targeted by the threat group SafePay because the threat actor never used malware nor triggered any encryption event. Instead, the victim was notified by officials that their data was available on the SafePay dark web leak site for download. During the investigation, our team uncovered a long‑running compromise in which the threat actor gained access through a VPN using stolen credentials, moved laterally across internal systems, and escalated privileges using Kerberoasting. Once inside, the actor relied almost entirely on legitimate administrative tools to blend in with normal activity. They installed remote management software, conducted network reconnaissance, and prepared large multi‑part archives of data for potential exfiltration using tools such as WinRAR and PuTTY. But despite the scope of their access, the threat actor never attempted to encrypt files, dropped no ransomware payload, and left behind no ransom note. Their objective was purely data‑centric: obtain access, harvest information, and quietly stage it for theft. This case illustrates how modern extortion operations can unfold without any of the traditional hallmarks of a ransomware attack, making them significantly harder to detect. Without the unmistakable signal of encryption, organizations may remain unaware of a breach until long after sensitive data has been accessed, aggregated, and exfiltrated.
Looking ahead
The evolution of encryptionless attacks does not mean traditional ransomware is going away. When encryption is successfully executed, the operational disruption it causes creates an intense pressure capable of driving victims toward payment more than data theft extortion alone. The ability to halt production lines, disable hospitals, or freeze critical infrastructure remains a powerful bargaining chip. Research indicates that ransomware itself is not declining: ThreatLabz observed a 145.9% annual increase in ransomware attacks blocked across their cloud in 2025, alongside a 70% spike in public extortion cases posted to leak sites. Analysts also identified at least 34 new ransomware families emerging during this period, many filling the void left by disrupted or dismantled operations.
These trends indicate that the ransomware ecosystem is not contracting but rather diversifying. Encryptionless extortion is expanding, but encryption‑based attacks continue to rise as well, confirming that both approaches will coexist rather than compete.
The future of cyber extortion is not likely to be defined by the disappearance of ransomware, but by the use of multiple extortion tactics by threat groups using a flexible playbook. Threat actors increasingly select their methods based on the level of access achieved, the resilience of the victim’s environment, and the potential profitability of different coercive strategies. When defenders block the path to encryption, threat actors fall back to exfiltration. When they do achieve access, many groups still deploy ransomware for maximum business disruption. This adaptability ensures that both encryption‑based and encryptionless extortion will remain entrenched parts of the threat landscape for the foreseeable future.
About Asceris
Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.
Follow us on LinkedIn or subscribe to our RSS feed to make sure you don’t miss our next article.
Other recent insights