The End of Encryption? Ransomware Actors Shift to Data Theft as Payments Plummet

Ransomware Groups Pivot to 'Pure Extortion' as Victim Payment Rates Collapse

INFORMATIONAL
May 25, 2026
June 11, 2026
4m read
RansomwareThreat IntelligenceData Breach

Related Entities(initial)

Organizations

Kaspersky

MITRE ATT&CK Techniques

T1041Exfiltration

Exfiltration Over C2 Channel

T1567Exfiltration

Exfiltration Over Web Service

T1560Collection

Archive Collected Data

Full Report(when first published)

Executive Summary

Cybercrime tactics are evolving in response to improved enterprise defenses. A new report from Kaspersky indicates a major strategic shift among ransomware groups away from the hallmark tactic of data encryption. Instead, many are now adopting a "pure extortion" model. This involves breaching a network, stealing sensitive data, and forgoing the deployment of ransomware altogether. The leverage then comes not from operational disruption, but purely from the threat of leaking the exfiltrated data. This change is a direct result of economic pressures: with ransom payment rates collapsing to just 28%, attackers are finding data theft to be a more reliable and profitable monetization strategy.

Threat Overview

The traditional ransomware model, known as double extortion, involves two threats: 1) data is encrypted, disrupting operations, and 2) data is exfiltrated, with a threat to leak it. The new "pure extortion" or "data theft extortion" model simplifies this by focusing only on the second part.

Drivers for the Shift:

  • Declining Payments: A Kaspersky report highlights that ransom payment rates have plummeted from 76% in 2019 to 28% today. As fewer than one in three victims pay for a decryption key, the return on investment for developing and deploying encryption malware has decreased.
  • Improved Defenses: Organizations have become much better at mitigating the impact of encryption. Robust, immutable backup and recovery strategies (M0916 - Data Backup) mean many companies can restore their systems without paying the ransom.
  • Stealth and Speed: Data exfiltration can be quieter and faster than encrypting hundreds or thousands of systems. Encrypting files is a noisy process that can trigger security alerts, while data theft can sometimes be blended with normal network traffic.

The New Pressure Point: Threat actors are now betting that the fear of reputational damage, regulatory fines (e.g., under GDPR or HIPAA), and loss of competitive advantage from a public data leak is a stronger motivator for payment than operational downtime.

Impact Assessment

This tactical shift has several implications for defenders:

  • Detection Becomes Harder: The focus shifts from detecting the noisy encryption process to detecting the stealthier data exfiltration phase. This requires a greater emphasis on monitoring outbound network traffic and identifying anomalous data transfers.
  • Prevention is Even More Critical: Once data has been exfiltrated, the damage is done. Unlike with encryption, where a successful restoration can fully mitigate the impact, stolen data cannot be 'un-stolen'. The leverage is permanent.
  • Incident Response Changes: The response to a pure extortion attack focuses less on system recovery and more on damage control: understanding what data was taken, notifying affected parties, and managing the public fallout.

Detection and Mitigation

Defending against pure extortion requires a focus on preventing the initial breach and detecting data exfiltration.

Detection

  1. Network Traffic Analysis: Implement Network Detection and Response (NDR) solutions to baseline normal traffic patterns and alert on anomalies, such as large data transfers to unexpected locations or the use of data staging tools. This is a direct application of D3-NTA: Network Traffic Analysis.
  2. Data Loss Prevention (DLP): Deploy DLP solutions on endpoints, email gateways, and network egress points to identify and block the unauthorized transfer of sensitive data.
  3. Deception Technology: Use decoy systems and data (honeypots/honeytokens) to lure attackers. Any access to these decoy assets is a high-fidelity indicator of a breach.

Mitigation

  1. Strengthen Initial Access Defenses: The best way to stop data theft is to prevent attackers from getting in. This means robust patch management, MFA everywhere, and strong email security.
  2. Data Discovery and Classification: Organizations must know where their sensitive data resides to properly protect it. Implement data classification policies and use discovery tools to find and secure crown jewel assets.
  3. Zero Trust Architecture: Adopt a Zero Trust mindset. Assume the network is hostile and require strict verification for every user and device trying to access resources. Implement network segmentation (M1030 - Network Segmentation) to limit an attacker's ability to move laterally and find valuable data.

Timeline of Events

1
May 25, 2026
This article was published

Article Updates

June 11, 2026

New report from insurer Resilience confirms data theft extortion is now dominant (65% of claims), with 30-40% of attackers leaking data even after payment.

Update Sources:
infosecurity-magazine.comExtortion-Only Attacks Surge as Data Theft Dominates

MITRE ATT&CK Mitigations

Filter Network Traffic

M1037enterprise

Monitoring and filtering outbound network traffic is the primary defense against data exfiltration.

Encrypt Sensitive Information

M1041enterprise

While this doesn't prevent theft, encrypting sensitive data at rest can make the stolen data useless to the attacker if they don't also steal the keys.

Network Segmentation

M1030enterprise

Segmenting the network makes it harder for attackers to move from a compromised endpoint to the servers where sensitive data is stored.

Sources & References(when first published)

Cyber Daily News for May 24, 2026
YouTube (youtube.com) May 24, 2026
DragonForce Strikes at HELIX INTERNATIONAL
DeXpose (dexpose.io) May 25, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

RansomwareExtortionData TheftCybercrimeKasperskyThreat Trends

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.