Ransomware gangs are shifting from encryption to pure extortion, focusing on stolen data, reputational pressure, and stealthier attacks.
Ransomware groups are quietly changing strategy in 2026. Instead of encrypting systems and causing immediate disruption, many attackers are now focusing on pure extortion: stealing sensitive data and threatening to leak it publicly if victims refuse to pay.
This shift is happening for a simple reason. Encryption is noisy, risky, and easier for defenders to detect. Data theft is often faster, quieter, and in many cases more profitable.
Several recent reports suggest attackers are increasingly prioritizing credential theft, long-term access, and exfiltration over traditional ransomware deployment. The pressure point is changing too. Companies are no longer paying just to restore operations, they are paying to avoid reputational damage, regulatory fallout, and exposure of sensitive internal documents.
The biggest incidents of the past months show the same pattern again and again: attackers are causing enormous damage without encrypting systems at all.
The shift is now visible at scale.
According to Kaspersky’s State of Ransomware 2026, ransom payment rates have collapsed from roughly 76% in 2019 to just 28% in 2026. In practice, fewer than one in three victims now pays.
“The new model is pure data extortion: steal it, threaten to publish it, monetise either through victim payment or, increasingly, direct resale on the data leak site. In May 2026 this isn’t an exotic experiment.” reads the report published by the Ransomnews Research Team. “It’s the default playbook.” continues the report.
Attackers adapted because the old model became less effective. Better backups, stricter cyber-insurance rules, regulatory pressure, and improved incident response reduced the profitability of large-scale encryption campaigns.
Encryption also creates operational problems for attackers. It generates forensic evidence, triggers EDR alerts, and gives defenders time to react.
“The shift is rational. Encryption is operationally expensive for the attacker, it leaves loud forensic artifacts, triggers EDR alerts on file-rewrite patterns, requires per-victim key management, and exposes the operator to law-enforcement decryption assistance.” continues the report.”Extortion-only attacks are faster, quieter, and far harder for backup-and-restore strategies to neutralise. The data is already out the door before the victim notices.”
The numbers behind recent attacks explain why this model is becoming dominant.
In May 2026, ShinyHunters claimed to have stolen around 3.65 TB of data from Instructure, the company behind Canvas LMS. The leak allegedly affected roughly 275 million students, teachers, and staff across approximately 9,000 educational institutions.
Around the same period, the Nitrogen gang targeted Foxconn’s North American operations, reportedly exfiltrating:
- 11 million files
- nearly 8 TB of internal data
- technical drawings
- project documentation
- confidential manufacturing information
In both cases, encryption was either absent or secondary. The pressure came entirely from data exposure.
That changes the defensive equation significantly.
Traditional ransomware response plans focused heavily on:
- restoring systems,
- recovering encrypted files,
- rebuilding infrastructure,
- and negotiating decryption keys.
But when attackers skip encryption entirely, those controls lose much of their value. Organizations can restore systems quickly and still suffer a catastrophic breach because the stolen data already exists outside their control.
The economics have changed too:
“When the leak site itself is the product, the victim’s negotiation position weakens dramatically.” states the report. “The most important strategic shift is the one with the least technical content. In the 2020 model, the data leak site was a coercion device: pay or we publish. In the 2026 model, the data leak site is the product. Operators have built downstream relationships with carders, identity-fraud rings, and (in some confirmed cases) sanctioned intelligence services that purchase exfiltrated datasets directly. Victim payment is no longer the only, or even the primary, revenue channel for some operators.”
Leak sites are no longer just pressure tools. They became marketplaces. Stolen datasets are increasingly monetized through resale to fraud groups, identity theft operations, and other criminal buyers even if victims refuse to pay.
Another major trend in 2026 is the widespread adoption of EDR-killer utilities.
Attackers now routinely disable endpoint detection systems before beginning reconnaissance or exfiltration. The most common method remains BYOVD (Bring Your Own Vulnerable Driver), where attackers load signed but vulnerable Windows drivers to terminate security tools at kernel level.
What used to be considered advanced tradecraft in 2024 is now becoming standard even among mid-tier ransomware affiliates.
Operational timelines are also shrinking:
- Initial access to reconnaissance: often 2–7 days
- Data exfiltration: sometimes completed in 1–4 days
- Public leak-site listing: often within hours after exfiltration
By removing the encryption phase entirely, attackers cut several days from the attack lifecycle while also eliminating the loudest detection stage.
For defenders, this means the old ransomware playbook is no longer enough.
The priority is shifting toward:
- exfiltration detection,
- outbound traffic monitoring,
- cloud-storage abuse detection,
- off-host logging,
- DLP controls,
- and rapid disclosure readiness.
Backups still matter. But backups alone do not protect against a public data leak involving millions of records or years of intellectual property.
The uncomfortable reality is that ransomware did not become weaker. It became quieter, faster, and more focused on long-term data exposure instead of immediate operational disruption.
“It would be easy to read the encryption-less shift as good news. After all, encryption was the part of ransomware that did the most operational damage to victims, locked systems, broken supply chains, halted hospitals. If operators stop encrypting, isn’t that a defensive win?” concludes the report. “Not exactly. The reduction in encryption is balanced by an increase in the scope and persistence of the data exposure. A 275-million-record dataset on a public leak site is a 30-year liability for the victims of that data. A 10-million-file Foxconn dump rewrites the threat models of every downstream brand whose IP it touches. The visible operational damage is smaller. The invisible long-tail damage is much larger.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
