Why Ransomware Groups Are Abandoning Encryption
For more than a decade, the ransomware business model was defined by a single technical step: encrypt the victim’s files, demand payment for the decryption key, and profit from the operational paralysis that encryption creates. Backup-based defenses were developed in response — restore from clean backups, refuse to pay, accept a few days of downtime. For a significant fraction of organizations that invested in offline or immutable backups, this defense worked. Ransomware groups noticed.
Publicly reported ransomware attacks rose 47% year-over-year in 2025 — from approximately 4,900 recorded incidents in 2024 to 7,200 in 2025 — while ransomware revenues paradoxically declined over the same period. This divergence reveals the mechanism: the backup defense was working well enough to depress payment rates, reducing revenue per attack even as attack volume grew. The response from threat actors has been rational and rapid: if encryption is the component that victims have learned to counter, remove encryption from the equation.
The exfiltration-only model is operationally simpler and cheaper. Encryption requires deploying ransomware binaries across the victim’s environment — a noisy process that triggers endpoint detection tools. Exfiltration requires only valid credentials, a data staging server, and patience. No encryption key management, no decryptor delivery infrastructure, no negotiation over “proving” files can be recovered. The threat is simpler and arguably more psychologically effective: “We have your data, and we will publish it in 72 hours unless you pay.” Unlike encrypted files, data cannot be restored from backup. The extortion leverage is permanent.
Q1 2026 threat data confirms the structural nature of this shift. The Gentlemen ransomware group, which uses exclusively exfiltration-based extortion, grew from 35 victims in Q4 2025 to 182 victims in Q1 2026 — a 420% quarter-over-quarter increase. Qilin remained the most active overall group with 361 Q1 2026 victims, though that represented a 25% decrease from its Q4 2025 peak. NightSpire, a newer group that emerged in Q1 2026, targets unpatched network edge devices using CVE-2024-55591 and uses exfiltration without encryption as its primary extortion mechanism. Manufacturing was the most targeted sector in Q1 2026, with construction rising 44% year-over-year to enter the top five industries. The United States accounted for 51% of Q1 2026 victims.
Three Structural Changes to Your Incident Response Posture
The exfiltration-only shift requires a fundamentally different incident response posture. The backup-centric response model — isolate, restore, resume — addressed encryption but has no effect on data already exfiltrated. Three structural changes are required.
1. Treat Data Classification as an Incident Response Prerequisite
When an exfiltration-only group threatens to publish data unless paid, the first question the CISO must answer is: what data was exfiltrated, and what are the regulatory and reputational consequences of its publication? Without a current, accurate data classification inventory, this question cannot be answered in the 72-hour window that most extortion threats provide.
Data classification must identify at minimum: which systems contain personally identifiable information (PII) triggering GDPR or equivalent notification obligations, which systems contain intellectual property whose public disclosure would harm competitive position, which systems contain data covered by contractual confidentiality with clients, and which systems contain data whose publication would create legal liability (attorney-client privileged communications, healthcare records, financial data subject to insider trading rules). This classification must be documented, reviewed annually, and readily accessible to incident response teams — not stored in a SharePoint folder that requires two VPNs to access during a crisis.
Organizations that completed this classification exercise as part of ISO 27001 implementation or GDPR compliance have a direct advantage: they can identify the blast radius of a given exfiltration event within hours rather than days. Organizations that have not completed it will make breach notification decisions — to regulators, to customers, to the media — without knowing what was actually taken.
2. Deploy Data Loss Prevention Controls on Exfiltration Paths
Backup immutability prevents encryption damage but does nothing to detect or block exfiltration. Data Loss Prevention (DLP) controls — applied at the network egress, at the endpoint, and at the cloud storage layer — provide detection and prevention capability that specifically addresses the exfiltration-only threat model.
Network DLP at the perimeter can detect large-volume data transfers to unusual external destinations — particularly staging servers on newly registered domains or cloud storage accounts that are not approved business applications. Endpoint DLP can prevent bulk file transfers to USB devices or unapproved cloud sync clients. Cloud DLP can scan SaaS applications for anomalous data sharing — an attacker who has compromised a user’s Microsoft 365 credentials may stage data in a shared OneDrive folder before exfiltrating it.
The most common enterprise gap is in the cloud layer. Modern exfiltration techniques increasingly use the victim organization’s own cloud storage credentials to stage and exfiltrate data — bypassing perimeter DLP that only inspects external traffic because the staging destination is a SharePoint site or AWS S3 bucket within the corporate account boundary. Apply DLP policies to internal-to-internal large data movements, not only to external egress.
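The detection logic described above, as an added example that is not part of the original article: it sums bytes per source/destination pair over a sliding window from constructed flow records and flags pairs that exceed a volume threshold and are not approved business destinations, treating an internal SharePoint staging site the same way as an external domain. The flow records, the approved-destination list and the threshold are assumptions for illustration.

```python
"""Egress-volume detector for bulk data movement (illustrative, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: timestamp, source host, destination, bytes.
SAMPLE_FLOWS = """\
2026-03-14T02:01:10Z ws-0412 sharepoint.corp.example 734003200
2026-03-14T02:03:42Z ws-0412 sharepoint.corp.example 805306368
2026-03-14T02:05:00Z ws-0412 crm.vendor.example 2048000
2026-03-14T02:06:30Z ws-0198 files.newdomain-staging.example 1610612736
2026-03-14T02:10:05Z ws-0198 updates.vendor.example 52428800
2026-03-14T09:00:00Z ws-0412 sharepoint.corp.example 104857600
"""

# Assumed allow list of approved business applications; everything else,
# including internal cloud storage, is evaluated as a possible staging path.
APPROVED = {"crm.vendor.example", "updates.vendor.example"}


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return flows


def detect_bulk_transfers(flows, threshold_bytes=1_000_000_000,
                          window=timedelta(hours=1), approved=APPROVED):
    """Return {(src, dst): peak_bytes_in_window} for non-approved destinations
    whose transferred volume within any sliding window exceeds the threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if dst in approved:
            continue  # approved destination; not an exfiltration staging path
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        total, start = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[start][0] > window:  # drop events outside the window
                total -= events[start][1]
                start += 1
            if total > threshold_bytes:
                alerts[pair] = max(alerts.get(pair, 0), total)
    return alerts


if __name__ == "__main__":
    for (src, dst), peak in detect_bulk_transfers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src} -> {dst}: {peak} bytes within window")
```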
3. Pre-Negotiate a Breach Response Retainer Before an Incident Occurs
The 72-hour extortion window that exfiltration-only groups typically impose creates a negotiation challenge that organizations without prior preparation cannot meet. Before an incident, engage a cybersecurity firm with demonstrated ransomware negotiation experience under a retainer agreement. The retainer costs USD 15,000–30,000 per year for most mid-market organizations and provides immediate access to: negotiators who understand attacker psychology and current threat group payment patterns, threat intelligence analysts who can attribute the attack and assess whether the group has a track record of publishing data after payment, and legal counsel familiar with the regulatory dimensions of ransom payment in relevant jurisdictions.
Without a retainer, finding qualified negotiation support during an active incident takes 24–48 hours minimum — time spent while the extortion clock is running. The attacker’s 72-hour deadline is partly a pressure tactic but is also sometimes real: threat groups have published data when their deadline passed without contact, creating the notification and regulatory exposure that payment was intended to avoid.
The retainer decision also includes a critical policy question: does your organization’s board have a pre-approved ransom payment authorization framework? In exfiltration-only incidents, the board will be asked within 48 hours whether to pay. Organizations that have never discussed this question will discover that getting board consensus on a payment authorization during a live incident, with legal counsel not yet retained, is slower and more damaging than the incident itself.
What Comes Next
The exfiltration-only shift is not the final evolution of the ransomware business model — it is the current iteration in a continuous adaptation cycle. Recorded Future’s 2026 threat forecast predicts that 2026 will be the first year new ransomware actors outside Russia outnumber those within it, signaling geographic diversification of the ecosystem. DDoS-as-a-Service is being bundled with exfiltration-only extortion as a secondary pressure lever. Insider recruitment — ransomware operators paying employees to provide credentials or disable security controls — is documented in multiple 2025 cases, including an attempted recruitment of a BBC reporter.
The organizations most at risk from the exfiltration-only model are those whose defense investment concentrated entirely on backup resilience and endpoint encryption-detection — both entirely rational responses to the previous threat model. The current model requires layered investment in data classification, DLP, and negotiation preparedness that most organizations have not made. The adjustment window is not long: groups like The Gentlemen are demonstrating that purely exfiltration-based campaigns can scale rapidly, moving from niche to dominant tactic within a single quarter.
The incident response posture must now account for an adversary who has already won before encryption starts — because encryption never starts. The question is no longer “can we recover?” It is “what are the consequences of publication, and are we prepared to manage them?”
Frequently Asked Questions
Q: If an attacker only exfiltrates data without encrypting, does paying the ransom guarantee they will not publish it?
No — and this is the core asymmetry of the exfiltration-only model. With encryption-based ransomware, the attacker’s incentive to provide the decryptor is aligned with future revenue (reputation for delivering decryptors attracts future payments). With exfiltration-only extortion, the data copy exists on the attacker’s infrastructure regardless of payment. Some groups have honored payment by not publishing; others have accepted payment and published anyway, or sold the data to other threat actors. Threat intelligence retainers include assessments of specific groups’ historical payment behavior, which is the most reliable guide — but it is not a guarantee.
Q: How does exfiltration-only extortion interact with GDPR or similar data protection regulations?
If the exfiltrated data includes personal data of EU residents, GDPR Article 33 requires notification to the relevant supervisory authority within 72 hours of becoming aware of the breach — regardless of whether a ransom is paid or the data is published. Paying the ransom does not eliminate the regulatory notification obligation. Some organizations have argued that paying prevents publication and therefore prevents harm, and that notification is therefore unnecessary — this argument has been consistently rejected by EU data protection authorities. Notification is required upon awareness of the breach, not upon confirmation of harm.
Q: What sectors are most targeted by exfiltration-only groups in 2026?
Q1 2026 data identifies manufacturing as the top target overall, with construction rising 44% year-over-year to enter the top five. Healthcare has historically been the highest-consequence target due to the sensitivity of its data, and remains heavily targeted. Financial services and technology companies are consistent top-five sectors. The geographic concentration in Q1 2026 was heavily US-weighted (51% of victims), but threat groups are explicitly expanding geographically — Recorded Future predicts 2026 will mark the first year new actors outside Russia outnumber those within it.
Sources & Further Reading
- Ransomware Tactics and Trends 2026 — Recorded Future
- The State of Ransomware 2026 — BlackFog
- Ransomware Reaches Elevated New Normal in 2026 — Industrial Cyber
- Zero-Days, Data Breaches and AI Risks Define Cybersecurity Landscape in 2026 — eSecurity Planet
- MITRE ATT&CK — Exfiltration Techniques — MITRE