Out of the Crypt: The Evolving Cyber Extortion Economy Unit 42 reports a significant decline in ransomware encryption use, dropping to 78% in 2025 as threat actors shift to data theft and extortion without encryption. Driven by advanced backups, endpoint defenses, and regulatory pressure, pure data-exfiltration campaigns now target mid-sized firms in professional services, healthcare, and construction. This evolution weaponizes compliance deadlines like SEC and GDPR rules, forcing rapid negotiations and raising extortion costs to $5.08 million on average. Extortion Activity No Longer Requires Encryption for Payment This blog dives into the growing trend of data theft and extortion activities which no longer require the use of ransomware to pressure victims into paying a demand. We examine the financially-motivated threat actors using both single and double extortion techniques and what this means for organizations going forward, especially with the arrival of frontier AI models. Shifting Threat Landscape Observations As detailed in our 2026 Global Incident Response Report https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report , Unit 42 observed a notable decrease in the use of encryption for extortion-related cases last year. The total percentage in 2025 dropped to 78%, much lower than the near-or-above-90% levels observed between 2021-2024. Other security organizations have seen similar trends, with Google reporting https://cyberscoop.com/google-threat-intelligence-group-ransomware-report-2026/ a gradual rise in data theft and extortion incidents from approximately 2% in 2020 to 15% in 2025. Resilience also observed https://riskandinsurance.com/cybercriminals-abandon-encryption-for-data-extortion-raising-stakes-for-risk-managers/ an increase in extortion-only incidents in 2025, rising from 49% in the first half to 65% in the second half. Threat actors tracked by Unit 42 that have demonstrated a willingness to shift away from using ransomware to pure data theft and extortion include Bling Libra’s aka ShinyHunters focus on software-as-a-service SaaS applications https://therecord.media/fbi-warns-scattered-spider-salesforce and Hazy Scorpius’s aka CLOP exploitation of an Oracle EBS vulnerability https://therecord.media/fbi-uk-urge-orgs-to-patch-after-clop-campaign . When examining this precipitous drop in encryption, we see four primary drivers: advanced backup and recovery performance allowing routine re-imaging and restoration, endpoint maturity and automated disruption https://www.sophos.com/en-us/blog/the-state-of-ransomware-in-enterprise-2025 efficacy, exfiltration speed https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report and the increased pressure from regulatory frameworks https://ris.utwente.nl/ws/portalfiles/portal/324702475/Ecrime2023vPREPRINT.pdf where non-compliance fines, class-action lawsuits and systemic reputational damage are greater leverage than operational downtime. In 2025, pure data-exfiltration campaigns https://www.coveware.com/blog/2025/7/21/targeted-social-engineering-is-en-vogue-as-ransom-payment-sizes-increase heavily targeted Professional Services, Healthcare and Consumer Services firms with threat actors specifically focused on mid-sized organizations accounting for 64% of victims. Interestingly, while Manufacturing remains the single most disrupted sector overall, Construction has witnessed a 44% year-over-year increase as a data-only extortion hotspot https://industrialcyber.co/reports/ransomware-reaches-elevated-new-normal-as-attack-volumes-hold-steady-into-2026-reshape-baseline-risk-expectations/ . These firms are attractive targets due to lucrative financial blueprints and bidding data combined with data egress controls. The current data-only extortion economy is directly fueled by a heavily-regulated compliance landscape, which threat actors have effectively weaponized. Strict mandates like the SEC's 4-day disclosure window https://www.sec.gov/newsroom/press-releases/2023-139 and GDPR’s 72-hour reporting rule https://gdpr-info.eu/art-33-gdpr/ have created a regulatory countdown clock, allowing threat actors to force rapid negotiations before organizations can complete internal assessments. Because global privacy frameworks, state-level breach notification laws and post-leak class-action litigation have driven the average cost of data-theft extortion https://app.stationx.net/articles/cyber-security-breach-statistics to $5.08 million and over $10 million for broader U.S. breaches , data exposure alone carries disastrous financial liabilities. Threat actors recognize that regulatory penalties are so severe that the compliance framework itself compels corporate payouts. As recently noted https://www.paloaltonetworks.com/blog/2026/05/how-long-it-takes-to-lose-data/ by our Chief Security Intelligence Officer, Wendi Whitmore, it only took 39 seconds for threat actors to move from initial access to data exfiltration in one case. Differences in Extortion Operations Unit 42 is actively monitoring several threat actors that are continuously conducting data theft and extortion operations. The notable differences between these attackers is their use of initial access techniques and the number of extortion techniques to pressure victims into payment. Initial Access via Software Supply Chain Compromise TGR-CRI-1135 aka TeamPCP has been active since at least late 2025. According to Wired https://www.wired.com/story/teampcp-software-supply-chain-attack-spree-github/ , this group has conducted upwards of 20 distinct supply chain compromise attacks which have led to the injection of malicious code into over 500 pieces of software. We previously reported https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/ on the group’s activities earlier this year and how their malware was able to successfully exfiltrate sensitive secrets cloud access tokens, SSH keys, Kubernetes secrets from victims. In recent months, TGR-CRI-1135 has been partnering with various ransomware-as-a-service RaaS and extortion-as-a-service EaaS operators to monetize their ongoing intrusion activities. On the EaaS front, they have been collaborating with the operators of LAPSUS$ Group to extort targeted organizations via their data leak site as shown below in Figure 1. On the RaaS front, they have been working with the operators of Vect ransomware based on communications observed via the BreachForums cybercrime forum as shown in Figure 2. Unit 42 is also aware of claims by one of Vect’s affiliates, the Rostova Organization https://x.com/TweetThreatNews/status/2033921340407779648 , that they are also partnering with TGR-CRI-1135. On May 13, 2026, TGR-CRI-1135 announced the release of an open source version of Shai-Hulud on BreachForums as shown in Figure 3. Going forward, as noted in our most recent threat research article https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/ , this will likely make attribution more difficult given that copycats https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/ may leverage the tool in similar supply chain compromise attacks. One notable development related to Vect was the announcement on BreachForums shown in Figure 4 which states that those operators have been removed from the forum. It is unclear if this will have a material effect on their collaboration with TGR-CRI-1135 going forward. At this time, Unit 42 is not aware of TGR-CRI-1135 using any additional extortion techniques to pressure victims into paying their ransom demands outside of purely data exfiltration. Initial Access via Vishing Bling Libra continues their rampage of infiltrating customer SaaS tenants for data theft and extortion operations, which Unit 42 reported on extensively in 2025 https://unit42.paloaltonetworks.com/scattered-lapsus-hunters/ . The operators have distanced themselves from the cybercriminal alliance known as Scattered LAPSUS$ Hunters based on a Telegram message shown in Figure 5. However, their playbook has remained relatively unchanged based on Unit 42 observations. They continue to use vishing for initial access, directing unsuspecting victims to phishing sites designed to intercept user credentials and multifactor authentication MFA codes and ultimately registering their own devices to establish persistence within targeted environments. The operators still use the same Tox ID to communicate with victims and also maintain a Tor-based data leak site. In comparison to TGR-CRI-1135, Bling Libra uses additional extortion techniques outside of pure data theft to pressure victims into paying a ransom. Unit 42 is aware of their adoption of both distributed denial-of-service DDoS attacks and information leaks to media outlets as added leverage points to extort victims. On the flip side, an activity cluster tracked by Unit 42 as CL-CRI-1116, https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/ which overlaps with public reporting on BlackFile, has followed a similar pattern of activity in terms of a playbook-driven approach with some subtle and not so subtle nuances. While the attackers behind CL-CRI-1116 also use their own Tor-based data leak site, they do not reuse the same Tox ID across victims and typically use a different registrar to set up their phishing sites in comparison to Bling Libra. The major difference between CL-CRI-1116 and Bling Libra is the former’s use of swatting employees as a double extortion technique. This act is typically defined as placing a false emergency call to first responders, such as reporting a fake crime at a specific location to trigger a physical response. In many cases, this is expected to create chaos and can potentially even lead to acts of violence. This convergence between cyber and physical security can lead to complications if these two teams aren’t in regular communications with each other on how to address such a situation, especially as it pertains to executive protection. One recent development regarding the attackers behind CL-CRI-1116 is the closure of their former data leak site and the rebranding of their program under the name “Redact” with a new data leak site as shown in Figures 6 and 7. Looking Forward In recent weeks, Palo Alto Networks has been at the forefront of providing guidance to organizations on how to secure their environments from the inevitable weaponization of frontier AI models like Mythos by threat actors. These models currently accelerate at finding and chaining vulnerabilities together to exploit flaws in applications and infrastructure alike. For example, Anthropic recently disclosed https://www.securityweek.com/anthropic-mythos-detected-23000-potential-vulnerabilities-across-1000-oss-projects/ how Mythos was able to identify approximately 23,000 potential vulnerabilities across 1,000 open source software projects. We have also observed in AI-assisted scenarios that the time from initial access to data exfiltration has dropped to as little as 25 minutes https://www.paloaltonetworks.com/blog/2026/05/frontier-ai-defense/ . With this in mind, what do extortion activities, regardless of initial access vector or use of single vs double techniques, look like in the age of frontier AI models? In terms of software supply chain compromise, TGR-CRI-1135 has already targeted AI environments https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access as part of their ongoing campaigns, but what if they were able to weaponize a frontier AI model to further accelerate the speed and scale of their intrusion activities? This would compound the already complex problem of organizations trying to secure their application development and CI/CD pipelines from these types of attacks. The recent disclosure of the SymJack https://www.securityweek.com/symjack-attack-turns-ai-coding-agents-into-supply-chain-attack-delivery-systems/ is a prime example of how AI agents could be leveraged in these types of attacks. With regards to vishing, AI-powered call center platforms like ATHR https://www.bleepingcomputer.com/news/security/new-athr-vishing-platform-uses-ai-voice-agents-for-automated-attacks/ can nearly fully automate these attacks for human operators by utilizing AI agents to manage calls and other aspects of the intrusion lifecycle. This service not only lowers the barriers to entry for less sophisticated cybercriminals but also further accelerates attacks for more sophisticated threat actors like Bling Libra. The incorporation of frontier AI models into a platform like this would only exacerbate the speed and scale of attacks leveraging this type of capability. We believe there is an approximate window of 3-5 months https://www.paloaltonetworks.com/blog/2026/05/defenders-guide-frontier-ai-impact-cybersecurity-may-2026-update/ before these frontier AI models are weaponized by threat actors. The time is now for organizations to capitalize on a moment where we as defenders can truly establish a “left of bang” posture against a volatile threat landscape. Defensive Recommendations Data Exfiltration Detection and Prevention - Deploy data loss prevention DLP controls at cloud, endpoint, and network egress points. - Baseline and alert on abnormal egress volume and velocity. - Monitor for staging behavior. SaaS Security Posture Management - Audit OAuth token grants, third-party app integrations, and API permissions across SaaS platforms. - Enforce conditional access policies that restrict SaaS sessions by device compliance, location, and risk score. - Implement SaaS audit log aggregation and anomaly detection. Identity and Vishing Resilience - Migrate from OTP-based MFA to phishing-resistant authentication FIDO2/WebAuthn hardware keys . - Implement help desk identity verification procedures that cannot be socially engineered. - Conduct targeted vishing simulation exercises. Software Supply Chain Integrity - Implement software composition analysis SCA and dependency pinning in CI/CD pipelines. - Rotate and vault all secrets exposed to CI/CD environments. - Monitor package registries for typosquatting and unauthorized updates to internal or frequently-used packages. - Enforce code signing and provenance verification for all artifacts entering production. AI-Accelerated Threat Preparedness - Pressure-test detection and response capabilities against compressed attack timelines. - Prioritize vulnerability remediation for internet-facing and AI-discoverable attack surfaces. - Deploy voice authentication and call verification controls for inbound calls. The Unit 42 AI Security Assessment https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment can help empower safe AI use and development. Unit 42 Deep and Dark Web https://www.paloaltonetworks.com/resources/datasheets/unit-42-deep-and-dark-web-service is a service that assists with gaining visibility into unknown and emerging risks of content posted on the deep and dark web, informs organizations about the exposure of sensitive information, and helps reduce the time between detection and response. Unit 42 Frontier AI Defense https://www.paloaltonetworks.com/blog/2026/04/introducing-unit-42-frontier-ai-defense/ is an elite service that uses access to frontier models to identify your organization's likely attack paths before attackers can weaponize them. If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team https://start.paloaltonetworks.com/contact-unit42.html or call: - North America: Toll Free: +1 866 486-4842 866.4.UNIT42 - UK: +44.20.3743.3660 - Europe and Middle East: +31.20.299.3130 - Asia: +65.6983.8730 - Japan: +81.50.1790.0200 - Australia: +61.2.4062.7950 - India: 000 800 050 45107 - South Korea: +82.080.467.8774