Online Extortion Is the New Ransomware: Why Hackers Just Want Your Data
“It’s MUCH easier to steal data and threaten to leak it to the world, than to go to all the trouble of developing and deploying ransomware,” shared Matt Durrin, director of research and training for LMG Security. Attackers are increasingly bypassing encryption altogether and going straight for your data. Instead of locking down systems, they’re quietly stealing sensitive information and threatening to leak it if you don’t pay up. So, if your organization is still focused solely on ransomware and not planning for online extortion, you could be missing the bigger threat.
Let’s dive into the growing trend of data-only extortion, the shift away from traditional ransomware, and how your organization can stay ahead of this rapidly changing threat landscape.
Ransomware Without the Ransomware
Until recently, most ransomware attacks followed a now-familiar “double extortion” model: attackers would both encrypt and steal data, demanding payment to unlock systems and prevent public exposure of stolen files. But today, we’re seeing a shift toward exfiltration-only attacks, where no ransomware is deployed at all.
Sherri Davidoff, Founder of LMG Security, described this shift as a major new trend: “At our last NetDiligence Ransomware Advisory Board meeting, one of the big trends that we called out is exfiltration-only ransomware. And I hesitate to even call it ransomware.”
Instead of deploying malware that can be detected, blocked, or mitigated with backups, attackers are simply stealing the data and demanding payment to keep it private. The approach is less technically complex, harder to detect in real time, and often just as effective for extortion.
The Rise of Extortion-as-a-Service
This evolution isn’t just about tactics; it’s about entire business models. One notable example is Hunters International, a threat actor group that originally operated in the double extortion space. According to Group-IB, they’re now shutting down ransomware operations altogether and rebranding as World Leaks, a platform focused solely on selling or extorting stolen data.
“World Leaks is basically a mass data broker,” said Durrin. “They’re going to be specializing in leaking data as an extortion service.”
Sound familiar? It’s reminiscent of Marketo, a now-defunct “data breach-as-a-service” platform that notified journalists and regulators of stolen data, adding pressure on victims to pay.
These online extortion groups are developing entire platforms with built-in open-source intelligence (OSINT) capabilities, enabling them to easily identify, contact, and harass victims through phone, email, and social media. The goal: increase psychological pressure and make paying the extortion demand seem like the easiest option.
Why Hackers Are Moving Away from Encryption
Encrypting systems is complex, noisy, and risky. It requires:
- Maintaining persistent access
- Compromising privileged accounts
- Disabling security tools like EDR
- Deploying malware across the network
- Managing asymmetric encryption keys for every system
And if attackers get it wrong, like in the infamous Holiday Inn case, they may end up failing to encrypt anything at all. In that incident, when the attackers couldn’t execute ransomware successfully, they simply wiped systems instead.
Meanwhile, data theft requires far less overhead. In some cases, attackers don’t even need to prove they stole anything.
“We’ve also seen cases where criminals haven’t actually stolen the data. They’re pretending to steal it,” said Davidoff. In one case that LMG observed, the attackers refused to provide “proof of life” files, and forensic evidence showed little indication that any data had actually been exfiltrated, yet the victim still chose to pay the ransom, just to be safe.
Online Extortion Is Changing the Economics of Risk
The NetDiligence 2024 Cyber Claims Study revealed that ransomware claim amounts dropped significantly in 2022 and 2023. Why? One reason is reduced business interruption. If attackers aren’t locking up systems, IT teams can often restore from backups and resume operations quickly.
But that doesn’t mean the threat is gone—only that it’s shifting.
“Lots of IT folks are like, ‘Hey, I can just restore from backups. I don’t care anymore,’” said Davidoff. “But if your data has been stolen, well, you have other problems to deal with.”
Those “other problems” include regulatory scrutiny, brand damage, breach notification requirements, and legal liability. Even without a single encrypted file, online extortion attacks can devastate your organization.
How to Protect Your Organization from Online Extortion
You can’t stop every attack, but you can make your organization a much harder target. Here are key steps your team can take right now:
- Update Your Incident Response Plan
Many organizations still define ransomware as an encryption-only event. That’s outdated. Your incident response plan should now include extortion scenarios where no encryption is involved, but where stolen data still triggers legal, reputational, and compliance risks. If you need help creating a plan, please ask about our policy development or fractional CISO services.
- Run Tabletop Exercises Focused on Data Theft
Don’t wait until it happens. Conduct tabletop exercises that simulate exfiltration-only attacks. Include public disclosure scenarios, regulatory involvement, and PR decision-making.
“You’ve got to exercise your group muscles,” said Durrin. “You really do need to practice the public relations response.”
If you’ve only practiced restoring from backups, you’re not ready for the next wave of online extortion.
- Implement Data Loss Prevention (DLP) and Network Monitoring
Many organizations simply don’t have the visibility to detect when large amounts of data are being stolen. One recent tabletop exercise revealed that a client had no outbound monitoring or DLP in place, meaning they would never know if files were leaving the network.
Make sure your security stack includes:
- Perimeter flow monitoring
- DLP tools (on-prem and cloud)
- Alerts for suspicious outbound data
- Filtering for uploads to unauthorized cloud services (e.g., OneDrive, Mega.nz)
Watch our video on proactive logging and monitoring for a deeper dive.
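To make the monitoring checklist above concrete, here is an added example written for this article (it is not LMG Security's tooling or any vendor's product). It parses a small set of constructed flow-log records, keeps only internal-to-external egress, flags uploads to storage services on an assumed "unsanctioned" list, and raises a second alert when a single host pushes more than an assumed 500 MiB outbound within a 10-minute window. The log format, the 10.0.0.0/8 internal range, the host lists and the threshold are all assumptions; in practice they come from your own flow collector and application policy.

```python
"""Detect suspicious outbound data movement in flow-log records.

Added example for this post; it is not LMG Security's tooling. The log
format, the internal network range, the unsanctioned-host list and the
volume threshold are all assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample flow records (not real traffic):
# timestamp  src_ip  dst_ip  dst_hostname  bytes_sent
FLOW_LOG = """\
2024-05-01T09:00:12Z 10.1.4.22 52.96.10.5 outlook.office365.com 48211
2024-05-01T09:01:40Z 10.1.4.22 31.216.148.10 mega.nz 734003200
2024-05-01T09:02:03Z 10.1.7.9 13.107.42.12 onedrive.live.com 262144000
2024-05-01T09:05:55Z 10.1.7.9 13.107.42.12 onedrive.live.com 398458880
2024-05-01T09:06:10Z 10.1.9.3 10.1.2.50 fileserver.corp.example 2147483648
2024-05-01T09:07:21Z 10.1.4.22 142.250.72.14 www.google.com 3120
"""

# Assumed policy: the corporate M365 tenant is sanctioned; personal cloud
# storage is not. Real lists come from your own application policy.
UNSANCTIONED_UPLOAD_HOSTS = {"mega.nz", "onedrive.live.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
WINDOW = timedelta(minutes=10)
VOLUME_THRESHOLD = 500 * 1024 * 1024   # 500 MiB egress per host per window (assumed)


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    host: str
    nbytes: int


@dataclass
class Alert:
    src: str
    reason: str          # "upload_to_unsanctioned_service" or "outbound_volume_exceeded"
    detail: str          # destination host, or start of the offending window
    total_bytes: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow_log(text: str) -> list:
    """Parse the space-separated constructed format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, host, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append(Flow(when, src, dst, host, int(nbytes)))
    return flows


def find_suspicious_outbound(flows: list) -> list:
    """Flag egress to unsanctioned storage and per-host volume over threshold."""
    alerts = []
    egress_per_window = defaultdict(int)   # (src, window bucket) -> bytes sent
    for f in flows:
        # Only internal -> external traffic is egress; lateral copies such as
        # the file-server transfer above are out of scope for this detector.
        if not is_internal(f.src) or is_internal(f.dst):
            continue
        if f.host in UNSANCTIONED_UPLOAD_HOSTS:
            alerts.append(Alert(f.src, "upload_to_unsanctioned_service", f.host, f.nbytes))
        bucket = int(f.ts.timestamp() // WINDOW.total_seconds())
        egress_per_window[(f.src, bucket)] += f.nbytes
    for (src, bucket), total in egress_per_window.items():
        if total > VOLUME_THRESHOLD:
            window_start = datetime.fromtimestamp(bucket * WINDOW.total_seconds(), tz=timezone.utc)
            alerts.append(Alert(src, "outbound_volume_exceeded", window_start.isoformat(), total))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_outbound(parse_flow_log(FLOW_LOG)):
        print(f"{a.src:<12} {a.reason:<32} {a.detail} ({a.total_bytes} bytes)")
```

On the constructed input this produces three destination alerts (one for mega.nz, two for onedrive.live.com) and two volume alerts (10.1.4.22 and 10.1.7.9 both exceed the window threshold), while the 2 GiB copy to the internal file server is deliberately ignored because it never left the network. The two checks complement each other: the destination list catches small uploads to known unmanaged storage, and the volume check catches bulk movement to destinations you have not yet listed.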
- Harden and Segment Your Environment
Don’t make it easy for attackers. Lock down access to sensitive file shares. Segment your network. Restrict unnecessary outbound traffic. And configure conditional access policies to alert or block excessive data transfers from platforms like Microsoft 365.
“Most of the time, there is no need for large volumes of data to be moved from one point to another,” Davidoff noted.
- Know Your Cyber Insurance Coverage
Does your policy cover online extortion? Does it include PR support, legal guidance, or breach coaching? If so, great—but make sure those benefits are reflected in your response plan and that your team knows how to activate them.
Davidoff recommends a clever approach:
“Take your updated policy, throw it into your favorite AI tool along with your IRP, and ask, ‘What should I update?’ It almost feels like cheating. But that’s what we need to do.”
Plan Now for an Online Extortion Attack
Online extortion is no longer limited to locked-up files and downtime. If you want to stay ahead of today’s evolving threat actors, now is the time to strengthen your defenses against online extortion attacks before your organization becomes the next victim. Please contact us if you need support for policy development, tabletop exercises, testing, or training.