Ransomware Is Changing: Hackers Now Focus on Stolen Data, Not Just Encryption


Ransomware is no longer only about locking systems and demanding payment to unlock them. A growing number of attacks now skip encryption altogether. Instead, attackers steal sensitive data and threaten to leak it unless the victim pays.

This shift changes the risk for businesses. Even if you can restore your systems from backups, you may still face extortion, legal exposure, and reputational damage if your data is taken. Recent threat response data shows this is no longer an edge case. It’s becoming a mainstream tactic.

TL;DR

  • Data-only extortion incidents have grown 11x year over year.
  • Around 22% of recent extortion cases involved data theft without any encryption.
  • Ransomware, data extortion, and business email compromise (BEC) together account for the vast majority of incident response cases handled by major security providers.
  • In many ransomware attacks, data theft happens alongside encryption, increasing pressure on victims.
  • Backups alone don’t solve this problem. Data protection and access control matter just as much.

Why Data-Only Extortion Is Rising

Traditional ransomware worked because victims had no easy way to recover encrypted systems. That leverage is weakening. Many organizations now have better backups, cloud recovery options, and incident response playbooks.

Attackers are adapting. Instead of relying only on encryption, they are stealing sensitive data first. Then they threaten to publish or sell it if the ransom is not paid. This puts pressure on victims in a different way. Downtime is one issue. Public exposure, compliance penalties, and loss of trust are another.

Threat response data shows how fast this shift is happening. Data-only extortion cases have increased sharply over the past year. What was once rare now makes up a significant share of extortion incidents.

This also changes how victims assess impact. Even if systems come back online quickly, the damage from leaked customer records, internal emails, or financial data can last much longer.

How Attackers Are Getting In

The techniques attackers use to gain access have stayed fairly consistent. What stands out is how often basic security gaps are still working.

Business Email Compromise (BEC)

BEC remains one of the most common attack paths. It usually starts with phishing or credential theft. Once attackers gain access to an email account, they watch conversations and insert themselves into payment workflows.

Finance teams, executives, and legal departments are frequent targets. A single convincing message can lead to fraudulent wire transfers or exposure of sensitive documents. BEC continues to account for a large share of real-world incidents.

Remote Access Abuse

Remote access tools are another weak spot. Exposed RDP services, poorly secured VPNs, and remote management tools are often used as entry points. In many cases, attackers don’t need to exploit a complex vulnerability. Stolen or weak credentials are enough.

Once inside, attackers move laterally, map the network, and locate high-value data. Data theft often happens quietly before any ransom demand appears.

Credential Theft Over Exploits

While software vulnerabilities still matter, many incidents do not involve zero-day exploits. Phishing, password reuse, and weak authentication are easier to scale. Attackers follow the simplest path that works.

What the Numbers Say

Recent incident response data highlights how ransomware tactics are shifting:

  • Data-only extortion cases have grown by more than ten times in a year, showing how fast attackers adapt.
  • Roughly one in five extortion incidents now involves stolen data without encryption.
  • In ransomware attacks that do use encryption, data exfiltration is now common, meaning attackers often steal data before or during the encryption stage.
  • Ransomware, data extortion, and BEC together account for the majority of serious cyber incidents handled by response teams.

These numbers point to one clear trend. The threat is no longer only about availability. It’s about confidentiality.

What This Means for Organizations

This shift changes how ransomware risk should be managed.

  • Backups are necessary but not enough.
    Restoring systems does not undo data theft.
  • Email security needs constant attention.
    Phishing remains one of the easiest ways in.
  • Remote access must be locked down.
    Exposed services and weak authentication create easy entry points.
  • Data visibility is critical.
    Know where sensitive data lives and who can access it. You can’t protect what you can’t see.
  • Early detection reduces damage.
    The sooner you catch an intrusion, the less data attackers can steal.
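
Because data-only extortion produces no encryption event to alert on, early detection has to key on the data leaving. The following is an added example, not part of the original article: it compares each host's external egress against that host's own history. The flow records, the 10.0.0.0/8 internal range, and the `k` and `floor` thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: everything inside 10.0.0.0/8 is internal; adjust to your address plan.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow summaries: (day, source host, destination IP, bytes sent).
FLOWS = (
    [(f"2024-03-0{d}", "10.0.5.20", "198.51.100.10", mb * 10**6)    # file server
     for d, mb in enumerate([40, 55, 48, 60, 52, 50], start=1)]
    + [(f"2024-03-0{d}", "10.0.5.40", "198.51.100.10", mb * 10**6)  # backup host
       for d, mb in enumerate([2000, 2100, 1900, 2050, 1950, 2100], start=1)]
    + [("2024-03-06", "10.0.5.20", "203.0.113.77", 12_000 * 10**6),  # never-seen destination
       ("2024-03-06", "10.0.5.20", "10.0.9.9", 30_000 * 10**6)]      # internal copy, ignored
)

def flag_exfil(flows, today, k=5, floor=500 * 10**6):
    """Flag hosts whose external egress today breaks their own baseline."""
    per_day = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    dests = defaultdict(lambda: defaultdict(set))    # host -> day -> external IPs
    for day, host, dst, sent in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            continue  # east-west traffic is out of scope for this check
        per_day[host][day] += sent
        dests[host][day].add(dst)
    alerts = {}
    for host, totals in per_day.items():
        history = [b for d, b in totals.items() if d < today]
        sent = totals.get(today, 0)
        if len(history) < 3 or sent < floor:
            continue  # too little history, or too small to matter
        base = median(history)
        # Median absolute deviation: a spread measure that one odd day cannot skew.
        mad = median(abs(b - base) for b in history) or 1
        if sent > base + k * mad:
            seen = set().union(*(s for d, s in dests[host].items() if d < today))
            alerts[host] = {"sent": sent, "baseline": base,
                            "new_destinations": sorted(dests[host][today] - seen)}
    return alerts

if __name__ == "__main__":
    for host, detail in flag_exfil(FLOWS, "2024-03-06").items():
        print(host, detail)
```

The backup host sends far more data per day than the file server but stays within its own normal range, so only the file server is flagged. A single fixed byte threshold would get both hosts wrong.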

Ransomware response plans need to include data protection, not just system recovery. Legal, compliance, and communications teams should also be part of incident planning now, not only IT and security.

FAQs

  • What is data-only extortion?
    It is when attackers steal sensitive data and demand payment to prevent public release, without encrypting the victim’s systems.
  • Is traditional ransomware still a threat?
    Yes. Encryption-based ransomware is still common. But many attacks now include data theft as part of the extortion strategy.
  • Why are attackers moving away from encryption alone?
    Better backups and recovery tools reduce the impact of encryption. Data theft creates pressure even when systems can be restored.
  • Which sectors are most at risk?
    Finance, legal, healthcare, and professional services are frequent targets because of the sensitivity of the data they handle.
  • Can paying the ransom stop data leaks?
    There is no guarantee. Some attackers still leak data after payment. Each case carries legal, ethical, and operational risks.
  • How can organizations reduce the risk of data extortion?
    Focus on email security, strong authentication, restricted remote access, monitoring for unusual data movement, and clear incident response planning.

To Sum Up

Ransomware is no longer just about locked files. The rise of data-only extortion shows that attackers are shifting tactics to stay effective, even as defenses improve. The numbers back this up. Data theft is now a central part of many extortion campaigns.

This changes the stakes for organizations. Recovery plans matter, but they don’t stop leaks. Email security, access controls, and visibility into sensitive data are now core defenses.

If teams keep treating ransomware as only a system availability problem, they will miss the bigger risk. Today, the real damage often comes from exposed data and the long tail of consequences that follow.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
