The notification arrives Monday morning. A ransomware group posted your organization's name on their data leak site. Financial records, customer data, and proprietary source code are listed as stolen. The group demands payment by Friday or they publish everything. Your security team examines the network. No files are encrypted. No systems are down. Backups remain intact and operational. The ransomware never deployed. The attackers simply stole data and skipped straight to extortion.

This represents the fundamental transformation of ransomware throughout 2025. Research shows 91% of ransomware attacks now involve data exfiltration, typically to servers in China or Russia. More significantly, Microsoft's 2025 threat report documents that data exfiltration occurred in 80% of attacks, confirming that accessing and stealing data has become the primary objective. Encryption is becoming optional. Organizations that spent years hardening backup infrastructure and practicing recovery procedures discovered that ransomware operators evolved past the need for encryption entirely.

Trend Micro's 2026 predictions characterize this shift explicitly. Ransomware is evolving into an AI-powered ecosystem capable of identifying victims, exploiting weaknesses, and negotiating with targets via automated extortion bots. Threat researchers expect these campaigns to become faster, harder to trace, and more persistent, driven by data rather than encryption alone. The technical mechanics of ransomware changed because organizations eliminated the leverage that encryption provided.

Why encryption lost its value

The statistics reveal why attackers abandoned encryption-first tactics. Approximately 97% of organizations with encrypted data can now recover it, primarily through backups. Recovery times improved dramatically. In the UK, 57% of organizations recover within one week, up from 34% the previous year. Organizations invested heavily in backup infrastructure, implemented immutable storage, tested recovery procedures, and deployed rapid restoration capabilities. Encryption became a nuisance rather than a crisis.

Payment rates reflect this shift. In exfiltration-only cases, only 19% of victims paid ransoms. Victims are more willing to gamble that leaks won't be damaging or that criminals won't follow through on threats. When encryption is involved, payment rates increase because operational disruption compounds the extortion pressure. But when backups work reliably, encryption provides no additional leverage. Attackers recognized this and adapted.

The technical complexity of encryption also became a liability. Deploying ransomware requires executing code on target systems, which security tools detect. Encryption is computationally intensive and generates observable system activity. The numbers reflect the retreat: only 70% of ransomware attacks in 2024 resulted in encryption, down from 76% in 2023. Attackers increasingly concluded that encryption was high-effort, high-risk, and low-reward when data theft alone provided sufficient extortion leverage.

The operational model of pure data extortion

Groups like Karakurt and Lapsus$ pioneered this approach. Both leverage data extortion-only methods in their campaigns. Neither group deploys ransomware on compromised systems. They exfiltrate data and use the stolen information as leverage. The attack sequence is straightforward. Gain access through compromised credentials or exploited vulnerabilities. Identify high-value data through automated scans searching for keywords like financial, confidential, proprietary, or customer. Stage data for exfiltration using legitimate tools like Rclone or MEGAsync. Transfer data gradually, disguised as normal network traffic. Issue extortion demand once exfiltration completes.

Detection becomes difficult because every step uses legitimate protocols and tools. Attackers exploit commonly used protocols like HTTP, HTTPS, and DNS for exfiltration. These protocols carry legitimate traffic constantly, making malicious transfers invisible without behavioral analysis. The data movement itself appears operational. Rclone syncs to cloud storage, which organizations use routinely. File compression with 7-Zip or WinRAR is standard practice. FTP transfers occur constantly in enterprise environments. Without understanding what the behavioral timeline attempts to accomplish, these activities look normal.

Trend Micro predicts that AI-driven extortion bots will engage victims directly in ransom negotiations throughout 2026. Some groups, like the Global Group Ransomware syndicate, already experiment with automated negotiation agents. Automation extends to analyzing stolen data for secondary extortion opportunities, rapidly identifying high-value vulnerabilities, and crafting targeted coercion tactics. The entire operation, from reconnaissance through negotiation, runs autonomously without human operators making tactical decisions.

What attackers accomplish through data exfiltration

The behavioral timeline of data exfiltration reveals structured intent. Attackers don't randomly copy files. They execute targeted searches using keywords related to business operations, financial documents, accounting, non-disclosure agreements, confidential information, and credential stores. This triage process identifies sensitive data worth leveraging for extortion. The behavioral timeline shows reconnaissance (identifying accessible data), collection (staging files for transfer), and exfiltration (moving data to attacker-controlled infrastructure). Each phase exhibits patterns that distinguish operational data management from malicious data theft.

The timeline extends across days rather than hours. Global median dwell time for ransomware-related incidents is five days when attackers notify victims, but the initial access often occurs weeks earlier. Attackers spend time exploring the environment, identifying valuable data, and gradually exfiltrating information to avoid triggering volume-based alerts. The slow, deliberate pace allows them to maximize data collection before detection.

Once exfiltration completes, the leverage persists indefinitely. Even if organizations refuse to pay, stolen data enables endless extortion potential. Attackers sell data on cybercrime forums. The information fuels secondary attacks through credential reuse, SIM swapping, and social engineering. Personal data from one breach becomes the attack vector for future campaigns. A single exfiltration event creates ongoing risk that encryption-only ransomware never provided.

Attackers layer multiple extortion methods. They threaten to leak data publicly. They contact regulators to trigger compliance investigations. They reach out directly to affected customers or employees. They sell data to competitors. This triple extortion model applies escalating pressure through reputational damage, regulatory consequences, and operational disruption, all without encrypting a single file.

Why detecting exfiltration requires behavioral analysis

Traditional ransomware detection focused on encryption activity. Security tools monitored for rapid file modifications, mass encryption operations, and ransomware process execution. These indicators became irrelevant when attackers stopped encrypting. Organizations that only practiced restoring from backups are not ready for the next wave of extortion.

The detection problem is structural. Data exfiltration behavioral timelines must be distinguished from operational data management behavioral timelines. Legitimate backups, cloud synchronization, and file transfers occur constantly. Security teams need visibility into what each behavioral timeline attempts to accomplish based on the pattern of activity rather than individual events.

When a behavioral timeline exhibits reconnaissance patterns (systematic file searches using keywords like "confidential" or "financial," enumeration of network shares, discovery of database schemas), that structure indicates preparation for data theft. When it follows collection patterns (staging large volumes of diverse file types in temporary directories, compressing files outside normal backup schedules, organizing data into thematically grouped archives), that structure indicates exfiltration preparation. When it executes transfer patterns (sustained outbound connections to unfamiliar cloud storage, FTP uploads outside business hours, DNS tunneling to exfiltrate data), that structure indicates active theft.
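The following is an added illustration of the timeline-over-events idea, not DeepTempo's own code or model: it scores one host's flow records as a whole, combining a reconnaissance signal (SMB connections fanned out across many internal hosts) with a transfer signal (unfamiliar external destination, volume accumulated across several days, off-hours activity). The flow records, IP addresses, the sanctioned-destination baseline, and all thresholds are constructed assumptions for the example; note that no single upload crosses a 1 GiB per-event alert, so only the accumulated timeline reveals the pattern.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flows for one internal host over three days (not real telemetry).
# Fields: timestamp, src, dst, dst_port, bytes_out.
FLOWS = [
    # Day 1, business hours: SMB share enumeration across a dozen internal hosts.
    *[("2025-03-03T09:00:%02d" % i, "10.0.5.21", "10.0.8.%d" % (10 + i), 445, 4096)
      for i in range(12)],
    # Days 1-3, off-hours: uploads to an unfamiliar host, each below a 1 GiB per-event alert.
    ("2025-03-03T22:10:00", "10.0.5.21", "203.0.113.40", 443, 700 * 2**20),
    ("2025-03-04T23:05:00", "10.0.5.21", "203.0.113.40", 443, 650 * 2**20),
    ("2025-03-05T02:40:00", "10.0.5.21", "203.0.113.40", 443, 900 * 2**20),
    # Routine business-hours sync to a sanctioned destination; should not raise the verdict.
    ("2025-03-04T10:30:00", "10.0.5.21", "198.51.100.5", 443, 300 * 2**20),
]
SANCTIONED = {"198.51.100.5"}  # assumed baseline of approved cloud/backup destinations


def is_internal(ip):
    return ip.startswith("10.")  # assumed internal address space for the example


def off_hours(ts):
    hour = datetime.fromisoformat(ts).hour
    return hour < 7 or hour >= 19


def classify_timeline(flows, sanctioned, recon_hosts=10, exfil_bytes=2 * 2**30, exfil_days=2):
    """Score a host's flow timeline as a whole rather than flow by flow."""
    # Reconnaissance: how many distinct internal hosts were touched over SMB.
    smb_targets = {dst for _, _, dst, port, _ in flows if port in (139, 445) and is_internal(dst)}
    # Transfer: accumulate outbound volume per unfamiliar external destination.
    per_dest = defaultdict(lambda: {"bytes": 0, "days": set(), "off_hours": 0})
    for ts, _, dst, _, sent in flows:
        if is_internal(dst) or dst in sanctioned:
            continue
        rec = per_dest[dst]
        rec["bytes"] += sent
        rec["days"].add(ts[:10])
        rec["off_hours"] += off_hours(ts)
    transfers = {d: (r["bytes"], len(r["days"]), r["off_hours"]) for d, r in per_dest.items()
                 if r["bytes"] >= exfil_bytes and len(r["days"]) >= exfil_days}
    phases = {"reconnaissance": len(smb_targets) >= recon_hosts, "exfiltration": bool(transfers)}
    if all(phases.values()):
        verdict = "data_theft_timeline"   # recon followed by sustained transfer
    elif any(phases.values()):
        verdict = "review"                # one phase alone: analyst triage
    else:
        verdict = "benign"
    return {"verdict": verdict, "phases": phases, "smb_targets": len(smb_targets),
            "unfamiliar_destinations": transfers}
```

Running `classify_timeline(FLOWS, SANCTIONED)` returns the `data_theft_timeline` verdict, while the same function applied only to the sanctioned-sync flow returns `benign`.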

DeepTempo evaluates behavioral timelines of flows between endpoints to identify these patterns. The foundation model learns structural signatures of what data exfiltration behavioral timelines look like, what operational backup behavioral timelines look like, and what reconnaissance behavioral timelines look like. Classifiers interpret those patterns to determine malicious intent. The approach works because attackers cannot make the exfiltration behavioral timeline structure look normal while accomplishing the objective of stealing massive amounts of sensitive data.

Closing note

The transformation from encryption-based ransomware to pure data extortion throughout 2025 reflected organizations' success in neutralizing encryption through improved backup capabilities. Attackers adapted by eliminating the unnecessary step of encryption and focusing exclusively on the leverage that data theft provides. Ransomware payment rates declined, double extortion became standard, and groups developed increasingly sophisticated methods for identifying, exfiltrating, and monetizing stolen data.

The detection challenge shifted from identifying encryption activity to distinguishing malicious data exfiltration from operational data movement. This requires analyzing behavioral timelines rather than individual events, understanding what each sequence of activity attempts to accomplish, and identifying structural patterns that reveal intent. Organizations that built security architectures around preventing encryption discovered that the threat evolved beyond their defensive model. The question is whether detection capabilities can identify data theft behavioral timelines before exfiltration completes.

MITRE: Collection, Exfiltration, Impact

Get in touch to run a 30-day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!