Hackers Increasingly Shun Encryption in Favour of Pure Data Theft and Extortion

There has been a significant rise in ransomware campaigns which do not rely on encryption as cybercriminal extortion groups shift their operations.

An increasing number of cybercriminals are relying on data theft alone to extort ransom payments out of victims, a new research paper by Symantec and Carbon Black has warned.

“Extortion-only attacks have grown immensely… In these attacks, no ransomware is deployed, the attackers simply steal data from the victim’s network and attempt to extort a ransom from victims by threatening to publish the stolen data,” said the report.

While the number of ‘traditional’ ransomware attacks has remained stable – according to Symantec, data from ransomware leak sites suggested a total of 4737 ransomware attacks during 2025, up 1% compared with 2024 – the number of encryptionless attacks has grown significantly.

Analysis of data leak sites suggests that there were almost 1500 incidents that relied on data theft alone for extortion attacks in what’s described as a “significant jump” in cyber-criminal groups leveraging the tactic. The figure for 2024 was only 28.

Encryptionless Ransomware Campaigns Exploit Supply Chain Weaknesses

According to Symantec and Carbon Black, the most commonly deployed attack vectors in encryptionless ransomware campaigns are the exploitation of unpatched zero-day vulnerabilities and the leveraging of weaknesses in software supply chains.

A prominent example of this during 2025 was a series of attacks by the ShinyHunters gang which hit companies around the world, including Allianz, Qantas and Google.

ShinyHunters’ campaigns specifically targeted Salesforce instances, using social engineering and voice phishing attacks to gain access to credentials for Salesforce portals and exploit this to move laterally across the network. They used this access to steal data of Salesforce users and threatened to publish it if the affected company didn’t pay a ransom.

Another cybercriminal gang increasingly engaging in extortion-only attacks is Scattered Spider, although the group still deployed regular ransomware attacks – as seen in incidents targeting Marks & Spencer and The Co-op last year.

Researchers also noted that one zero-day vulnerability exploited to deploy encryptionless extortion campaigns was CVE-2025-61882, a vulnerability in Oracle E-Business Suite that allowed unauthenticated attackers to remotely execute code.

These campaigns, which favour data theft over deploying encryption-based ransomware, are creating another cybersecurity challenge for organizations.

“While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the advent of new types of encryptionless attacks adds another degree of risk,” said Symantec in the research paper.

“This broadening of potential attack types presents new challenges for enterprises that not only have to maintain a robust security posture on their own networks but now also must put greater focus on the security of their software supply chain.”

It's recommended that organizations take the appropriate actions to help avoid falling victim to encryptionless extortion attacks.

"Audit all software used by your organization and ensure all security updates are applied. Strong credential hygiene is also really important. You need robust credentials and MFA should be used routinely," Dick O’Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, told Infosecurity.

"Pay attention to your software supply chain, in particular third-party add-ons and extensions that may have access to enterprise applications," he added.
