Unit 42 researchers analyze the shift in the cyber extortion economy away from ransomware encryption toward pure data theft and extortion. In 2025, encryption was used in 78% of extortion cases, down from around 90% or higher in prior years; the decline is attributed to improved backup and recovery, endpoint security maturity, faster exfiltration, and regulatory pressure (the SEC 4-day disclosure requirement and the GDPR 72-hour notification rule). Key threat actors profiled include TGR-CRI-1135 (supply chain attacks via software compromise), Bling Libra (SaaS vishing campaigns combined with DDoS and media-leak pressure), and CL-CRI-1116/BlackFile (which uses swatting as a physical extortion tactic). The post also warns that frontier AI models such as Mythos are expected to be weaponized within 3-5 months, compressing attack timelines to as little as 25 minutes from initial access to exfiltration. Defensive recommendations cover DLP, SaaS posture management, phishing-resistant MFA, software supply chain integrity, and preparedness for AI-accelerated threats.
Table of contents
Extortion Activity No Longer Requires Encryption for Payment
Shifting Threat Landscape Observations
Differences in Extortion Operations
Looking Forward
Defensive Recommendations