Skip to main content
Emerging ThreatsMalware & Ransomware

Cyber Extortion Economy Shifts Away From Ransomware Encryption

Concerned individuals walk down a modern office corridor lined with server racks and filing cabinets, with a focused laptop…
"it only took 39 seconds for threat actors to move from initial access to data exfiltration in one case," said Wendi Whitmore, Unit 42’s Chief Security Intelligence Officer.

Encryption Decline and the Rise of Data-Only Extortion

Unit 42’s 2026 Global Incident Response Report documents a marked shift: the use of encryption in extortion-related cases fell to 78% in 2025, down from near-or-above-90% during 2021–2024. Other providers reported parallel trends: Google observed data-theft-and-extortion incidents rising from about 2% in 2020 to 15% in 2025, and Resilience recorded extortion-only incidents increasing from 49% in the first half of 2025 to 65% in the second half.

The change is driven by four forces named by Unit 42: improved backup and recovery allowing routine re-imaging, stronger endpoint maturity and automated disruption, faster exfiltration capabilities, and the leverage of regulatory frameworks. Unit 42 highlights strict mandates such as the SEC’s four-day disclosure window and GDPR’s 72-hour reporting rule as creating a “regulatory countdown clock” that threat actors exploit. The financial stakes are explicit: Unit 42 cites an average cost of data-theft extortion at $5.08 million, and over $10 million for broader U.S. breaches.

Targets in 2025 skewed to Professional Services, Healthcare and Consumer Services, with mid-sized organizations accounting for 64% of victims. Manufacturing remained the single most disrupted sector overall, while Construction saw a 44% year‑over‑year increase in data-only extortion incidents.

TGR-CRI-1135 (TeamPCP) and Software Supply Chain Compromise

Unit 42 tracks TGR-CRI-1135 (aka TeamPCP) as active since at least late 2025. Wired reported the group conducted upwards of 20 distinct supply-chain compromise attacks that injected malicious code into over 500 pieces of software. Unit 42 documented that this group’s malware successfully exfiltrated sensitive secrets — cloud access tokens, SSH keys and Kubernetes secrets — from victims.

TGR-CRI-1135 has monetized intrusions by partnering with extortion-as-a-service and ransomware actors. Unit 42 observed collaboration with LAPSUS$ operators via data leak sites and communications linking them to Vect ransomware on BreachForums, where an affiliate called the Rostova Organization also claimed ties. On May 13, 2026, the group announced the release of an open-source version of a tool called Shai-Hulud on BreachForums; Unit 42 warns that public tooling may make attribution harder as copycats adopt the same capabilities. Separately, Unit 42 noted a BreachForums posting that Vect operators were removed from the forum, though the operational impact is unclear.

Unit 42 does not currently observe TGR-CRI-1135 using extortion techniques beyond pure data exfiltration.

Bling Libra, Vishing, CL-CRI-1116 (BlackFile), and Double Extortion

Bling Libra (aka ShinyHunters) continues to target customer SaaS tenants using vishing: phone-based social engineering that directs victims to phishing sites to capture credentials and one-time codes, then registers attacker devices for persistence. Unit 42 reports the group uses a persistent Tox ID to communicate with victims and operates a Tor-based data leak site. Unlike TGR-CRI-1135, Bling Libra also employs additional extortion techniques including distributed denial-of-service attacks and information leaks to media outlets.

Unit 42 also follows an activity cluster called CL-CRI-1116, which overlaps with public reporting on BlackFile. CL-CRI-1116 runs its own Tor leak site but does not reuse the same Tox ID and typically uses different registrars for phishing domains. The cluster has added “swatting” — false emergency calls to trigger a physical response — as a double extortion lever. Unit 42 documents a closure of the cluster’s previous data leak site and a rebranding under the name “Redact” with a new leak site.

Frontier AI, Mythos, ATHR, SymJack and a Compressed Attack Timeline

Unit 42 warns that frontier AI models are accelerating attack discovery and chaining. Anthropic’s Mythos reportedly identified about 23,000 potential vulnerabilities across 1,000 open-source projects. Unit 42 has observed AI-assisted attacks that compress the timeline: in some cases initial access to data exfiltration dropped to as little as 25 minutes, and the firm believes there is an approximate 3–5 month window before frontier models are weaponized by threat actors.

Unit 42 notes TGR-CRI-1135 has already targeted AI environments and raises the hypothetical of AI agents compounding supply-chain compromise risks. On the vishing front, AI-powered call-center platforms such as ATHR can automate calls and aspects of intrusion lifecycles, lowering barriers for less sophisticated criminals and accelerating operations for groups like Bling Libra. Unit 42 also cites the recent disclosure of SymJack as an example of how AI agents could be used in such attacks.

Defensive Steps: SaaS, Identity, Supply Chain and AI-Preparedness

  • Data exfiltration: deploy DLP at cloud, endpoint and egress points; baseline and alert on abnormal egress volume and velocity; monitor for staging behavior.
  • SaaS posture: audit OAuth grants, third-party integrations and API permissions; enforce conditional access by device compliance, location and risk score; aggregate SaaS audit logs and detect anomalies.
  • Identity and vishing resilience: migrate from OTP-based MFA to phishing-resistant FIDO2/WebAuthn hardware keys; implement help-desk identity procedures resistant to social engineering; run targeted vishing simulations.
  • Software supply chain: add software composition analysis and dependency pinning in CI/CD; rotate and vault secrets in CI/CD; monitor package registries for typosquatting and unauthorized updates; require code signing and provenance checks for artifacts.
  • AI readiness: pressure-test detection and response against compressed timelines; prioritize remediation for internet-facing and AI-discoverable attack surfaces; deploy voice authentication and call verification controls.

Unit 42 offers several services — an AI Security Assessment, Deep and Dark Web monitoring and a Frontier AI Defense service — and provides incident response contact numbers for regions including North America, the UK, Europe, Asia and others.

For organizations facing a compliance-driven extortion economy and an accelerating AI threat, the facts in Unit 42’s analysis are spare and stark: attackers are shifting away from encryption, regulators have become leverage, and AI is compressing windows for detection. The firm’s timing is emphatic — act now, while defenders still hold a 3–5 month window to harden the most exposed lanes.

https://unit42.paloaltonetworks.com/cyber-extortion-economy/