TechSignal.news

Ransomware Groups Are Ditching Encryption. Data-Only Extortion Is the New Playbook.

Ransomware operators are shifting from encrypting systems to stealing data and threatening leaks. The change cuts attacker effort while maximizing enterprise compliance and reputational pressure.

TechSignal.news AI · 5 min read

Projected ransomware costs for 2026 hit $74 billion globally, according to Cybersecurity Ventures. But the way that money gets extracted is changing. The most significant tactical shift in the ransomware ecosystem this year is the move toward data-only extortion, where attackers skip encryption entirely and focus on stealing sensitive data, then threatening to publish it unless payment is made.

Why Encryption Is Losing Appeal

Encrypting an enterprise network is noisy. It triggers endpoint detection, generates alerts, and gives defenders a window to isolate systems. The deployment phase of a traditional ransomware attack is the highest-risk moment for the attacker, the point where the operation is most likely to be detected and stopped.

Data exfiltration is quieter. Attackers who have already gained access to a network can spend days or weeks siphoning data through encrypted channels, cloud storage uploads, or compromised SaaS accounts. By the time the extortion demand arrives, the damage is already done. There is no decryption key to negotiate over. The leverage is the data itself.

Recorded Future analysis shows this trend accelerating through early 2026, with multiple ransomware-as-a-service (RaaS) platforms now offering data exfiltration toolkits as a standard affiliate feature. The shift reduces the technical bar for affiliates while increasing the pressure on victims, particularly those in regulated industries where a data breach triggers mandatory notification requirements, regulatory scrutiny, and class action exposure.

The Compliance Multiplier

This is where data-only extortion becomes especially effective against enterprises. A traditional ransomware attack that encrypts systems but does not exfiltrate data is an operational disruption. A data theft that includes customer PII, health records, or financial data is a regulatory event.

Under GDPR, CCPA, HIPAA, and the SEC's cybersecurity disclosure rules, organizations have specific timelines and obligations once they become aware of a data breach. Attackers know this. The extortion demand is calibrated to be less expensive than the combined cost of regulatory fines, legal fees, and reputational damage. Many organizations run the math and pay.

The Panera Bread breach in January 2026 is a case study. The ShinyHunters group exfiltrated 5.1 million customer records and published a 760 MB archive after Panera refused to pay. The result: multiple class action lawsuits and a remediation cost that will likely exceed what the ransom demand was.

What Enterprises Should Change

The defense model for data-only extortion is different from traditional ransomware. Endpoint detection and response (EDR) tools focused on catching encryption behavior miss the threat entirely if the attacker never deploys a payload. The priority shifts to three areas.

First, data loss prevention (DLP) and network detection and response (NDR) become critical. Organizations need visibility into abnormal data movement, especially large transfers to external destinations, unusual cloud storage activity, and bulk access to sensitive repositories.

Second, data classification and segmentation matter more than ever. If an attacker compromises a marketing team member's credentials, they should not have access to customer PII stored in a different business unit's database. Most organizations have not implemented the access controls that would limit blast radius in a data theft scenario.

Third, incident response plans need updating. Many enterprise IR playbooks are built around encryption events: isolate, assess, restore from backup. A data theft with no encryption requires a different decision tree. Legal counsel, communications, and regulatory compliance teams need to be integrated from the first hour, not after a system recovery is underway.
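
As an added illustration of the first priority above (not code from this article or from any vendor tool), the sketch below baselines each host's daily outbound volume to external destinations and flags sharp deviations. The flow records, host names, internal ranges and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed internal ranges (RFC 1918); replace with the environment's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (day, source host, destination IP, bytes out).
FLOWS = [(d, "ws-mkt-07", "203.0.113.10", b) for d, b in
         [(1, 40e6), (2, 55e6), (3, 38e6), (4, 47e6), (5, 52e6), (6, 60e6)]]
# Large but internal transfers (e.g. backups) must not count as egress.
FLOWS += [(d, "db-crm-01", "10.20.0.5", 9e9) for d in range(1, 7)]
# Small daily external traffic, then a bulk transfer on day 6.
FLOWS += [(d, "db-crm-01", "198.51.100.7", b) for d, b in
          [(1, 5e6), (2, 6e6), (3, 4e6), (4, 5e6), (5, 6e6), (6, 7.5e9)]]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def daily_external_egress(flows):
    """Sum bytes sent to external destinations per host per day."""
    totals = defaultdict(lambda: defaultdict(float))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals

def flag_egress_anomalies(flows, k=6.0, floor=500e6, min_history=3):
    """Return (host, day, bytes) where external egress exceeds both an
    absolute floor and median + k*MAD of that host's earlier days."""
    alerts = []
    for host, per_day in daily_external_egress(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet
            med = median(history)
            # Median absolute deviation; fall back to 1 byte if history is flat.
            mad = median(abs(x - med) for x in history) or 1.0
            if per_day[day] > max(floor, med + k * mad):
                alerts.append((host, day, per_day[day]))
    return alerts

if __name__ == "__main__":
    for host, day, nbytes in flag_egress_anomalies(FLOWS):
        print(f"day {day}: {host} sent {nbytes / 1e9:.1f} GB to external hosts")
```

The absolute floor keeps low-volume hosts with tight baselines from alerting on ordinary variation, and excluding internal destinations keeps routine backup traffic out of the baseline.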

The Bigger Pattern

The 2025-2026 ransomware landscape shows a fragmented ecosystem where more groups operate with lower technical overhead and higher financial sophistication. Recorded Future projects that 2026 will be the first year where new ransomware actors operating outside Russia outnumber those within it. Attack volumes are up 47 percent over two years, while average ransom payments are actually declining because more organizations refuse to pay.

The economics are pushing attackers toward efficiency. Data-only extortion is faster to execute, harder to detect, and creates legal pressure that encryption alone does not. Enterprise security teams that are still optimized for the encryption-and-recovery playbook are defending against last year's threat.
