Digital extortion is undergoing a significant transformation. While ransomware remains one of the preferred tools used by cybercriminals, campaigns focused on information theft and the threat of making it public are gaining increasing prominence. This strategy aims to exploit the economic, reputational, and regulatory consequences that a data breach can cause to affected organizations.
This trend is reflected in a recent study conducted by Unit 42, the threat intelligence division of Palo Alto Networks, which warns of a notable shift in the global cybersecurity landscape. According to the 2026 Global Incident Response Report, the percentage of extortion incidents involving system encryption decreased to 78% in 2025, a figure lower than the over 90% levels consistently recorded in the previous four years.
Among the groups analyzed by Unit 42 that have evolved from traditional ransomware attacks towards models primarily based on data theft and extortion are Bling Libra, also known as ShinyHunters, which specializes in SaaS environments, and Hazy Scorpius, also identified as CLOP, which exploited a vulnerability found in Oracle EBS.
The report also highlights the growing role of artificial intelligence in such threats. This technology is enabling attackers to identify vulnerabilities faster, automate parts of their campaigns, and accelerate the data extraction process, increasing both the speed and scale of digital extortion operations.
Analyzing this sharp decline in the use of encryption, Palo Alto Networks’ threat intelligence unit has identified four main factors driving this change:
- Improved backup and recovery capabilities, allowing for routine and efficient system restoration.
- Greater maturity of endpoint protection solutions and the effectiveness of automated attack disruption mechanisms.
- Faster data exfiltration speed: According to Unit 42 data, attackers can go from initial access to full data theft in just 72 minutes.
- Increased regulatory pressure: Penalties for non-compliance, class-action lawsuits, and systemic reputational damage now act as more powerful leverage for attackers than operational disruption itself.
By sector, in 2025, campaigns focused exclusively on data exfiltration mainly targeted professional services, healthcare, and consumer services, with a particular focus on midsize organizations, which accounted for 64% of victims.
Although manufacturing remains the most affected sector overall, the construction sector saw a 44% year-over-year increase as a target for extortion operations based solely on data theft. These companies are particularly attractive to attackers due to the high value of their financial plans, bidding information, and other sensitive data.
The average cost associated with data theft-based extortion incidents now reaches $5.08 million (€4.4 million), which can exceed $10 million (€8.6 million) in large-scale breach cases.
Strengthening Data Protection as a Strategic Priority
In response to this evolving threat landscape, Palo Alto Networks experts recommend that organizations bolster their prevention and detection capabilities for data breaches, review access controls for SaaS applications, adopt phishing-resistant authentication mechanisms, and accelerate incident response processes.
The convergence of digital extortion, regulatory pressure, and artificial intelligence will shape the future of cybercrime in the coming months, forcing organizations to rethink their protection strategies beyond the traditional ransomware model.
