Encryptionless Extortion: Why Ransomware Stopped Encrypting and Started Leaking

Manish Garg Associate of (ISC)² · RingSafe
May 25, 2026

A defining 2026 trend: ransomware crews increasingly skip the encryption step entirely. They steal the data and threaten to leak it. Encryptionless extortion is faster, quieter, and sidesteps the one control most companies trusted — backups.

Why crews dropped the crypto

  • Backups make encryption pointless. If a victim can restore, the encryption leverage evaporates — but a data leak cannot be “restored” away.
  • Encryption is loud. Mass file writes trip behavioural detection; quiet exfiltration of a few archives often does not.
  • No decryptor support burden. Pure-extortion crews skip the messy business of providing working decryption.

Cl0p’s MOVEit campaign and groups like BianLian normalised the model: breach, exfiltrate, extort — no encryption required.

The uncomfortable implication

Your incident-response plan probably assumes “restore from backup and move on.” Against pure extortion, restoration does nothing — the data is already gone, and under India’s DPDP Act a personal-data leak is a reportable breach with penalties up to ₹250 crore.

Defences that actually fit this threat

  1. Egress monitoring. The choke point is exfiltration — alert on large or unusual outbound transfers, rare destinations, and cloud-storage uploads from servers.
  2. Data minimisation & DLP. You cannot leak what you do not store; classify and tokenise sensitive data, and block it from leaving to unapproved endpoints.
  3. Segment and watch the crown jewels. Most exfil traces back to one over-permissioned file share or database.
  4. Practise a leak scenario in your tabletop — including the DPDP 72-hour and CERT-In 6-hour notification clocks.
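
The egress-monitoring checks from item 1, sketched over outbound flow summaries. This is an added example, not RingSafe's tooling: the host names, destinations, CSV layout, thresholds and the cloud-storage watchlist are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: a baseline period and today's outbound flow summaries.
BASELINE = """host,role,dest,bytes_out
fs01,server,backup.corp.example,900000000
fs01,server,updates.vendor.example,40000000
wks17,workstation,files.cloudstore.example,25000000
"""
TODAY = """host,role,dest,bytes_out
fs01,server,backup.corp.example,950000000
fs01,server,files.cloudstore.example,3200000000
fs01,server,updates.vendor.example,38000000
wks17,workstation,files.cloudstore.example,30000000
db02,server,203.0.113.45,600000000
"""
CLOUD_STORAGE_DOMAINS = ("cloudstore.example",)  # assumed watchlist
VOLUME_FACTOR = 3              # alert above 3x the host's largest baseline transfer
NEW_HOST_LIMIT = 100_000_000   # byte cap for hosts that have no baseline yet

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def is_cloud_storage(dest):
    # Match the domain itself or a true subdomain, not any string suffix.
    return any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)

def detect(baseline_rows, today_rows):
    seen = defaultdict(set)   # host -> destinations seen in the baseline
    peak = {}                 # host -> largest single baseline transfer
    for r in baseline_rows:
        seen[r["host"]].add(r["dest"])
        peak[r["host"]] = max(peak.get(r["host"], 0), int(r["bytes_out"]))
    alerts = []
    for r in today_rows:
        host, dest, sent = r["host"], r["dest"], int(r["bytes_out"])
        limit = peak[host] * VOLUME_FACTOR if host in peak else NEW_HOST_LIMIT
        reasons = []
        if sent > limit:
            reasons.append("large_outbound")
        if dest not in seen[host]:
            reasons.append("rare_destination")
        if r["role"] == "server" and is_cloud_storage(dest):
            reasons.append("cloud_upload_from_server")
        if reasons:
            alerts.append((host, dest, reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(load(BASELINE), load(TODAY)):
        print(alert)
```

The routine backup from fs01 and the workstation's usual cloud sync stay quiet, while the file server's first-ever multi-gigabyte upload to cloud storage fires all three rules at once.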

RingSafe helps Indian teams build detection and an integrated breach playbook for exactly this. Talk to us.
