The rise of extortion-first ransomware, where criminals focus on stealing data and threatening to leak it rather than locking systems, has been prominent recently, with money as the biggest motivator. As cryptocurrency values surged and Bitcoin prices became more volatile, cybercriminals found new ways to profit from extortion schemes like DDoS-for-ransom and data-leak threats.
Many reinvest those profits into larger, more professional operations. High-profile incidents show how even well-resourced companies are not immune. In one such case reported by BleepingComputer, Dell acknowledged the nature of a recent breach, stating, “A threat actor recently gained access to our Solution Center, an environment designed to demonstrate our products and test proofs-of-concept for Dell's commercial customer.”
According to one study ‘A deeper look into cybersecurity issues in the wake of Covid-19: A survey’, “three or four different cyber-attacks were reported on certain days” as criminals exploited organizational strain and reduced defenses. At the same time, traditional encryption-based ransomware has become less attractive. Encrypting systems is noisy and easier to detect, and once a victim restores from backups, the attackers lose leverage. Stealing data, on the other hand, gives criminals a long-term pressure point. They can threaten to leak sensitive information, shame companies publicly, or harass executives, often without triggering the same immediate alarms that encryption does.
Instead of focusing on locking victims out of their systems, attackers now concentrate on quietly stealing sensitive data and threatening to expose it unless a ransom is paid. This approach marks a clear break from earlier ransomware strains like the 1989 PC Cyborg Trojan or CryptoLocker. Today’s extortion-first campaigns work differently: attackers slip in unnoticed, exfiltrate valuable information, and then apply pressure through the threat of public leaks, often using dedicated leak sites and demanding payment in cryptocurrency.
As one major Computer Security academic study on ransomware during the pandemic explains, “The COVID-19 pandemic has witnessed a huge surge in the number of ransomware attacks. Different institutions such as healthcare, financial, and government have been targeted.” The same research shows how changing work patterns contributed to this shift, noting that “It appears working remotely in home-based environments (which is less secure compared to traditional institutional networks) could be one of the reasons” attackers found it easier to breach organizations and steal sensitive data at scale.
Researchers describe this evolution as a move toward ‘fear-based’ cybercrime. Rather than creating immediate disruption, these attacks aim to cause reputational damage, legal exposure, and personal embarrassment.
Modern extortion groups combine data theft with tactics like DDoS attacks or doxing to increase pressure, while using advanced techniques such as polymorphic malware and legitimate system tools to stay under the radar. By avoiding the loud signals that encryption creates, attackers can operate longer and more quietly.
From a criminal’s perspective, this model is also less risky. Deploying ransomware that encrypts files often triggers security alerts, and strong backup systems can limit the damage. Data theft, by contrast, is harder to detect and gives attackers lasting leverage, even after the initial breach. Conventional ransomware relied on victims’ willingness to pay, with mixed success rates and frequent failures to restore data. Extortion-first tactics take advantage of a different imbalance: organizations in high-stakes sectors like healthcare or finance often feel they have no choice but to respond when sensitive information is at risk of being exposed.
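The detection contrast described above, as an added example (not taken from the article or the studies it cites): constructed telemetry is run through two rules, one for the file-rewrite burst that encryption produces and one for egress volume measured against each host's own baseline. Host names, byte counts and both thresholds are assumptions chosen for illustration.

```python
from statistics import median

# Constructed telemetry (not real data): seven days of per-host egress bytes
# to external addresses, used as each host's baseline.
HISTORY = {
    "fileserver-01": [2.1e9, 1.8e9, 2.4e9, 2.0e9, 1.9e9, 2.2e9, 2.3e9],
    "hr-db-02":      [3.0e8, 2.6e8, 3.4e8, 2.9e8, 3.1e8, 2.8e8, 3.3e8],
}
TODAY = {
    # Encryption-style event: large rewrite burst, ordinary egress.
    "fileserver-01": {"egress_bytes": 2.2e9, "peak_rewrites_per_min": 4200},
    # Extortion-first event: files barely touched, egress far above baseline.
    "hr-db-02":      {"egress_bytes": 9.5e9, "peak_rewrites_per_min": 12},
}

REWRITE_BURST_THRESHOLD = 1000   # assumed tuning value
EGRESS_Z_THRESHOLD = 6.0         # assumed tuning value


def robust_z(value, baseline):
    """Modified z-score built on median and MAD, so one odd day in the
    baseline does not distort the result the way mean/stddev would."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def evaluate(history, today):
    """Return the list of rules that fired for each host."""
    alerts = {}
    for host, obs in today.items():
        fired = []
        if obs["peak_rewrites_per_min"] >= REWRITE_BURST_THRESHOLD:
            fired.append("mass_file_rewrite")
        if robust_z(obs["egress_bytes"], history[host]) >= EGRESS_Z_THRESHOLD:
            fired.append("egress_volume_anomaly")
        alerts[host] = fired
    return alerts


if __name__ == "__main__":
    for host, fired in evaluate(HISTORY, TODAY).items():
        print(host, fired)
```

A monitoring stack that only carries the first rule reports nothing for `hr-db-02`, which is the gap the data-theft model relies on.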
Ransomware has grown in volume and in variety. One of the main reasons is the rise of ransomware-as-a-service (RaaS), which has made cybercrime more accessible. Even attackers with limited technical skills can launch large-scale campaigns using ready-made tools and rented infrastructure.
The paper ‘Emerging Trends in Cybersecurity’ explains, “The escalating sophistication of cyber threats necessitates a critical examination of the efficacy of contemporary defenses,” especially as traditional security models struggle to keep pace. It goes on to say, “the severity and quantity of cybersecurity threats have significantly increased in recent years, leading to substantial financial losses and harm to the reputation of many businesses.”
This became notable during the pandemic. COVID-19 disruptions created the perfect storm: remote work expanded attack surfaces, economic pressure pushed more people toward cybercrime, and overburdened sectors like healthcare became easy targets.
Rather than relying on loud, disruptive file encryption, many attackers now focus on quietly stealing data and using it as leverage. Data theft is harder to detect, allows criminals to pressure victims over a longer period, and even makes it possible to target the same organization more than once.
Writing about ransomware’s evolution in ‘An economic analysis of ransomware and its welfare consequences’, economic researchers observe, “we would expect the criminals are refining their techniques, not only in terms of the malware component technology, but also regarding the economic tools they use to extract money from victims.”
Over the past decade, these tactics have evolved into multi-layered extortion schemes that combine data leaks with threats like DDoS attacks. The same analysis warns that “future attacks will probably evolve, slowly but surely, toward an optimal economic strategy,” especially as criminals learn to exploit victims’ willingness to pay and the long-term value of stolen information. This approach has been especially effective in healthcare, where stolen patient information carries long-term value and chronic staffing shortages often leave systems unpatched.
The Clop ransomware campaign tied to the MOVEit Transfer breach in 2023–2024 stands as one of the most defining examples of extortion-first attacks. Victims included major organizations such as the BBC, British Airways, Shell, multiple US government agencies, and hundreds of universities and private companies worldwide.
Rather than deploying traditional ransomware, the Clop group exploited a zero-day vulnerability in MOVEit to quietly steal massive volumes of sensitive data. They then launched a coordinated extortion campaign through their leak site, threatening to publish stolen files unless ransoms were paid.
Attackers gained initial access through social engineering, exploiting human trust rather than software flaws, and were able to move through MGM’s internal systems before exfiltrating sensitive corporate and customer data.
Although parts of MGM’s operations were temporarily disrupted, the real leverage came from the stolen information and the threat of public exposure. This tactic placed the company in a difficult position, facing downtime.
Ransomware is a type of malicious software that extorts victims by blocking access to systems or stealing data and demanding payment for restoration or non-disclosure.
Most ransomware infections start through phishing emails, malicious attachments, compromised websites, or stolen login credentials.
RaaS allows cybercriminals to rent ransomware tools from developers, lowering the technical barrier to launching attacks.
Double extortion combines data theft with system encryption to increase pressure on victims to pay.