Skip to content

You thought you knew how ransomware worked. Now, it’s all changing.

Most of us are familiar with the basic outline of ransomware. Attackers — who are increasingly part of a ransomware gang, working for a motivated nation-state, or purchasing ransomware through a RaaS subscription — gain unauthorized access to a system. They then encrypt vital data and withhold the decryption key until the organization pays the requested ransom.

In the past, this was the modus operandi for the majority of ransomware attacks. But recently, security experts have flagged an increase in new variants of ransomware that don’t bother to encrypt data at all. Below, we’ll explain how encryption-less ransomware works — and how it can be mitigated.

What is encryption-less ransomware?

Also known as “extortion-only ransomware,” encryption-less ransomware works by skipping the process of encryption altogether. Instead, attackers gain unauthorized access to a company’s systems, exfiltrate sensitive data, and threaten to publish that data unless the company pays the ransom. The goal is to extort victims — typically by threatening to sell or release information on the dark web — while still allowing access to critical systems and business operations to continue.

A spring 2023 analysis from Zscaler noted encryption-less ransomware techniques as one of the most noteworthy trends within the broader 40% increase in ransomware attacks over the last year. Within that year, at least 25 new ransomware families using double extortion or encryption-less techniques have emerged.

Why is encryption-less ransomware on the rise?

The digital landscape today is complex, and the cybercriminal ecosystem is no exception. The rise of encryption-less ransomware is similarly complex and can’t be attributed to a single cause. But we’ll explain a few of the contributing factors that have led to the recent uptick in encryption-less ransomware attacks.

Encryption-less ransomware is responding to new security tools

By some accounts, encryption-less attacks are the natural evolution of ransomware. In the face of newer, better decryption tools, encryption-based ransomware no longer packs the same punch. Instead, attackers are having to evolve their tactics to outrun the development of new ransomware mitigation tools.

For instance, analysis of the prolific hacking group BianLian shows that it’s moved away from double extortion methods, which employ traditional encryption techniques, as a response to the release of Avast’s publicly available decryptors.

Additionally, the emergence of better backup solutions means that companies can more easily restore files they’re locked out of. These backup technologies, many of which are cloud-based, allow businesses to create secure copies of their valuable data at regular intervals and simplify recovery from traditional encryption-based ransomware. As a result, attackers are relying more and more on data exfiltration for leverage over companies that no longer need to pay for a decryption key.

Encryption-less ransomware is more difficult to detect

Traditional ransomware thrives by disruption. The whole purpose of encryption-based ransomware is to lock an organization out of its critical systems and disturb its operations enough to demand a payment.

Encryption-less ransomware, on the other hand, is more subtle and difficult to detect. Since it does not rely on disrupting business operations, an organization may not realize it’s been attacked until it receives the ransom demand.

While this lower profile can help companies avoid the public consequences of a data breach (e.g. reputational damage), it also means that victims are less likely to report an attack to the authorities. This in turn makes it more difficult for cybersecurity agencies to detect and stop ransomware variants from spreading.

Encryption-less ransomware is effective

We know that most companies are extremely eager to avoid the regulatory fines, reputational damage, and loss of revenue from a data breach. Given the choice between paying a ransom and having their sensitive data published or sold on the internet, many companies will go along with an attacker’s demands. We’ve already seen the success of this encryption-less extortion technique spread from the original ransomware groups like Babuk to new families like Donut, RansomHouse, and BianLian.

We can also see plenty of examples of the tactic already in effect. In December 2023, for example, a hacker posted data for sale that was allegedly stolen from Swedish vehicle manufacturer Volvo Cars. Although the seller’s claims were disputed, the Volvo data was alleged to include information on existing and future vehicle models, development systems, and employee information.

Encryption-less ransomware is easier for attackers

Finally, encryption-less ransomware is becoming more common simply because it’s easier for attackers. Cybercriminals no longer have to go through the laborious and time-consuming process of encrypting critical information, which requires substantial technical skill and software engineering expertise, or pay a subscription fee for ransomware as a service.

Instead, attackers can achieve the same overall results by simply exfiltrating the data they need. As the 2023 Zscaler report explained, the tactic “results in faster and larger profits for ransomware gangs by eliminating software development cycles and decryption support.”

What can companies do about encryption-less ransomware?

The main threat of encryption-less ransomware lies in the possibility that an organization’s sensitive data will be sold or publicly exposed. The solution is to strengthen data privacy and security measures across the business, preventing unauthorized access to all sensitive data.

Conduct regular security audits. As ever, the first step in tackling a cyberthreat is understanding your company’s assets, systems, and vulnerabilities. To stay safe against both traditional encryption-based ransomware and encryption-less variants, organizations will need to conduct systematic evaluations of their information systems, policies, and procedures. Those evaluations can be conducted via internal audits, external audits performed by third-party experts, and even automated assessments using specialized software, but they must happen regularly to keep systems updated and secure.

Implement stringent access controls. The Cybersecurity and Infrastructure Security Agency recommends a number of measures to restrict access to sensitive data and essential systems. Companies should implement phishing-resistant MFA, including password-less MFA that incorporates verification features like device pins or biometrics. Companies should also implement identity and access management (IAM) systems that can monitor and manage roles and access privileges. They may even consider subscribing to credential monitoring services that monitor the dark web for compromised credentials. 

Employ state-of-the-art tools. A number of technologies, both ransomware-specific and otherwise, exist to prevent access to sensitive data. Businesses may employ a combination of intrusion detection systems, real-time monitoring tools, endpoint protection software, disaster recovery solutions, and ML-/AI-assisted behavior analysis to protect their data.

Mitigate encryption-less ransomware with ShardSecure. Lastly, organizations may consider using the ShardSecure platform for advanced data privacy and security. Our technology mitigates extortion-based ransomware attacks by rendering data unintelligible to unauthorized users. If an attacker manages to directly access an organization’s storage locations, that data remains illegible and unexploitable. The ShardSecure platform also offers data integrity checks, high availability, and self-healing features to mitigate the impact of traditional encryption-based ransomware attacks.

To learn more about ShardSecure’s benefits for mitigating ransomware and securing data, take a look at our white paper or visit our website.


Encryption-Less Ransomware: Warning Issued Over Emerging Attack Method for Threat Actors | ITPro

Decrypted: BianLian Ransomware | Avast Threat Labs

Cost of a Data Breach 2023 | IBM

Zscaler Sees Sharp Increase in Ransomware Attacks with Encryptionless Extortion and RaaS | SDxCentral

Hacker Selling Data Allegedly Stolen From Volvo Cars Following Ransomware Attack | SecurityWeek

Cyber Resource Hub | CISA

#StopRansomware Guide | CISA