Even ransomware actors tire of complicated encryption
They’re switching to exfil-only attacks.
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
Encryption is complicated, even for adversaries looking for the easiest way to ruin a CIO’s day.
Researchers are seeing ransomware actors abandon encryption for a method requiring less expertise: exfiltration-only.
Exfil ’er up! Exfil-only tactics include stealing a company’s sensitive data, posting victims’ names to a leak site, and threatening release of the information.
This method differs from encryption-based ransomware, in which attackers encrypt a target’s data, then demand money to unlock it.
A new report from insurer and security-platform provider At-Bay Security tracked a 450% increase in exfil-only offensives from Q3 to Q4 2025 (At-Bay declined to provide specific totals).
By eliminating encryption from their operational model, At-Bay said, threat groups no longer require sophisticated technical elements like a data locker and decryptor. This lowers the bar enough that rookies can easily join the adversarial fold.
“We’re seeing more threat actors get into this kind of business, and there’s a much lower bar to entry to conducting these exfil-only attacks than there is to working with an established group that has a locker, or going through the process of actually building a locker yourselves,” Laurie Iacono, director of threat intelligence at At-Bay, told us.
PEAR up! In June 2025, At-Bay discovered an exfil-only crew that hit at least 51 victims, targeting healthcare, manufacturing, and business-service orgs. This PEAR (“pure extraction and ransom”) group has separated itself from other rotten apples by harassing victims via text messages and threatening a staged release of terabytes of stolen data, according to At-Bay.
What’s driving exfil-only tactics? At-Bay revealed three reasons:
- No expertise needed. While some ransomware lockers are available in underground corners of the internet, a custom locker requires developer know-how.
- No technical failure. Even adversaries seek a level of reliability and don’t want to deal with a broken decryptor.
- No network “noise.” Encryption potentially triggers endpoint-detection technologies. (To stay quiet, attackers are also frequently using valid credentials and legitimate admin tools, At-Bay noted.)
BlackFog’s founder and CEO Darren Williams said encryption is being used sparingly these days and “about 96%” of his cybersecurity company’s recorded attacks since 2020 involve data exfiltration—a trend leading to double and triple extortions.
“Even if you do pay the attackers, how do you know they haven’t actually kept it, even though they haven’t disclosed it?” Williams told IT Brew, highlighting a major challenge when addressing non-encryption attacks.
Comparitech recorded 7,419 ransomware attacks globally in 2025, an increase of almost a third (32%) over the previous year’s numbers.
The ease of exfiltration over encryption has complicated ransomware response, given the higher number of individual actors to track.
“When we’re dealing with these lone-wolf or unknown actors, we don’t have a history with them, to help inform our clients of whether or not they are going to keep their word,” Iacono said.
At-Bay’s report also called for a rethinking of defensive strategies:
- Shift from malware detection to anomalous-activity detection. Iacono recommends capabilities including managed detection and response tools (which build user baselines proactively) as well as data leak prevention products (which spot assets leaving a network).
- Given how often attacks use legitimate credentials, orgs must not just monitor legacy VPNs but keep “robust logging” on account activity, particularly remote access.
- Move beyond “backup.” Organizations must plan for scenarios where confidentiality, not data integrity, is compromised, which requires preparation for breach notification, regulatory response, and reputation management rather than technical recovery.
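As an added illustration of the per-user baselining and “assets leaving the network” checks these recommendations describe (example code written for this page, not from At-Bay, BlackFog, or IT Brew): a small Python detector that builds each user’s daily egress baseline from constructed log lines, then flags a day far above that baseline or a transfer outside working hours. The log format, the 10x ratio and the 07:00 to 19:00 window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample egress records (not real telemetry): "timestamp,user,bytes_out".
SAMPLE_LOG = """\
2025-11-03T09:12:00,alice,120000
2025-11-04T10:05:00,alice,98000
2025-11-05T11:40:00,alice,110000
2025-11-06T02:15:00,alice,9800000000
2025-11-03T09:00:00,bob,50000
2025-11-04T09:30:00,bob,62000
2025-11-05T09:10:00,bob,58000
2025-11-06T09:05:00,bob,60000
"""

def parse_log(text):
    """Parse CSV-style egress lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        ts, user, nbytes = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "bytes": int(nbytes)})
    return records

def daily_totals(records):
    """Per-user list of (day, bytes_out) in date order: the unit the baseline is built on."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["ts"].date())] += r["bytes"]
    per_user = defaultdict(list)
    for (user, day), nbytes in sorted(totals.items()):
        per_user[user].append((day, nbytes))
    return per_user

def find_anomalies(records, baseline_days=3, ratio=10.0, work_hours=(7, 19)):
    """Flag (a) a day whose egress exceeds ratio x the user's own baseline (mean of their first baseline_days days) and (b) any transfer outside work_hours."""
    alerts = []
    for user, days in daily_totals(records).items():
        baseline = mean(b for _, b in days[:baseline_days])  # the user's own "normal"
        for day, nbytes in days[baseline_days:]:
            if nbytes > ratio * baseline:
                alerts.append((user, day.isoformat(), "egress_spike"))
    for r in records:  # the off-hours check applies per transfer, not per day
        if not work_hours[0] <= r["ts"].hour < work_hours[1]:
            alerts.append((r["user"], r["ts"].isoformat(), "off_hours_transfer"))
    return sorted(alerts)
```

The same baseline-and-deviation shape applies to remote-access login logs: replace bytes out with logins per day and the off-hours rule with a new-source-location rule.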
“Criminals are not known for their hard work ethic. They’re known to look for the lowest common denominator and the least amount of work they can do to extort you for money,” Williams said.