
Ransomware Without Encryption: When Attackers Just Steal and Threaten
The classic image of a ransomware attack is a screen full of locked files and a countdown demanding payment for the key. That picture is going out of date. A growing number of groups have dropped the encryption entirely. They break in, quietly steal your most sensitive data, and then simply threaten to publish it unless you pay. It is ransomware without the ransomware, and it changes what defence has to look like.
The shift is driven by cold efficiency: stealing data is faster, quieter and harder to recover from than encrypting it.
What it comes down to: many attackers no longer bother to encrypt anything. They gain access the usual way, copy out sensitive files, and demand payment under threat of leaking them. Because nothing is locked, your backups cannot save you, and a good recovery plan cannot un-leak stolen data. That makes preventing the theft, and spotting it fast, more important than ever.
Why encryption is being left behind

Encrypting a large environment is noisy and slow. It takes time, it is likely to trip alarms, and it hands the victim a clean way out if their backups are good. Pure data theft avoids all of that. It is quieter, quicker, and leaves the victim with far less leverage: you can restore encrypted systems from backup, but you cannot restore your way out of a leak. The reputational, regulatory and legal consequences of exposed customer or employee data give the attacker a threat that a backup simply does not answer. Many groups also found that data-theft extortion is easier to run and just as profitable, so the business model shifted with it.
Why backups are no longer enough
Backups remain essential; they are what let you recover from encryption, hardware failure or a wiper. But against pure extortion they miss the point. The damage is not that you have lost access to your data, it is that someone else now has a copy of it. No restore undoes that. Defence has to move upstream, to stopping the intrusion and the exfiltration, rather than relying on recovery after the fact.
How to defend against data extortion
Stop the intrusion at the front door
The way in is unchanged: a phished credential, a reused password, or an unpatched internet-facing system. Multi-factor authentication, prompt patching and disabling legacy access remain the highest-value controls, because preventing the foothold prevents the theft.
Limit what any account can reach
Apply least privilege and segment your data so a single compromised account cannot sweep up everything. The less any one identity can access, the less an attacker can carry away.
Watch for data leaving
Because the crucial event is exfiltration, invest in spotting it: alerts on large or unusual outbound transfers, access to sensitive stores out of pattern, and use of unfamiliar tools or cloud destinations. Catching the theft in progress is your best chance to limit it.
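The two signals described above, unusually large outbound volume and transfers to a destination a host has never used before, can be checked against per-host history. The sketch below is an added example, not part of the original article; the flow records, host names, destinations and thresholds are constructed assumptions, and real input would come from firewall, proxy or cloud flow logs.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (day, source host, destination, bytes sent out).
FLOWS = [
    (1, "fs01", "backup.corp.example", 2_000_000_000),
    (2, "fs01", "backup.corp.example", 2_100_000_000),
    (3, "fs01", "backup.corp.example", 1_900_000_000),
    (1, "ws17", "mail.corp.example", 40_000_000),
    (2, "ws17", "mail.corp.example", 55_000_000),
    (3, "ws17", "mail.corp.example", 45_000_000),
    (4, "fs01", "backup.corp.example", 2_050_000_000),  # day 4 is under review
    (4, "ws17", "mail.corp.example", 50_000_000),
    (4, "ws17", "files.storage.example", 6_000_000_000),
]

def build_baseline(flows, review_day):
    """Per-host median daily outbound bytes and known destinations before review_day."""
    daily = defaultdict(lambda: defaultdict(int))
    known = defaultdict(set)
    for day, host, dest, sent in flows:
        if day < review_day:
            daily[host][day] += sent
            known[host].add(dest)
    return {h: median(d.values()) for h, d in daily.items()}, known

def find_alerts(flows, review_day, ratio=5, new_dest_min=100_000_000):
    """Return (host, reason, detail) alerts for review_day (thresholds are assumptions)."""
    typical, known = build_baseline(flows, review_day)
    totals, per_dest = defaultdict(int), defaultdict(int)
    for day, host, dest, sent in flows:
        if day == review_day:
            totals[host] += sent
            per_dest[(host, dest)] += sent
    alerts = []
    for host, sent in sorted(totals.items()):
        base = typical.get(host)
        # A host with no history, or one far above its own median, is flagged.
        if base is None or sent > ratio * base:
            alerts.append((host, "volume", sent))
    for (host, dest), sent in sorted(per_dest.items()):
        # Ignore small transfers to new destinations to keep the noise down.
        if dest not in known[host] and sent >= new_dest_min:
            alerts.append((host, "new_destination", dest))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(FLOWS, review_day=4):
        print(alert)
```

Baselining each host against its own history is what lets the file server's routine 2 GB backup pass while a workstation sending 6 GB to a new destination is flagged.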
Protect the human entry point
Since phishing starts most of these attacks, keep training sharp with realistic phishing simulations, and make it easy to report a suspicious email before anyone clicks.
The bottom line
Ransomware has evolved from locking your data to stealing it, and that quietly rewrites the defensive priorities. When the threat is a leak rather than an outage, backups still matter but no longer suffice on their own. The emphasis moves to prevention and early detection: keep attackers out with MFA and patching, limit what any account can reach, and watch closely for data slipping out the door. You cannot restore your way out of a leak, so the goal is to make sure the data never leaves in the first place.
