Your backups are clean. Your recovery point objective is met. You could be back online in four hours.
It doesn’t matter. The attackers already left with 200 GB of customer data — and they’re not asking you to pay to decrypt anything. They’re asking you to pay to keep quiet.
TL;DR
- Data-only extortion attacks surged 11× in one year — 22% of incidents now involve no encryption at all
- 28 new or rebranded ransomware groups appeared between January and May 2026
- The fastest-growing attack pattern: steal data, skip encryption, threaten exposure
- Cloud misconfigurations and unrotated API keys are replacing phishing as the entry point
- Backups don’t protect against extortion — the threat model has fundamentally changed
Why This Matters to You
If your incident response plan assumes the attacker’s goal is to encrypt your systems, you’re defending against last decade’s threat. The attack surface has shifted from endpoints to cloud credentials, from file systems to SaaS data, and from disruption to silent exfiltration.
Backup strategy alone is no longer a ransomware defense. It’s a recovery option — and only for one half of the problem.
The Numbers: 2026 So Far
Check Point Research counted 2,122 victims posted on ransomware data leak sites in Q1 2026 — the second-highest first quarter on record. The top 10 groups claimed 71% of those victims, the highest concentration since early 2024.
The established players still dominate by raw volume:
| Group | Victims (2026) | Notes |
|---|---|---|
| Qilin | 540 | Most active group three quarters running |
| The Gentlemen | 337 | Exploits ~14,700 pre-compromised FortiGate devices |
| Akira | 253 | Consistent high-disruption targeting |
| IncRansom | 204 | Targeted 16 law firms in a single Q1 campaign |
| DragonForce | 181 | RaaS; uses BYOVD to disable security tools |
| NightSpire | 158 | Exploits FortiOS CVE-2024-55591; recently launched RaaS program |
| LockBit 5.0 | 141 | Rebounded post-2024 law enforcement action |
| Play | 137 | 85% of victims US-based |
| Cl0p | 129 | Supply-chain attacks via enterprise software (Oracle EBS) |
| CoinbaseCartel | 109 | No encryption — pure data exfiltration |
These numbers tell one story. There’s another one underneath: 28 new or rebranded groups appeared in the same five-month window. None of them come close to the top 10 by victim count. But several are doing something the established groups largely haven’t — skipping encryption entirely. That’s the shift worth watching.
The Shift: Extortion Without Encryption
Data-only extortion attacks surged elevenfold over the past year. In 2024, only 2% of ransomware incidents involved exfiltration without encryption. By late 2025, that number had reached 22%. The trend is accelerating into 2026 — and it’s already visible in the top 10: CoinbaseCartel operates without an encryptor at all.
Why attackers are dropping the encryptor
Encryption is operationally expensive. It requires deploying a payload onto target systems, which means runtime execution that EDR (Endpoint Detection and Response) tools can detect. It leaves forensic artifacts. It triggers backup recovery plans that reduce leverage.
Exfiltration-only attacks are quieter. An attacker who moves 100 GB out over three weeks through normal HTTPS traffic may never trigger a single alert. When they finally make contact, the victim can’t “just restore from backup” — the data is already gone.
The pressure is the same either way. Stolen data triggers GDPR fines, breach notification obligations, customer lawsuits, and reputational damage — whether or not a single file was ever encrypted.
Two attack patterns driving the trend
The first pattern targets healthcare and other high-sensitivity sectors. The approach is credential-first: obtain access through infostealer-harvested logins, move laterally using legitimate admin tools, exfiltrate patient records, tax documents, and personnel files. There is no encryption, no decryption key to negotiate, and no system to restore. The only lever is the threat of exposure — which is especially effective against organizations with strict data protection obligations.
The second pattern is cloud-native. Rather than compromising endpoints at all, these attackers target unrotated API keys and misconfigured cloud permissions — credentials that are often sitting in public repositories or leaked configuration files. The attack flow is straightforward: find a valid key, authenticate to cloud storage or a database, exfiltrate, then make contact. No malware. No lateral movement. No encryption. The entire operation can complete in hours, and traditional network monitoring won’t flag it because the access looks legitimate — it’s using real credentials through normal HTTPS channels.
Both patterns share the same core logic: the data is the weapon, not the encryptor.
The Babuk Legacy
Not every new group has abandoned encryption. A significant portion of the 2026 newcomers are built on Babuk ransomware source code, which leaked in September 2021 when a disgruntled group member published it publicly. Researchers have since identified at least ten distinct ransomware families derived from that leak.
Babuk was cross-platform (Windows and ESXi/Linux), and its encryption was solid enough to prevent easy decryption without paying. When the source code became public, the barrier to entry collapsed. Any threat actor with basic development skills could compile a working ransomware payload without building anything from scratch.
The 2026 variants don’t just copy Babuk — they improve on it. Common modifications include replacing the original HC-128 cipher with ChaCha20, adding anti-forensic capabilities, and repackaging under a RaaS (Ransomware-as-a-Service) model where the tooling is licensed to affiliates who run the actual intrusions.
The Babuk leak permanently lowered the barrier to entry, and it hasn’t risen since. The result is a steady stream of encryption-capable groups that take minimal technical investment to stand up — which is part of why 28 new or rebranded groups can appear in five months without any single one being particularly sophisticated.
Cloud Is the New Perimeter
The cloud-native attack pattern described above isn’t an edge case — it reflects a structural shift in how organizations store and expose data.
The attack surface has expanded dramatically as workloads moved to cloud providers. Storage buckets, database credentials, API gateways, and SaaS OAuth tokens can all be exposed through a single misconfiguration or an unrotated secret. Scanning for these exposures is cheap and scalable. A single valid API key to a cloud storage bucket can yield terabytes of data without touching a single endpoint.
This matters for defenders because the detection logic is different. There’s no malicious binary to flag. No anomalous process. No file extension change. The attacker looks like a legitimate service account doing legitimate things — until the exfiltration volume becomes impossible to ignore.
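The detection logic this paragraph calls for is volume-based rather than malware-based. The following is an added example (not code from the original post): it aggregates bytes read per principal over constructed records shaped like CloudTrail S3 GetObject data events, and flags any identity whose outbound volume exceeds either an absolute limit or a multiple of its own baseline. The ARNs, IPs, baseline figures and thresholds are all constructed.

```python
from collections import defaultdict

# Constructed per-principal daily baseline (bytes read per day); in practice built from history.
BASELINE_BYTES = {"arn:aws:iam::123456789012:user/ci-deploy": 50_000_000,
                  "arn:aws:iam::123456789012:role/report-job": 2_000_000_000}
KNOWN_IPS = {"arn:aws:iam::123456789012:user/ci-deploy": {"10.0.1.5"},
             "arn:aws:iam::123456789012:role/report-job": {"10.0.4.21"}}
ABS_THRESHOLD = 1_000_000_000   # 1 GB out in the window is always worth a look
RATIO = 10                      # ...as is 10x the principal's own daily baseline

def ev(time, arn, ip, key, out):
    """Build a record shaped like a CloudTrail S3 GetObject data event (constructed)."""
    return {"eventTime": time, "eventName": "GetObject", "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "requestParameters": {"key": key},
            "additionalEventData": {"bytesTransferredOut": out}}

CI = "arn:aws:iam::123456789012:user/ci-deploy"
JOB = "arn:aws:iam::123456789012:role/report-job"
SAMPLE_EVENTS = [  # constructed: a CI key pulling exports from a new IP, and a normal report job
    ev("2026-03-02T01:10:00Z", CI, "203.0.113.7", "exports/customers-01.csv", 600_000_000),
    ev("2026-03-02T01:12:00Z", CI, "203.0.113.7", "exports/customers-02.csv", 700_000_000),
    ev("2026-03-02T01:15:00Z", CI, "203.0.113.7", "backups/db-2026-03-01.sql.gz", 2_100_000_000),
    ev("2026-03-02T02:00:00Z", JOB, "10.0.4.21", "reports/monthly.parquet", 1_500_000_000),
    ev("2026-03-02T02:05:00Z", JOB, "10.0.4.21", "reports/weekly.parquet", 300_000_000),
]

def find_exfil_candidates(events, baseline=BASELINE_BYTES, known_ips=KNOWN_IPS):
    """Sum GetObject bytes out per principal over the events given (one window) and
    flag principals whose volume exceeds max(ABS_THRESHOLD, RATIO * baseline).
    Returns {arn: {"bytes", "objects", "limit", "new_ips"}} for flagged principals."""
    agg = defaultdict(lambda: {"bytes": 0, "objects": 0, "ips": set()})
    for e in events:
        if e.get("eventName") != "GetObject":
            continue                      # writes and listings are not the exfil signal here
        a = agg[e["userIdentity"]["arn"]]
        a["bytes"] += e.get("additionalEventData", {}).get("bytesTransferredOut", 0)
        a["objects"] += 1
        a["ips"].add(e["sourceIPAddress"])
    flagged = {}
    for arn, a in agg.items():
        limit = max(ABS_THRESHOLD, RATIO * baseline.get(arn, 0))
        if a["bytes"] > limit:
            flagged[arn] = {"bytes": a["bytes"], "objects": a["objects"], "limit": limit,
                            "new_ips": sorted(a["ips"] - known_ips.get(arn, set()))}
    return flagged

if __name__ == "__main__":
    for arn, f in find_exfil_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT {arn}: {f['bytes']/1e9:.1f} GB over {f['objects']} objects, new IPs {f['new_ips']}")
```

The report job moves almost 2 GB and is not flagged because that is within its baseline; the CI key moves 3.4 GB against a 50 MB baseline from an IP it has never used, which is the "legitimate credential, illegitimate volume" pattern the text describes.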
What You Can Do Today
The threat model has changed on two fronts simultaneously: the goal has shifted from disruption to exfiltration, and the entry point has shifted from endpoints to cloud credentials. Defenses need to address both.
Against extortion-only attacks:
- Implement DLP (Data Loss Prevention) monitoring on outbound traffic — large transfers to unusual destinations should alert
- Classify your most sensitive data and apply stricter egress controls
- Assume breach: know what data you hold, where it lives, and what your notification obligations are if it’s exposed
Against cloud-native attacks:
- Audit API keys and service account credentials — rotate anything older than 90 days
- Enable cloud provider security tooling (AWS GuardDuty, Azure Defender, GCP Security Command Center) and review the alerts
- Scan public repositories for accidentally committed credentials — tools like TruffleHog and Gitleaks automate this
- Apply least privilege aggressively to IAM roles, cloud storage, and database access
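One way to run the "rotate anything older than 90 days" audit against AWS, as an added example that is not part of the original post: the IAM credential report (`aws iam get-credential-report`, base64-decoded) is a CSV with one row per user and columns for each access key's active flag, last rotation and last use. The rows below are constructed and the audit date is fixed so the sample is reproducible; the function itself reads only the access-key columns, so it works on a real report unchanged.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed rows in the layout of the IAM credential report (`aws iam get-credential-report`).
# The real report has more columns (password_*, mfa_active, cert_*); DictReader ignores extras,
# so the same function works on the decoded report unchanged.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,true,2025-09-10T08:00:00+00:00,2026-03-01T11:02:00+00:00,false,N/A,N/A
etl-legacy,arn:aws:iam::123456789012:user/etl-legacy,true,2024-02-14T09:30:00+00:00,N/A,true,2026-02-20T09:30:00+00:00,2026-03-01T00:10:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,2026-01-05T10:00:00+00:00,2026-02-28T16:45:00+00:00,false,N/A,N/A
"""
AUDIT_DATE = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)  # constructed "now" for the sample

def stale_keys(report_csv, now, max_age_days=90):
    """Return [(user, slot, age_days, last_used)] for every *active* access key whose
    last rotation is older than max_age_days. last_used is "never" when the report
    has no usage record, the strongest signal that the key can simply be deleted."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue                               # inactive keys cannot authenticate
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days
            if age > max_age_days:
                used = row[f"access_key_{slot}_last_used_date"]
                findings.append((row["user"], slot, age, "never" if used == "N/A" else used))
    return findings

if __name__ == "__main__":
    for user, slot, age, used in stale_keys(SAMPLE_REPORT, AUDIT_DATE):
        print(f"ROTATE {user} key {slot}: {age} days old, last used {used}")
```

In the sample, the CI key is 173 days old and still in daily use (rotate it), while the legacy ETL user's first key is over two years old and has never been used (delete it); the second, recently rotated ETL key and alice's 56-day-old key pass.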
For incident response planning:
- Update your IR playbooks to cover exfiltration-only scenarios — the decision tree is different from encryption
- Know your breach notification deadlines before an incident happens, not during one
- Have legal and communications plans ready — extortion without encryption is still extortion, and regulators treat it the same way
Sources
- The State of Ransomware – Q1 2026 — Check Point Research
- Ransomware Without Encryption: Why Pure Exfiltration Attacks Are Surging — Morphisec
- Data-only extortion grows as ransomware gangs seek better profits — Cybersecurity Dive
- Mutation Effect of Babuk Code Leakage — SOCRadar
- Hypervisor Ransomware: Multiple Groups Hop on Leaked Babuk Code — SentinelOne
- Ransomware and Cyber Extortion in Q1 2026 — ReliaQuest
- A New Data Theft Gang for the Health Sector to Lose Sleep Over — BankInfoSecurity
- ransomware.live — New Groups 2026