Security researchers have issued a warning over the growing threat of encryption-less ransomware amid a period of evolving threats by sophisticated hacker groups.
Analysis from Zscaler revealed there has been a 40% increase in ransomware attacks over the last year and identified encryption-less ransomware techniques as “one of the most noteworthy trends” now observed among threat actors.
Across the year, 25 new ransomware families were identified using either double extortion or encryption-less techniques, highlighting the growing popularity of this method among cyber criminals.
“In 2021, ThreatLabz observed 19 ransomware families that adopted double or multi-extortion approaches to their cyber attacks. This has since grown to 44 ransomware families observed,” the firm said.
Encryption-less ransomware attacks originally began with groups like Babuk and SnapMC, Zscaler’s study said. However, researchers have observed a host of new groups adopting this method, including RansomHouse, BianLian, and Karakurt.
What is encryption-less ransomware?
Encryption-less ransomware attacks differ in technique from traditional methods, whereby threat actors compromise an organization, encrypt data, and demand a ransom for its recovery on the threat of publicly releasing stolen data.
This technique, also known as ‘extortion-only’ attacks, essentially skips over the process of encryption, Zscaler said, while still maintaining the tactic of threatening to leak victims’ data online if they don’t pay.
RELATED RESOURCE
In doing this, threat actors are able to skip a laborious part of the attack process - encryption - while still achieving the same overall results and often generating larger profits from an attack.
Developing effective encryptor payloads also requires a level of software engineering expertise that may dissuade cyber criminals from considering ransomware operations.
“This tactic results in faster and larger profits for ransomware gangs by eliminating software development cycles and decryption support,” Zscaler said.
Among the most prolific groups currently employing this attack method is BianLian, according to research from LogPoint.
Analysis of the hacker group’s operations in recent months shows that it has pivoted away from double extortion methods due to the emergence of publicly available decryptor tools, such as those released by Avast.
“Upon the public release of a decryptor from Avast in January 2023, the group resorted to an intensified extortion-only modus operandi, with no system encryption,” the security firm said.
Other groups known to have employed an extortion-only model in recent years include LAPSUS$ and the infamous Cl0p ransomware outfit.
During the GoAnywhere breach, Cl0p deviated from its traditional double extortion tactic and opted for a pure extortion attack.
It was also observed employing the pure extortion method during the MOVEit breach earlier this month which is believed to have affected numerous other organizations in what is the second major supply chain attack of the year.
Hackers ‘flying under the radar’ with encryption-less ransomware
Deepen Desai, global CISO and head of security research at Zscaler, said the growing trend of encryption-less ransomware techniques is enabling threat actors to operate unseen and often with impunity.
“Ransomware authors are increasingly staying under the radar by launching encryption-less attacks which involve large volumes of data exfiltration,” he said.
Although victims are still severely impacted by these attacks and incur significant financial burdens, the technique is often harder to detect and receives less attention from authorities because they do not lock files and systems.
Similarly, this method results in less downtime for affected organizations faced with a lengthy recovery process.
This lesser rate of disruption means that victims are less likely to report incidents, Zscaler warned.
“Encryption-less extortion attacks tend to not disrupt their victims’ business operations - which subsequently results in lower reporting rates.”
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
