The classic ransomware operator does two things: steals data and encrypts the network. In 2026, a growing share of operators are doing only the first. Cl0p has been the most visible example, with multiple major campaigns in which no encryption was deployed at all: just data theft and an extortion demand. The model is winning, and the reasons are structural.
Why drop the encryption?
Encryption introduces operational risk for the operator. The encryptor binary itself is reverse-engineered the moment it lands in any major IR firm’s lab. Researchers occasionally find decryption flaws and release free decryptors. The encryption phase itself is loud: EDR tools fire on it, and it raises the chance of detection mid-attack.
Skipping encryption removes all of that. No binary to reverse-engineer, no decryptor risk, no loud encryption phase. The attacker exfiltrates quietly, leaves cleanly, and starts the extortion conversation from outside the victim’s network. The operational risk profile is meaningfully better.
Why the threat still works
Encryption used to be the leverage. In 2026 it isn’t: most well-run organisations have backups they trust and can rebuild from. The leverage that actually moves the needle in negotiations is the data-leak threat: regulatory exposure, customer trust damage, internal-communications embarrassment, intellectual property loss.
If the leverage was always the data, why bother with the encryption at all? That logic finally landed with operators in 2024, and the trend has accelerated since.
The detection challenge
Pure-extortion attacks are harder to detect than encrypting attacks because the loud phase is missing. The attacker enters quietly via a stealer-log credential or VPN exploit, moves laterally with stolen credentials, exfiltrates to a cloud-storage destination over a few days, and leaves. No mass file-modification event. No ransom note on the desktops. The first indication of the breach is often the operator’s outreach, sometimes weeks after the actual exfiltration.
Detection has to shift. Egress monitoring matters more. Anomalous data-volume movement to cloud-storage destinations matters more. Identity-side telemetry (impossible-travel logins, anomalous service-account usage) matters more. EDR-only detection doesn’t catch the pure-extortion model reliably.
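As an added example (not code from the original article), the two detections the paragraph above calls for, run over constructed sample telemetry: a per-host egress-volume check against that host's own baseline for traffic to cloud-storage destinations, and an impossible-travel check over consecutive logins per account. The flow records, login records, hostnames, domains, coordinates and the cloud-storage domain list are all constructed assumptions; in practice the domain list would come from your proxy's URL categories and the baseline from a longer history than the few days shown here.

```python
"""Two detections for the pure-extortion model, run over constructed logs.

1. egress_anomalies: outbound bytes per host to cloud-storage destinations,
   compared with that host's own mean over earlier days.
2. impossible_travel: consecutive logins for one account whose distance
   could not be covered in the elapsed time at a plausible speed.
Every record below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed set of destinations worth watching for exfiltration (placeholder list).
CLOUD_STORAGE_DOMAINS = {"mega.nz", "storage.example-cloud.net", "files.example-drive.com"}

# Constructed proxy/egress records: (day, host, destination domain, bytes out)
EGRESS_LOG = [
    ("2026-03-01", "ws-fin-07", "mega.nz", 12_000_000),
    ("2026-03-02", "ws-fin-07", "mega.nz", 9_000_000),
    ("2026-03-03", "ws-fin-07", "mega.nz", 15_000_000),
    ("2026-03-04", "ws-fin-07", "mega.nz", 11_000_000),
    ("2026-03-05", "ws-fin-07", "mega.nz", 2_300_000_000),          # ~200x the baseline
    ("2026-03-05", "ws-fin-07", "cdn.example-updates.com", 900_000_000),  # not a storage dest
    ("2026-03-01", "ws-eng-12", "files.example-drive.com", 50_000_000),
    ("2026-03-05", "ws-eng-12", "files.example-drive.com", 60_000_000),
]

# Constructed identity records: (ISO timestamp, account, latitude, longitude, city)
LOGIN_LOG = [
    ("2026-03-05T08:02:00", "svc-backup", 51.5074, -0.1278, "London"),
    ("2026-03-05T08:47:00", "svc-backup", 40.7128, -74.0060, "New York"),
    ("2026-03-05T09:10:00", "j.doe", 48.8566, 2.3522, "Paris"),
    ("2026-03-05T17:30:00", "j.doe", 51.5074, -0.1278, "London"),
]


def egress_anomalies(records, ratio=10.0, min_baseline_days=3):
    """Return (host, day, bytes, multiple-of-baseline) for days whose storage-bound
    volume exceeds `ratio` x the host's mean over earlier days. Hosts with fewer
    than `min_baseline_days` of prior history are skipped: no baseline, no verdict."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    for day, host, dest, nbytes in records:
        if dest in CLOUD_STORAGE_DOMAINS:
            daily[host][day] += nbytes
    findings = []
    for host, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_baseline_days:
                continue
            baseline = sum(history) / len(history)
            if per_day[day] > ratio * baseline:
                findings.append((host, day, per_day[day], round(per_day[day] / baseline, 1)))
    return findings


def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine, mean Earth radius)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(logins, max_kmh=900.0):
    """Return (account, from_city, to_city, km, hours) for consecutive logins
    that imply travel faster than `max_kmh` (roughly airliner speed)."""
    by_account = defaultdict(list)
    for ts, acct, lat, lon, city in logins:
        by_account[acct].append((datetime.fromisoformat(ts), lat, lon, city))
    findings = []
    for acct, events in by_account.items():
        events.sort()  # chronological order per account
        for (t1, la1, lo1, c1), (t2, la2, lo2, c2) in zip(events, events[1:]):
            dist = _km(la1, lo1, la2, lo2)
            if dist < 1.0:
                continue  # same place, nothing to compute
            hours = (t2 - t1).total_seconds() / 3600
            if hours <= 0 or dist / hours > max_kmh:
                findings.append((acct, c1, c2, round(dist), round(hours, 2)))
    return findings


if __name__ == "__main__":
    for f in egress_anomalies(EGRESS_LOG):
        print("egress anomaly:", f)
    for f in impossible_travel(LOGIN_LOG):
        print("impossible travel:", f)
```

Run as a script it reports one egress finding (ws-fin-07 on 2026-03-05) and one impossible-travel finding (svc-backup, London to New York in 45 minutes); ws-eng-12 is not flagged because it has too little history to form a baseline, and j.doe's Paris-to-London hop is within plausible speed. The baseline here is a plain mean over prior days; a production version would use a longer window and a robust statistic so that one earlier spike does not raise the bar for the next.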
The defensive priority shift
For organisations whose ransomware preparation has focused on backup-and-restore, the pure-extortion shift makes the existing playbook insufficient. Backups don’t help when the threat is “we’ll publish your customer database.” The new control set has to include data classification (knowing what would actually hurt to leak), DLP at the egress (catching exfiltration in progress), and a reduced data footprint (fewer crown jewels means less leverage for the operator).
Who’s running this model
Cl0p remains the highest-profile example, particularly in the wave of MOVEit-style exploitations. Several of the mid-tier operators (BianLian, Karakurt) run primarily extortion-only operations. RansomHub and others run a hybrid where encryption is optional based on the affiliate’s preference and the target’s profile.
Expect the share of pure-extortion incidents to keep growing through 2026. The defender adjustment is straightforward in concept and slow in practice: the data is the prize, the data is what to protect, and the controls that protect data are different from the controls that protect uptime. Both matter. The latter has had more attention. The former needs more.
