Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Cybercrime

Ransomware ditched encryption in May 2026 — here’s why

Ransomnews Research TeamBy Ransomnews Research TeamMay 22, 2026No Comments14 Mins Read1,103 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Ransomware encryption-less extortion shift May 2026
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

Published 17 May 2026, by the Ransomnews Research Team.

Ransomware in May 2026 looks structurally different from ransomware in May 2024. The headline incidents of the past two weeks, ShinyHunters compromising Instructure (Canvas LMS) and exposing data on roughly 275 million students and staff across 9,000 schools, the Nitrogen gang exfiltrating 11 million files and 8 TB from Foxconn’s North American operations, the Coinbase Cartel hitting Grafana, share a feature that would have surprised an analyst even eighteen months ago. None of them needed to encrypt anything to do real damage.

This isn’t a one-off pattern. It’s the surface of a structural shift. Kaspersky’s State of Ransomware 2026 reports that ransom payment rates have collapsed to 28%, barely a quarter of victims pay, and several of the most active operators have responded by dropping the encryption stage entirely. The new model is pure data extortion: steal it, threaten to publish it, monetise either through victim payment or, increasingly, direct resale on the data leak site. In May 2026 this isn’t an exotic experiment. It’s the default playbook.

What is encryption-less ransomware?

Encryption-less ransomware (also called pure data extortion or data-only ransomware) is a ransomware-style operation where the attacker exfiltrates sensitive data from a victim network and threatens to publish it, but never runs the encryption stage that defined classic ransomware. There is no ransom note on the desktop. No files with strange new extensions. No need for the victim’s backup posture to be relevant. The victim discovers the incident either because the attacker contacts them with proof, or because the victim’s data appears on a data leak site like ShinyHunters’, LockBit’s successor brands, or Nitrogen’s dedicated portal.

The shift is rational. Encryption is operationally expensive for the attacker, it leaves loud forensic artifacts, triggers EDR alerts on file-rewrite patterns, requires per-victim key management, and exposes the operator to law-enforcement decryption assistance. Extortion-only attacks are faster, quieter, and far harder for backup-and-restore strategies to neutralise. The data is already out the door before the victim notices.

The 2026 payment-rate collapse

// VICTIM PAYMENT RATE, TRAILING-YEAR AVERAGE Source: Coveware quarterly, Chainalysis crypto crime, Kaspersky State of Ransomware 2026 80% 60% 40% 20% 0% 2019 2020 2021 2022 2023 2024 2025 2026 76% 28% Payment rate has fallen every year for seven years. The behavioural response is now visible at scale.

The mechanics behind the decline are well-documented. Cyber-insurance carriers tightened payment policies starting 2022. Regulators in the US, UK, and EU increasingly disclose successful disruptions and recovered keys, lowering the perceived utility of paying. Defenders got materially better at offline backups and incident response. And the public discourse around payment shifted, boards that would have approved a ransom in 2020 now demand exhausted alternatives first.

The unintended consequence is what we’re watching unfold this month. When the encryption stage stops earning, operators abandon it. The pivot to extortion-only is the rational economic response to a buyer’s market for ransom payments.

The May 2026 case studies

ShinyHunters × Instructure (Canvas LMS)

ShinyHunters is the textbook example of the new model. They run no encryption locker, no per-victim key, no recovery negotiation. Their entire monetisation funnel is the data leak site itself: stolen data is staged, named victims are listed, and either the victim pays for removal or buyers from secondary markets (carding crews, identity-fraud operations, foreign-intelligence proxies) pay for the dump.

In May 2026 they listed Instructure, the company behind Canvas LMS, the dominant learning-management platform in US higher education and a substantial part of K-12, with 3.65 TB of data covering 275 million students, teachers, and staff across ~9,000 institutions. The dataset reportedly includes student records, assignment submissions, internal communications, and platform configuration data. Multiple sources describe this as Instructure’s third ShinyHunters incident in eight months, suggesting persistent access rather than a fresh intrusion each time.

The relevant defender takeaway isn’t about Canvas specifically, it’s about the model. There was no decryption negotiation to interrupt. Backups didn’t help. The incident response timeline ran from “we may have been breached” directly to “the data is on a public leak site.” Every step that classic ransomware playbooks address (containment, key recovery, restoration windows) was effectively skipped.

Nitrogen × Foxconn

The Nitrogen gang’s mid-May breach of Foxconn’s North American operations is the manufacturing-sector counterpart. 11 million files. ~8 TB of internal documentation, project blueprints, and technical drawings. Nitrogen does still occasionally run an encryption stage on some victims, but the Foxconn listing emphasises exfiltration evidence: directory trees, sample files, identifiable internal hostnames. The threat isn’t “we’ve locked your factory”, it’s “we’re about to publish your customer blueprints.”

For manufacturers in the Foxconn supply chain, Apple, Dell, Sony, Microsoft hardware partners, the second-order impact is the part that bites. A 10-million-file dump of Foxconn internal documentation is a multi-year IP exposure for every downstream brand that ever shipped a confidential reference design through that channel.

How encryption-less attacks actually unfold

// PURE-EXTORTION ATTACK CHAIN (median Q1 2026 cases) 1. INITIAL ACCESS IAB credential or vuln chain Median: 0–3 days 2. EDR KILL BYOVD: load signed vulnerable driver + disable monitoring 3. RECON Map crown jewels via LotL tooling Median: 2–7 days 4. EXFIL Cloud egress to rclone / mega.nz Median: 1–4 days 5. LIST Victim posted on leak site Public coercion // CLASSIC RANSOMWARE (LockBit-era 2020–2023): adds two more stages → 6. STAGING Deploy encryptor +1–2 days, loud 7. ENCRYPT Lock files org-wide High EDR signal → skipped in 2026 Cuts dwell time by 2–4 days, eliminates the loudest detection surface. // The encryption stage was where defenders had the best shot at detection. Removing it is rational for attackers.

EDR killers as standard tooling

The second technical fingerprint of 2026 ransomware operations is the routine deployment of EDR-killer utilities, purpose-built tools that disable endpoint detection-and-response agents before any other attacker activity. The most common implementation is the Bring Your Own Vulnerable Driver (BYOVD) technique: the attacker loads a legitimately signed but vulnerable Windows kernel driver, then exploits the driver to gain kernel-mode primitives and terminate EDR processes from underneath the user-mode space they monitor.

This isn’t new, researchers documented it as early as 2022, but the operational maturity has shifted. In Q1 2024, EDR-killer use was an indicator of an advanced operator. In Q1 2026, it’s table stakes; even mid-tier affiliates ship with one. Microsoft’s vulnerable-driver blocklist helps when properly enforced, but BYOVD operators rotate through new drivers as the blocklist expands. The cat-and-mouse dynamic now mirrors browser sandbox escapes: an ecosystem of researchers finding new candidates and operators packaging them within days.

The defensive response is layered: enforce Microsoft’s vulnerable driver blocklist on every endpoint, monitor for kernel-mode driver loads from non-standard paths, and treat any unsigned-or-rotation-flagged driver load as a high-severity event in your SIEM regardless of EDR alert state. Once the EDR is dead, every other signal needs to be carrying weight.

Why the data leak site is now the product

// MONETISATION SHIFT: WHO PAYS WHAT TO A LEAK SITE OPERATOR 2020 model Victim ransom payment 95% of revenue Secondary data sale 5% “Pay or we publish.” Encryption is the lever. → 2026 model Victim ransom payment ~28% Data resale to 3rd party growing fraction “We don’t need you to pay.” Buyers exist regardless. When the leak site itself is the product, the victim’s negotiation position weakens dramatically.

The most important strategic shift is the one with the least technical content. In the 2020 model, the data leak site was a coercion device: pay or we publish. In the 2026 model, the data leak site is the product. Operators have built downstream relationships with carders, identity-fraud rings, and (in some confirmed cases) sanctioned intelligence services that purchase exfiltrated datasets directly. Victim payment is no longer the only, or even the primary, revenue channel for some operators.

This rebuilds the victim’s negotiation position from the ground up. Even if you decline to pay, your data is monetised. Even if you destroy your local copies, you cannot destroy the buyer’s copies. The classical advice, “don’t pay”, remains correct for most victims most of the time, but the consolation that comes with it (your data stays out of public hands) is less reliable than it was.

The post-quantum experiment

Counter-trend worth noting: a small but visible cohort of ransomware families that do still encrypt have begun adopting post-quantum cryptography. The PE32 family, first reported in early 2026, wraps its per-victim AES keys with NIST’s ML-KEM standard, the post-quantum key-encapsulation algorithm finalised in 2024. The threat model isn’t current attackers using quantum computers (those don’t exist at the required scale yet). It’s a hedge against future law-enforcement decryption capability and against quantum-equipped state actors a decade from now.

For defenders, the practical implication is small in the near term, recovery via key seizure becomes harder, but recovery via backup remains the better strategy anyway. The cultural signal is the part that matters: even the criminal ecosystem is taking the post-quantum migration seriously enough to ship code in production. Enterprise security teams who are still treating PQ migration as a 2030 problem should treat that as a data point.

What defenders actually need to do differently

The 2026 ransomware reality demands a defensive posture that’s noticeably different from the 2022 playbook.

1. Exfiltration detection moves up the priority list. If the attacker never runs an encryption stage, you cannot rely on file-rewrite anomalies. Egress-volume baselining, cloud-storage destination allowlisting (rclone configurations to mega.nz, dropmefiles, and Telegram bots dominate Q1 2026 exfil pathways), and DLP-style content classification become the primary detection surface.

2. EDR is necessary but no longer sufficient. Endpoint logs need to be shipped off-host in near real time, with monitoring that triggers on the EDR going silent, not just on EDR alerts. Any host that stops checking in for >5 minutes is a possible BYOVD victim; treat the silence as the alert.

3. Initial-access broker exposure is the upstream problem. Encryption-less attacks still need a foothold. The IAB economy that supplies that foothold (see our 2026 IAB supply chain analysis) remains the most cost-effective place to disrupt attacks, for both defenders (by removing your exposure) and law enforcement (by removing the marketplace). Our Stealercheck tool covers the stealer-log side of this exposure for any domain.

4. Data-handling discipline matters more than backup discipline. If your security team’s ransomware tabletop still revolves around restoration timelines, it’s playing yesterday’s war. The exercises that matter in 2026 are: how fast can you identify what was taken? Can you produce a defensible disclosure within 72 hours (the EU GDPR window)? Do you have customer-notification machinery that runs without legal-and-PR bottlenecks? The new ransomware crisis isn’t about recovery, it’s about disclosure.

5. Monitor your name on the leak sites. Both Ransomtracker and the curated public trackers will surface your organisation on a leak site within hours of an operator listing it. The hours between listing and your IR team reading it are the hours when your communications and legal teams have time to respond instead of react. Subscribe to a normalised feed; don’t rely on someone tagging you on social media.

The bigger picture

It would be easy to read the encryption-less shift as good news. After all, encryption was the part of ransomware that did the most operational damage to victims, locked systems, broken supply chains, halted hospitals. If operators stop encrypting, isn’t that a defensive win?

Not exactly. The reduction in encryption is balanced by an increase in the scope and persistence of the data exposure. A 275-million-record dataset on a public leak site is a 30-year liability for the victims of that data. A 10-million-file Foxconn dump rewrites the threat models of every downstream brand whose IP it touches. The visible operational damage is smaller. The invisible long-tail damage is much larger.

For policymakers, the implications are different from the recovery-focused frameworks built since 2020. Disclosure regimes need to bite faster. Data-protection enforcement against negligent victims needs to be predictable enough that boards weigh it appropriately against ransom payment. And the operational target for international law enforcement increasingly needs to be the secondary buyers, not just the operators, because in the 2026 model, the operators don’t always need the victim to pay.

Frequently asked questions

What is encryption-less ransomware?

Encryption-less ransomware (also called pure data extortion) is a ransomware-style operation where the attacker steals sensitive data and threatens to publish it, but never encrypts the victim’s files. The coercion comes entirely from threatened data disclosure, not from system unavailability. In 2026 it has become the default model for several major operators including ShinyHunters.

Who was affected by the Instructure / Canvas breach in May 2026?

The ShinyHunters listing for Instructure claims approximately 3.65 TB of data covering 275 million students, teachers, and staff across roughly 9,000 institutions using Canvas LMS. Reports indicate this was Instructure’s third ShinyHunters incident in the preceding eight months, suggesting persistent access. Affected institutions span US higher education and K-12; the exact list has not been published.

Why did ransom payment rates fall to 28%?

Multiple factors converged: cyber-insurance carriers tightened payment policies, regulators began publishing successful decryptions and disruption operations, defenders improved offline backup and incident-response practices, and corporate boards became materially less willing to authorise payment. Each factor on its own would have lowered payment rates; the combination collapsed them from ~76% in 2019 to 28% in 2025–2026.

What is an EDR killer?

An EDR killer is a tool used by attackers to disable endpoint detection-and-response agents before executing the main attack payload. The most common technique is BYOVD (Bring Your Own Vulnerable Driver): the attacker loads a legitimately signed but vulnerable Windows driver and exploits it to gain kernel-mode access, then terminates EDR processes. In 2026, EDR-killer use is standard across nearly all active ransomware operators.

Are encryption-less attacks still considered ransomware?

Operationally, no, they’re more accurately classified as data-extortion attacks. But they’re carried out by the same threat actors, through the same initial-access channels, marketed on the same leak sites, and addressed by the same regulatory frameworks. Most threat-intelligence vendors continue to classify pure extortion operations as ransomware for tracking continuity, while distinguishing the model in their analysis.

Should organisations still maintain offline backups?

Yes, but the role of backups has shifted. Backups remain the right answer to recovery scenarios (whether triggered by an encryption attack, a hardware failure, or any other availability incident). They are not, however, a defence against data-exposure consequences. The 2026 reality requires both: backups for operational recovery, and exfiltration-detection plus disclosure machinery for data-exposure incidents.

How do I check if my organisation appears on a ransomware leak site?

Use a curated tracker. Ransomnews maintains Ransomtracker, a normalised feed of leak-site victim listings across the major active operators. Subscribe to alerts for your organisation’s name, your subsidiary names, and major third-party processors you depend on. The hours between an operator listing your name and your IR team noticing are critical.

Sources and further reading

  • Kaspersky State of Ransomware 2026, securelist.com/state-of-ransomware-in-2026, the primary source for the 28% payment-rate figure, EDR-killer prevalence, and post-quantum adoption data.
  • Microsoft Recommended Driver Block Rules, learn.microsoft.com, the authoritative list of vulnerable drivers used in BYOVD attacks.
  • NIST Post-Quantum Cryptography project, csrc.nist.gov, context on the ML-KEM standard now appearing in ransomware families.
  • Coveware quarterly reports, coveware.com, payment-rate data series back to 2019.
  • Our prior coverage on the upstream supply chain, Initial Access Brokers 2026, and the credential-exposure layer, Session cookie theft and MFA bypass.

The data-extortion model is not new. What is new is its operational dominance. When more than two-thirds of victims refuse to pay, the rational adaptation is to stop needing them to. May 2026 is the month that adaptation became the default. Defenders who built their playbooks around the encryption stage are quietly learning that the stage no longer happens, and the defensive posture that worked in 2022 isn’t sufficient any more.

Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleRansomware leak-site OSINT: 2026 investigation walkthrough
Next Article 62% of database ransom wallets were never paid
Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.

Related Posts

XSS forum: from DaMaGeLaB to the 2025 takedown

June 29, 2026

1.16 billion attacks: how the FortiBleed crew broke FortiGate

June 19, 2026

FortiBleed: exposed firewalls are a ransomware early warning

June 18, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.