
Ransomware’s Exfiltration-Only Trend May Be Overhyped, Experts Warn

Hunters International and others are testing new tactics—but encryption still reigns as the most profitable path to payday.


Hunters International, a ransomware crew that’s claimed attacks on high-profile organizations like Tata Technologies, is trying something different, according to Group-IB. Instead of locking systems and demanding payment for decryption, the group is reportedly pivoting to a simpler approach: steal sensitive data, threaten to leak it, and wait for the money to roll in.


The move reflects growing interest among threat actors in exfiltration-only tactics: attacks that skip the file encryption step entirely. The logic is straightforward: it’s faster, less complex, and potentially safer for the attackers. But cybersecurity experts caution that this stripped-down strategy is unlikely to become the dominant model for cyber extortion.


“Let’s be honest, while it’s tempting to think ransomware gangs are all about to ditch encryption for simple data exfiltration, that’s not where the majority of the ecosystem is headed,” said Jon Miller, CEO and co-founder of Halcyon.

Why Encryption Still Rules


Ransomware's traditional method—encrypting data and crippling infrastructure—remains the most effective way to pressure victims into paying. Without access to critical systems, operations grind to a halt, revenue evaporates, and executives face immediate, high-stakes decisions. Exposed data, while damaging, doesn’t always produce the same sense of urgency.


“Encryption still gives attackers the upper hand,” Miller explained. “If your systems are locked up and your business can’t operate, the pressure to pay ramps up fast.”

The pain inflicted by a locked network is often the tipping point. It creates a clock. A countdown. One that can be monetized more consistently than the threat of a data leak alone.


Exfiltration-Only: Easier, But Less Lucrative


There’s no denying that skipping encryption reduces overhead. Threat actors don’t have to build or maintain malware, troubleshoot compatibility issues, or bypass sophisticated endpoint defenses. And with the rise of modular extortion kits, it’s easier than ever to execute smash-and-grab operations that focus solely on stealing data.


But those savings come at a cost: less leverage, and often smaller payouts.


“Skipping the encryption payload saves threat actors time and resources… but the tradeoff is less leverage and, ultimately, smaller payouts,” Miller said. “That’s not a winning formula for affiliates looking to get paid.”

In the ransomware-as-a-service economy, affiliates—the hired guns who carry out the attacks—expect a return on investment. If a victim can shrug off the threat of exposure or stall negotiations, the attacker walks away empty-handed. For many seasoned crews, that’s a risk not worth taking.


Top-Tier Ransomware Crews Are Doubling Down on Innovation


While some groups test minimalistic tactics, others are pushing their payloads further. Advanced ransomware variants now feature:


  • Partial encryption to avoid detection and speed up deployment

  • Rust-based code to bypass antivirus and EDR solutions

  • Cross-platform functionality that hits Windows, Linux, and macOS

  • Stealthier delivery mechanisms that avoid tipping off defenders too soon


These innovations aren’t just technical; they’re strategic. They reinforce encryption’s value as the ultimate extortion tool—one that turns downtime into dollar signs.


“Innovation in payloads is still the name of the game because pain drives payment,” Miller emphasized.

A Tactical Shift, Not an Industry Transformation


The rise of exfiltration-only models should be seen less as an evolution and more as an adaptation—one that’s often born out of necessity. When encryption tools are disrupted or attribution pressure rises, a group may choose the path of least resistance. But for the vast majority of ransomware operators, encryption is still the backbone of the business.


Yes, there may be a growing number of data-only extortion cases. But they remain the exception, not the rule. And unless victims start paying more reliably for the promise of privacy alone, that’s unlikely to change.


The ransomware economy is built on urgency, disruption, and fear. Encrypting systems hits all three. Until something more powerful comes along, the math will keep pointing to the same conclusion: when it comes to cyber extortion, locking up your files still unlocks the biggest paydays.
