A new analysis from Palo Alto Networks’ Unit 42 details a significant structural shift in the cyber extortion economy: threat actors are increasingly abandoning encryption entirely, relying instead on the threat of data exposure and regulatory fallout to compel victim payments.
Encryption on the Decline
According to Unit 42’s 2026 Global Incident Response Report, encryption was involved in 78% of extortion-related cases in 2025, down sharply from the roughly 90% or higher share observed each year between 2021 and 2024. Other vendors corroborate the trend: Google reported data theft and extortion incidents rising from roughly 2% of cases in 2020 to 15% in 2025, while Resilience observed extortion-only incidents climb from 49% in the first half of 2025 to 65% in the second half.
Unit 42 attributes the decline in encryption to four primary drivers: improved backup and recovery capabilities enabling rapid re-imaging, maturing endpoint detection that disrupts ransomware deployment, the raw speed of modern data exfiltration operations, and the growing financial leverage created by regulatory compliance frameworks.
Regulation as a Weapon
Strict disclosure mandates, including the SEC’s four-day reporting window and GDPR’s 72-hour breach notification rule, have given attackers a structural advantage. By stealing data and threatening exposure, threat actors can initiate a regulatory countdown before a victim organization has completed its own internal assessment. The average cost of a data-theft extortion incident now stands at $5.08 million, rising above $10 million for broader U.S.-based breaches, according to Unit 42’s findings. In one documented case, threat actors moved from initial access to data exfiltration in as little as 39 seconds.
Industries most heavily targeted by pure data-exfiltration campaigns in 2025 included Professional Services, Healthcare, and Consumer Services, with mid-sized organizations accounting for 64% of victims. Construction saw a 44% year-over-year increase as a data-only extortion target, driven by the value of financial blueprints and competitive bidding data held by those firms.
Threat Actor Profiles
Unit 42 is tracking several distinct actors operating in this space, each with different initial access methods and extortion techniques.
- Bling Libra (ShinyHunters): Focused on software-as-a-service application environments, conducting data theft without deploying encryption.
- Hazy Scorpius (CLOP): Has exploited an Oracle E-Business Suite vulnerability to conduct data theft and extortion operations.
- TGR-CRI-1135 (TeamPCP): Active since at least late 2025, this group has conducted more than 20 distinct software supply chain compromise attacks, injecting malicious code into over 500 software packages and exfiltrating cloud access tokens, SSH keys, and Kubernetes secrets. The group has since partnered with both ransomware-as-a-service operators (including affiliates of Vect ransomware) and extortion-as-a-service platforms, including the LAPSUS$ Group’s data leak infrastructure.
A notable recent development involves TGR-CRI-1135 releasing an open-source version of its Shai-Hulud tooling on BreachForums in May 2026. Unit 42 warns this will likely complicate attribution efforts, as copycat actors may adopt the tool in similar supply chain attacks.
Frontier AI as a Coming Amplifier
Unit 42 flags the arrival of frontier AI models as a factor likely to further accelerate and complicate data-theft extortion operations, though the specific mechanisms remain under active monitoring. Organizations are advised to prioritize data egress controls, incident response planning, and regulatory breach notification workflows as core defensive priorities in this shifting threat landscape.
