Extortion Activity No Longer Requires Encryption for Payment
This blog dives into the growing trend of data theft and extortion activity that no longer requires ransomware to pressure victims into paying a demand. We examine the financially motivated threat actors using both single and double extortion techniques and what this means for organizations going forward, especially with the arrival of frontier AI models.
Shifting Threat Landscape Observations
As detailed in our 2026 Global Incident Response Report, Unit 42 observed a notable decrease in the use of encryption in extortion-related cases last year. The total percentage in 2025 dropped to 78%, well below the near-or-above-90% levels observed from 2021 through 2024. Other security organizations have seen similar trends, with Google reporting a gradual rise in data theft and extortion incidents from approximately 2% in 2020 to 15% in 2025. Resilience also observed an increase in extortion-only incidents in 2025, rising from 49% in the first half to 65% in the second half.
Threat actors tracked by Unit 42 that have demonstrated a willingness to shift away from ransomware to pure data theft and extortion include Bling Libra (aka ShinyHunters), with its focus on software-as-a-service (SaaS) applications, and Hazy Scorpius (aka CLOP), with its exploitation of an Oracle EBS vulnerability. When examining this precipitous drop in encryption, we see four primary drivers: advanced backup and recovery performance that allows routine re-imaging and restoration; endpoint maturity and effective automated disruption; exfiltration speed; and increased pressure from regulatory frameworks, where non-compliance fines, class-action lawsuits and systemic reputational damage provide greater leverage than operational downtime.
In 2025, pure data-exfiltration campaigns heavily targeted Professional Services, Healthcare and Consumer Services firms with threat actors specifically focused on mid-sized organizations accounting for 64% of victims. Interestingly, while Manufacturing remains the single most disrupted sector overall, Construction has witnessed a 44% year-over-year increase as a data-only extortion hotspot. These firms are attractive targets due to lucrative financial blueprints and bidding data combined with data egress controls.
The current data-only extortion economy is directly fueled by a heavily-regulated compliance landscape, which threat actors have effectively weaponized. Strict mandates like the SEC's 4-day disclosure window and GDPR’s 72-hour reporting rule have created a regulatory countdown clock, allowing threat actors to force rapid negotiations before organizations can complete internal assessments. Because global privacy frameworks, state-level breach notification laws and post-leak class-action litigation have driven the average cost of data-theft extortion to $5.08 million (and over $10 million for broader U.S. breaches), data exposure alone carries disastrous financial liabilities. Threat actors recognize that regulatory penalties are so severe that the compliance framework itself compels corporate payouts.
As recently noted by our Chief Security Intelligence Officer, Wendi Whitmore, it only took 39 seconds for threat actors to move from initial access to data exfiltration in one case.
Differences in Extortion Operations
Unit 42 is actively monitoring several threat actors that are continuously conducting data theft and extortion operations. The notable differences between these attackers are their initial access techniques and the number of extortion techniques they use to pressure victims into payment.
Initial Access via Software Supply Chain Compromise
TGR-CRI-1135 (aka TeamPCP) has been active since at least late 2025. According to Wired, this group has conducted upwards of 20 distinct supply chain compromise attacks that have led to the injection of malicious code into over 500 pieces of software. We previously reported on the group’s activities earlier this year and how their malware was able to successfully exfiltrate sensitive secrets (cloud access tokens, SSH keys, Kubernetes secrets) from victims.
In recent months, TGR-CRI-1135 has been partnering with various ransomware-as-a-service (RaaS) and extortion-as-a-service (EaaS) operators to monetize their ongoing intrusion activities. On the EaaS front, they have been collaborating with the operators of LAPSUS$ Group to extort targeted organizations via their data leak site as shown below in Figure 1.

On the RaaS front, they have been working with the operators of Vect ransomware based on communications observed via the BreachForums cybercrime forum as shown in Figure 2. Unit 42 is also aware of claims by one of Vect’s affiliates, the Rostova Organization, that they are also partnering with TGR-CRI-1135.

On May 13, 2026, TGR-CRI-1135 announced the release of an open source version of Shai-Hulud on BreachForums as shown in Figure 3. Going forward, as noted in our most recent threat research article, this will likely make attribution more difficult given that copycats may leverage the tool in similar supply chain compromise attacks.

One notable development related to Vect was the announcement on BreachForums shown in Figure 4 which states that those operators have been removed from the forum. It is unclear if this will have a material effect on their collaboration with TGR-CRI-1135 going forward.

At this time, Unit 42 is not aware of TGR-CRI-1135 using any additional extortion techniques to pressure victims into paying their ransom demands outside of purely data exfiltration.
Initial Access via Vishing
Bling Libra continues their rampage of infiltrating customer SaaS tenants for data theft and extortion operations, which Unit 42 reported on extensively in 2025. The operators have distanced themselves from the cybercriminal alliance known as Scattered LAPSUS$ Hunters based on a Telegram message shown in Figure 5.

However, their playbook has remained relatively unchanged based on Unit 42 observations. They continue to use vishing for initial access, directing unsuspecting victims to phishing sites designed to intercept user credentials and multifactor authentication (MFA) codes and ultimately registering their own devices to establish persistence within targeted environments. The operators still use the same Tox ID to communicate with victims and also maintain a Tor-based data leak site.
In comparison to TGR-CRI-1135, Bling Libra uses additional extortion techniques outside of pure data theft to pressure victims into paying a ransom. Unit 42 is aware of their adoption of both distributed denial-of-service (DDoS) attacks and information leaks to media outlets as added leverage points to extort victims.
On the flip side, an activity cluster tracked by Unit 42 as CL-CRI-1116, which overlaps with public reporting on BlackFile, has followed a similar playbook-driven pattern of activity, with some subtle and not-so-subtle differences.
While the attackers behind CL-CRI-1116 also use their own Tor-based data leak site, they do not reuse the same Tox ID across victims and typically use a different registrar to set up their phishing sites in comparison to Bling Libra.
The major difference between CL-CRI-1116 and Bling Libra is the former’s use of swatting employees as a double extortion technique. This act is typically defined as placing a false emergency call to first responders, such as reporting a fake crime at a specific location to trigger a physical response. In many cases, this is expected to create chaos and can potentially even lead to acts of violence.
This convergence of cyber and physical security can lead to complications if the two teams aren’t in regular communication with each other on how to address such a situation, especially as it pertains to executive protection.
One recent development regarding the attackers behind CL-CRI-1116 is the closure of their former data leak site and the rebranding of their program under the name “Redact” with a new data leak site as shown in Figures 6 and 7.


Looking Forward
In recent weeks, Palo Alto Networks has been at the forefront of providing guidance to organizations on how to secure their environments from the inevitable weaponization of frontier AI models like Mythos by threat actors. These models are already accelerating the discovery and chaining of vulnerabilities to exploit flaws in applications and infrastructure alike. For example, Anthropic recently disclosed how Mythos was able to identify approximately 23,000 potential vulnerabilities across 1,000 open source software projects. We have also observed in AI-assisted scenarios that the time from initial access to data exfiltration has dropped to as little as 25 minutes. With this in mind, what do extortion activities, regardless of initial access vector or use of single vs. double techniques, look like in the age of frontier AI models?
In terms of software supply chain compromise, TGR-CRI-1135 has already targeted AI environments as part of their ongoing campaigns, but what if they were able to weaponize a frontier AI model to further accelerate the speed and scale of their intrusion activities? This would compound the already complex problem of organizations trying to secure their application development and CI/CD pipelines from these types of attacks. The recent disclosure of SymJack is a prime example of how AI agents could be leveraged in these types of attacks.
With regard to vishing, AI-powered call center platforms like ATHR can almost fully automate these attacks for human operators by using AI agents to manage calls and other aspects of the intrusion lifecycle. This service not only lowers the barrier to entry for less sophisticated cybercriminals but also further accelerates attacks by more sophisticated threat actors like Bling Libra. Incorporating frontier AI models into a platform like this would only increase the speed and scale of attacks leveraging this type of capability.
We believe there is an approximate window of 3-5 months before these frontier AI models are weaponized by threat actors. The time is now for organizations to capitalize on a moment where we as defenders can truly establish a “left of bang” posture against a volatile threat landscape.
Defensive Recommendations
Data Exfiltration Detection and Prevention
- Deploy data loss prevention (DLP) controls at cloud, endpoint, and network egress points.
- Baseline and alert on abnormal egress volume and velocity.
- Monitor for staging behavior.
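The egress baselining recommended above can be implemented with a small detector over flow or proxy telemetry. The following Python script is an added example and not Unit 42 or Palo Alto Networks code; the record format ("ISO timestamp, host, destination, bytes out"), the host names, the destination addresses and the flow data it generates are all constructed for illustration. It builds a per-host hourly baseline (median and median absolute deviation) from history, then compares the trailing ten-minute window against that baseline for both volume and velocity, which is what catches a short, high-speed exfiltration burst that a daily total would smooth over.

```python
"""Per-host egress baseline and anomaly detection (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    ts: datetime
    host: str
    dst: str
    bytes_out: int


def parse_flows(lines: Iterable[str]) -> list[Flow]:
    """Parse hypothetical 'ISO-timestamp host dst bytes_out' records; '#' lines are comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return flows


def hourly_totals(flows: list[Flow]) -> dict[tuple[str, datetime], int]:
    """Sum bytes out per (host, hour-start) bucket."""
    totals: dict[tuple[str, datetime], int] = defaultdict(int)
    for f in flows:
        totals[(f.host, f.ts.replace(minute=0, second=0, microsecond=0))] += f.bytes_out
    return totals


def hourly_baseline(flows: list[Flow], host: str, before: datetime):
    """Median and MAD of per-hour egress for `host`, using only hours strictly before `before`."""
    values = [v for (h, hour), v in hourly_totals(flows).items() if h == host and hour < before]
    if not values:
        return None
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard against zero spread
    return med, mad


def detect_egress_anomalies(flows: list[Flow], now: datetime, window=timedelta(minutes=10),
                            mad_multiplier: float = 6.0, velocity_bps: int = 1_000_000):
    """Alert when a host's egress inside the trailing window exceeds its *hourly* baseline
    by `mad_multiplier` MADs (a 10-minute total beating a normal full hour is abnormal),
    or when its sustained rate exceeds `velocity_bps`. Returns (host, bytes, reasons)."""
    window_start = now - window
    baseline_cutoff = window_start.replace(minute=0, second=0, microsecond=0)
    recent: dict[str, int] = defaultdict(int)
    for f in flows:
        if window_start <= f.ts <= now:
            recent[f.host] += f.bytes_out
    alerts = []
    for host, total in recent.items():
        reasons = []
        base = hourly_baseline(flows, host, baseline_cutoff)
        if base is not None:
            med, mad = base
            if total > med + mad_multiplier * mad:
                reasons.append(f"volume {total} B vs hourly median {med:.0f} B (MAD {mad:.0f} B)")
        rate = total / window.total_seconds()
        if rate > velocity_bps:
            reasons.append(f"velocity {rate:.0f} B/s exceeds {velocity_bps} B/s")
        if reasons:
            alerts.append((host, total, reasons))
    return alerts


def constructed_flows() -> list[Flow]:
    """Constructed telemetry: 7 days of routine egress for two hosts, then one burst."""
    start = datetime(2026, 5, 1)
    flows = []
    for day in range(7):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            flows.append(Flow(ts, "ws-17", "10.0.0.5", 150_000 + (hour * 1_000) % 20_000))
            flows.append(Flow(ts, "ws-22", "10.0.0.5", 90_000 + (day * 3_000) % 10_000))
    # day 8, 09:00: ws-17 pushes 2.4 GB to an external address in three flows within ten minutes
    burst = start + timedelta(days=7, hours=9)
    for i in range(3):
        flows.append(Flow(burst + timedelta(minutes=3 * i), "ws-17", "203.0.113.9", 800_000_000))
    flows.append(Flow(burst + timedelta(minutes=2), "ws-22", "10.0.0.5", 95_000))  # routine
    return flows


if __name__ == "__main__":
    for host, total, reasons in detect_egress_anomalies(constructed_flows(), datetime(2026, 5, 8, 9, 10)):
        print(host, total, "; ".join(reasons))
```

The MAD-based threshold is deliberately robust to the occasional legitimate large transfer in the history window, which a mean/standard-deviation baseline would absorb into the norm; tune `mad_multiplier` and `velocity_bps` per host class (workstations, build agents, backup servers) rather than globally.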
SaaS Security Posture Management
- Audit OAuth token grants, third-party app integrations, and API permissions across SaaS platforms.
- Enforce conditional access policies that restrict SaaS sessions by device compliance, location, and risk score.
- Implement SaaS audit log aggregation and anomaly detection.
Identity and Vishing Resilience
- Migrate from OTP-based MFA to phishing-resistant authentication (FIDO2/WebAuthn hardware keys).
- Implement help desk identity verification procedures that cannot be socially engineered.
- Conduct targeted vishing simulation exercises.
Software Supply Chain Integrity
- Implement software composition analysis (SCA) and dependency pinning in CI/CD pipelines.
- Rotate and vault all secrets exposed to CI/CD environments.
- Monitor package registries for typosquatting and unauthorized updates to internal or frequently-used packages.
- Enforce code signing and provenance verification for all artifacts entering production.
AI-Accelerated Threat Preparedness
- Pressure-test detection and response capabilities against compressed attack timelines.
- Prioritize vulnerability remediation for internet-facing and AI-discoverable attack surfaces.
- Deploy voice authentication and call verification controls for inbound calls.
The Unit 42 AI Security Assessment can help empower safe AI use and development.
Unit 42 Deep and Dark Web is a service that assists with gaining visibility into unknown and emerging risks of content posted on the deep and dark web, informs organizations about the exposure of sensitive information, and helps reduce the time between detection and response.
Unit 42 Frontier AI Defense is an elite service that uses access to frontier models to identify your organization's likely attack paths before attackers can weaponize them.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 000 800 050 45107
- South Korea: +82.080.467.8774