

  • Marijan Hassan - Tech Journalist

The evolution of ransomware from data encryption to data theft

Ransomware as we know it is when threat actors encrypt sensitive data and demand a ransom in exchange for the decryption key. However, attackers have evolved their methods. It’s the third week of cybersecurity month, and we thought we should look at the transformation of ransomware and highlight what can be done about it.

Instead of encrypting data, threat actors have started opting to steal confidential data and demand a ransom in exchange for not leaking it.

It’s a different ball game and experts believe that there is a need to create a distinction between ransomware and data theft. They believe this will help businesses properly understand the type of threat they are facing and consequently better prepare for it.

“There's value in having a separate category to examine extortion-only attacks versus ransomware,” Claire Tills, a senior research engineer at Tenable, said. She noted that even notorious ransomware gangs like LockBit, which offers ransomware as a service, had started ditching the old method of doing things and advising their customers not to use file encryption in specific industries such as healthcare.

The upside is that there is no disruption of services that would lead to customers not being treated. On the downside, exposing healthcare data can have bigger and more far-reaching consequences for the victims.

“The fact that LockBit has mandated extortion-only attacks for particular targets proves that there's value in parsing the difference between encryption malware and 'we're just stealing data and then threatening to sell it,'” Tills said.

"The tactics are different, the psychology is different, and the disruption to companies is different because if they're encrypting your systems, it's a whole different mentality on the response side versus if they're threatening to sell your sensitive data."

With encryption, the only required course of action is to work on restoring the encrypted data or to pay the ransom to get it back. Data theft, on the other hand, is a PR nightmare. You cannot be sure how else the attackers could use the data, and even after the ransom is paid you can’t trust that they will delete it.

The evolution of ransomware to data theft started with a threat group called Maze crew in 2020 and has been gaining traction since.

Going forward, we can only expect hackers to lean more towards this new method as opposed to just encryption. Now, it’s up to organizations to analyze how both forms of attack can impact them and come up with preventative measures that address each specific problem.

