Security News

CrowdStrike: More Cybercriminals Ditching Ransomware To Focus On Data Extortion

Kyle Alspach

The number of threat actors that carried out data theft and extortion attacks, without deployment of ransomware, grew by 20 percent in 2022, according to the cybersecurity vendor.

Share this

Cybercriminals are increasingly finding that data extortion attacks are easier and more profitable than ransomware, which led to a shift in behavior by many threat actors in 2022, CrowdStrike’s threat intelligence head told CRN.

“We’re seeing more and more threat actors moving away from ransomware,” said Adam Meyers, head of intelligence at CrowdStrike. “Ransomware is noisy. It attracts attention. It’s detectable. Encryption is complex.”

And due to the fact that data extortion is a more lucrative and easier alternative, ransomware is “ultimately unnecessary” at this point, Meyers said.

[Related: Ransomware Prevention Saw ‘Massive’ Improvement In 2022: IBM X-Force]

On Tuesday, cybersecurity giant CrowdStrike released its 2023 Global Threat Report with numerous new findings on how the cyberthreat landscape evolved last year.

Among the key findings is that the number of malicious actors that carried out data theft and extortion attacks, without deployment of ransomware, grew by 20 percent in 2022 from the prior year, according to the CrowdStrike report. Data extortion involves stealing sensitive data from victim organizations and then threatening to release the data online if the victim doesn’t make a payment demanded by the attacker.

Ransomware attacks have often already included data extortion as a component — with the threat of exposing the data meant to serve as further motivation for the victim to pay the ransom demand. What’s happening now, however, is that more attackers are abandoning the ransomware element altogether and just focusing on the data extortion, CrowdStrike’s findings show.

Michael Kamen, founder and CEO at Edge Solutions Group, a Santa Monica, Calif.-based MSP, said that a client “dodged a bullet” last year when it turned out that a malicious actor had not managed to steal any sensitive data after breaching their systems. As a result, the client did not end up needing to pay the attackers, he said.

“As an attacker, you’re definitely getting a lot more leverage if you exfiltrate data that matters to the business, versus just doing a bunch of damage [through ransomware] that can be rebuilt,” Kamen said. If an organization is forced make a disclosure that sensitive data has been exfiltrated, “that becomes a really difficult conversation — and I think it’s a lot more damaging to the business than a few days of downtime.”

A new report from SonicWall also details a greater focus for some cybercriminals on data extortion and the shift away from ransomware. Some of the factors at play include the fact that more organizations have implemented “strong” backups and incident response plans, which has made encrypting files a less-effective tactic, according to the report released Tuesday.

SonicWall pointed to the existence of extortion-only groups including Lapsus$ and Karakurt as further evidence of the trend.

Flipping The Script

Meanwhile, the process of actually extracting a ransom payment has also become extremely “frustrating” for attackers, CrowdStrike’s Meyers said. Often, there ends up being a negotiation process that takes time and reduces the eventual ransom payment, he said.

But with data extortion, “they don’t have to play that game,” Meyers said. If a victim stalls on making a payment, an attacker will often leak some of the victim’s files onto the internet to speed things along.

“Now they’ve got the control,” he said. With data extortion, “they can actually flip the script on the victim.”

Additionally, there are now a number of different data privacy regulations, both inside the U.S. and abroad, that can affect the calculus around deciding whether or not to pay, Meyers said. Now, “there’s actually a very high cost associated with losing sensitive information, from a legal and regulatory and compliance perspective,” he said.

SonicWall suggested in its report that attackers may have switched gears from ransomware to other types of attacks in 2022, as well. Cryptojacking attacks grew by 43 percent, year-over-year, while IoT malware surged by 87 percent in 2022, according to the report.

“There’s no question in my mind that we will continue to see the attacks morph and change based upon the opportunity out there,” SonicWall CEO Bob VanKirk said.

Kyle Alspach

Kyle Alspach is a Senior Editor at CRN focused on cybersecurity. His coverage spans news, analysis and deep dives on the cybersecurity industry, with a focus on fast-growing segments such as cloud security, application security and identity security.  He can be reached at

Sponsored Post