Cyber Extortion Economy Shifting Towards Data Theft
Cyber extortion is increasingly relying on data theft rather than ransomware encryption, with threat actors like Bling Libra and TGR-CRI-1135 leveraging techniques like vishing and software supply chain compromise, fueled by regulatory compliance pressures and the impending weaponization of frontier AI models.
Unit 42’s report highlights a significant shift in the cyber extortion landscape, with a decreasing reliance on ransomware encryption and an increased focus on data theft. In 2025, only 78% of extortion cases involved encryption, a drop from over 90% in previous years. Threat actors like Bling Libra (aka ShinyHunters), known for targeting SaaS applications, and TGR-CRI-1135 (aka TeamPCP), which has conducted supply chain compromise attacks, are at the forefront of this trend. The shift is driven by improved backup and recovery, endpoint maturity, exfiltration speed, and regulatory pressures like the SEC’s 4-day disclosure window and GDPR’s 72-hour reporting rule. These regulations create a countdown, forcing organizations to negotiate quickly, and the average cost of data-theft extortion is $5.08 million. The report emphasizes the impending weaponization of frontier AI models like Mythos by threat actors, potentially accelerating the discovery and exploitation of vulnerabilities.
Attack Chain
- Initial Access (T1199): TGR-CRI-1135 conducts software supply chain compromise attacks, injecting malicious code into software. Bling Libra uses vishing to trick victims into providing credentials and MFA codes.
- Credential Theft: Victims are directed to phishing sites that capture their credentials and MFA codes.
- Persistence: Bling Libra registers their own devices within targeted environments.
- Data Exfiltration: Threat actors exfiltrate sensitive data, including cloud access tokens, SSH keys, and Kubernetes secrets.
- Extortion: Threat actors demand ransom payments in exchange for not releasing the stolen data.
- DDoS Attacks: Bling Libra uses Distributed Denial-of-Service (DDoS) attacks against victims who refuse to pay.
- Information Leaks: Bling Libra leaks stolen information to media outlets to pressure victims.
- Impact: Victims face financial losses, reputational damage, regulatory fines, and potential class-action lawsuits.
Impact
The shift towards data theft and extortion has significant consequences for organizations. The average cost of data-theft extortion is $5.08 million, with U.S. breaches exceeding $10 million. Industries like Professional Services, Healthcare, and Consumer Services are heavily targeted, especially mid-sized organizations (64% of victims). Construction has seen a 44% year-over-year increase as a data-only extortion hotspot. The weaponization of frontier AI models is expected to further accelerate these attacks, potentially reducing the time from initial access to data exfiltration to as little as 25 minutes.
Recommendation
- Deploy data loss prevention (DLP) controls at cloud, endpoint, and network egress points to detect and prevent data exfiltration, as recommended in the report.
- Baseline and alert on abnormal egress volume and velocity as noted in the defensive recommendations.
- Monitor process creation events for unusual processes initiating network connections, especially after software updates, to detect potential supply chain compromises (use Sigma rule “Detect Suspicious Process Network Connection After Software Update”).
- Implement MFA and educate employees about vishing tactics to prevent initial access via credential theft as described in the “Initial Access via Vishing” section.
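The "baseline and alert on abnormal egress volume and velocity" recommendation above is easiest to reason about in code. The following is an added example, not a rule from the Unit 42 report or its detection platform: it builds a per-host baseline of hourly egress bytes from flow records, then scores the evaluation hour on two axes, volume (z-score against the host's baseline) and velocity (peak bytes per minute in any 5-minute slot). Hosts with no history are surfaced rather than silently skipped, since an unseen host moving data is exactly the case a baseline-only check misses. Flow records, host names and thresholds are all constructed assumptions.

```python
"""Egress baseline-and-alert detector (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Thresholds are assumptions; tune them against real telemetry.
Z_THRESHOLD = 3.0              # hourly volume more than 3 sigma above the host's baseline
RATE_THRESHOLD = 20_000_000    # more than 20 MB/min sustained over any 5-minute slot


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_totals(flows):
    """Sum bytes_out per (host, hour) across (timestamp, host, bytes_out) records."""
    totals = defaultdict(int)
    for ts, host, bytes_out in flows:
        totals[(host, hour_bucket(ts))] += bytes_out
    return totals


def build_baseline(flows, cutoff):
    """Per-host (mean, stdev) of hourly egress using only hours before `cutoff`."""
    per_host = defaultdict(list)
    for (host, hour), total in hourly_totals(flows).items():
        if hour < cutoff:
            per_host[host].append(total)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items() if len(v) >= 2}


def peak_rate(recs):
    """Highest bytes-per-minute over any 5-minute slot among the given records."""
    slots = defaultdict(int)
    for ts, _host, bytes_out in recs:
        slot = ts - timedelta(minutes=ts.minute % 5, seconds=ts.second, microseconds=ts.microsecond)
        slots[slot] += bytes_out
    return max(slots.values()) / 5 if slots else 0.0


def detect(flows, baseline, window_start):
    """Return one alert per host whose egress in [window_start, +1h) is abnormal."""
    window_end = window_start + timedelta(hours=1)
    by_host = defaultdict(list)
    for rec in flows:
        if window_start <= rec[0] < window_end:
            by_host[rec[1]].append(rec)
    alerts = []
    for host, recs in sorted(by_host.items()):
        volume = sum(r[2] for r in recs)
        rate = peak_rate(recs)
        if host not in baseline:
            # No history to score against: surface it instead of dropping it.
            alerts.append({"host": host, "reason": "no_baseline", "volume_bytes": volume,
                           "peak_bytes_per_min": rate, "z": None})
            continue
        mu, sigma = baseline[host]
        z = (volume - mu) / sigma if sigma > 0 else (float("inf") if volume > mu else 0.0)
        reasons = []
        if z > Z_THRESHOLD:
            reasons.append("volume")
        if rate > RATE_THRESHOLD:
            reasons.append("velocity")
        if reasons:
            alerts.append({"host": host, "reason": "+".join(reasons), "volume_bytes": volume,
                           "peak_bytes_per_min": rate, "z": round(z, 1)})
    return alerts


def sample_flows():
    """Constructed flow records (timestamp, host, bytes_out); not real telemetry."""
    base = datetime(2025, 6, 1, 0, 0)
    flows = []
    for h in range(24):  # one day of baseline for two workstations
        ts = base + timedelta(hours=h, minutes=17)
        flows.append((ts, "ws-017", 50_000_000 + (h % 5) * 1_000_000))
        flows.append((ts, "ws-042", 30_000_000 + (h % 3) * 2_000_000))
    eval_start = base + timedelta(days=1)
    flows.append((eval_start + timedelta(minutes=12), "ws-042", 31_000_000))  # ordinary hour
    flows.append((eval_start + timedelta(minutes=3), "ws-099", 2_000_000))    # never seen before
    for k in range(6):  # ws-017 pushes 2.4 GB out in 30 minutes
        flows.append((eval_start + timedelta(minutes=5 * k + 1), "ws-017", 400_000_000))
    return flows, eval_start


def run_example():
    flows, eval_start = sample_flows()
    baseline = build_baseline(flows, cutoff=eval_start)
    return detect(flows, baseline, eval_start)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Scoring volume and velocity separately matters: a slow drip over a whole hour trips the volume check without ever spiking the rate, while a short burst that stays under the hourly baseline is caught only by the rate check.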
Detection coverage (2 rules)
- Detect Suspicious Process Network Connection After Software Update (severity: high): Detects a suspicious process initiating a network connection shortly after a software update, potentially indicating a supply chain compromise (TGR-CRI-1135).
- Detect Vishing Redirects to Credential Harvesting Sites (severity: medium): Detects network connections to newly registered domains known to host credential harvesting sites after a vishing attempt (Bling Libra).
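The first rule above correlates three things: a software update marker, a process created shortly after it, and that process reaching a destination the update should not need. The following is an added example of that correlation logic, not the platform's Sigma rule or code from the report. It consumes Sysmon-style process creation (EventID 1) and network connection (EventID 3) records, treats execution of a known installer image as the update marker, and flags any child process spawned within a 15-minute window that connects somewhere outside the vendor's expected update hosts. The event records, host names, image paths, destination domains and the window are all constructed assumptions.

```python
"""Process-network-connection-after-update correlator (added example, constructed data)."""
import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

UPDATE_WINDOW = timedelta(minutes=15)                    # assumption: how long "after an update" lasts
EXPECTED_DESTINATIONS = {"updates.example-vendor.test"}  # assumption: hosts a legitimate update may contact
UPDATER_IMAGES = {"msiexec.exe", "updater.exe"}          # assumption: images that mark an update

# Constructed Sysmon-like events as JSON lines (raw string so the JSON keeps its backslashes).
SAMPLE_EVENTS = r"""
{"ts": "2025-06-01T09:00:00", "event_id": 1, "host": "ws-017", "pid": 410, "image": "C:\\Windows\\System32\\msiexec.exe", "parent_pid": 200}
{"ts": "2025-06-01T09:00:20", "event_id": 1, "host": "ws-017", "pid": 455, "image": "C:\\Program Files\\Acme\\acme-agent.exe", "parent_pid": 410}
{"ts": "2025-06-01T09:01:05", "event_id": 3, "host": "ws-017", "pid": 455, "dest_host": "updates.example-vendor.test", "dest_port": 443}
{"ts": "2025-06-01T09:02:40", "event_id": 3, "host": "ws-017", "pid": 455, "dest_host": "cdn-relay.example.test", "dest_port": 8443}
{"ts": "2025-06-01T10:30:00", "event_id": 1, "host": "ws-042", "pid": 900, "image": "C:\\Program Files\\Browser\\browser.exe", "parent_pid": 300}
{"ts": "2025-06-01T10:31:00", "event_id": 3, "host": "ws-042", "pid": 900, "dest_host": "www.example.test", "dest_port": 443}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Alert on connections by processes created within UPDATE_WINDOW after an updater ran."""
    update_runs = defaultdict(list)  # host -> timestamps at which an updater image started
    created = {}                     # (host, pid) -> the process creation event
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            created[(ev["host"], ev["pid"])] = ev
            if ntpath.basename(ev["image"]).lower() in UPDATER_IMAGES:
                update_runs[ev["host"]].append(ev["ts"])
        elif ev["event_id"] == 3:
            proc = created.get((ev["host"], ev["pid"]))
            if proc is None:
                continue  # creation never logged (collection gap): cannot be correlated
            if ev["dest_host"] in EXPECTED_DESTINATIONS:
                continue  # destination the update is expected to reach
            recent = [u for u in update_runs[ev["host"]] if u <= proc["ts"] <= u + UPDATE_WINDOW]
            if not recent:
                continue  # process was not spawned in the post-update window
            alerts.append({
                "host": ev["host"],
                "pid": ev["pid"],
                "image": proc["image"],
                "parent_pid": proc["parent_pid"],
                "dest_host": ev["dest_host"],
                "dest_port": ev["dest_port"],
                "seconds_after_update": int((proc["ts"] - max(recent)).total_seconds()),
            })
    return alerts


def run_example():
    return correlate(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_example():
        print(json.dumps(alert))
```

The allowlist of expected destinations is what keeps this usable: every update agent phones home, so the rule has to distinguish the vendor's known hosts from an unexpected one, and that list needs maintaining as vendors change infrastructure.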