{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mythos/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Bling Libra"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EBS","Mythos"],"_cs_severities":["high"],"_cs_tags":["cyber-extortion","data-theft","ransomware"],"_cs_type":"threat","_cs_vendors":["Oracle","Palo Alto Networks","Anthropic"],"content_html":"\u003cp\u003eUnit 42\u0026rsquo;s report highlights a significant shift in the cyber extortion landscape, with a decreasing reliance on ransomware encryption and an increased focus on data theft. In 2025, only 78% of extortion cases involved encryption, a drop from over 90% in previous years. Threat actors like Bling Libra (aka ShinyHunters), known for targeting SaaS applications, and TGR-CRI-1135 (aka TeamPCP), which has conducted supply chain compromise attacks, are at the forefront of this trend. The shift is driven by improved backup and recovery, endpoint maturity, exfiltration speed, and regulatory pressures like the SEC\u0026rsquo;s 4-day disclosure window and GDPR\u0026rsquo;s 72-hour reporting rule. These regulations create a countdown, forcing organizations to negotiate quickly, and the average cost of data-theft extortion is $5.08 million. The report emphasizes the impending weaponization of frontier AI models like Mythos by threat actors, potentially accelerating the discovery and exploitation of vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (T1199):\u003c/strong\u003e TGR-CRI-1135 conducts software supply chain compromise attacks, injecting malicious code into software. Bling Libra uses vishing to trick victims into providing credentials and MFA codes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e Victims are directed to phishing sites to intercept credentials and MFA codes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e Bling Libra registers their own devices within targeted environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Threat actors exfiltrate sensitive data, including cloud access tokens, SSH keys, and Kubernetes secrets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExtortion:\u003c/strong\u003e Threat actors demand ransom payments in exchange for not releasing the stolen data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDDoS Attacks:\u003c/strong\u003e Bling Libra uses Distributed Denial-of-Service (DDoS) attacks against victims who refuse to pay.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Leaks:\u003c/strong\u003e Bling Libra leaks stolen information to media outlets to pressure victims.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Victims face financial losses, reputational damage, regulatory fines, and potential class-action lawsuits.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe shift towards data theft and extortion has significant consequences for organizations. The average cost of data-theft extortion is $5.08 million, with U.S. breaches exceeding $10 million. Industries like Professional Services, Healthcare, and Consumer Services are heavily targeted, especially mid-sized organizations (64% of victims). Construction has seen a 44% year-over-year increase as a data-only extortion hotspot. The weaponization of frontier AI models is expected to further accelerate these attacks, potentially reducing the time from initial access to data exfiltration to as little as 25 minutes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy data loss prevention (DLP) controls at cloud, endpoint, and network egress points to detect and prevent data exfiltration, as recommended in the report.\u003c/li\u003e\n\u003cli\u003eBaseline and alert on abnormal egress volume and velocity as noted in the defensive recommendations.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes initiating network connections, especially after software updates, to detect potential supply chain compromises (use Sigma rule \u0026ldquo;Detect Suspicious Process Network Connection After Software Update\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement MFA and educate employees about vishing tactics to prevent initial access via credential theft as described in the \u0026ldquo;Initial Access via Vishing\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T22:10:19Z","date_published":"2026-05-27T22:10:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cyber-extortion-economy/","summary":"Cyber extortion is increasingly relying on data theft rather than ransomware encryption, with threat actors like Bling Libra and TGR-CRI-1135 leveraging techniques like vishing and software supply chain compromise, fueled by regulatory compliance pressures and the impending weaponization of frontier AI models.","title":"Cyber Extortion Economy Shifting Towards Data Theft","url":"https://feed.craftedsignal.io/briefs/2026-05-cyber-extortion-economy/"}],"language":"en","title":"CraftedSignal Threat Feed — Mythos","version":"https://jsonfeed.org/version/1.1"}