Out of the Crypt: The Evolving Cyber Extortion Economy

2026-05-27 · Source: Unit 42 · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning · Depth: Intermediate, long

Summary

The cyber extortion economy is rapidly evolving, with a significant shift away from traditional encryption-based ransomware towards pure data theft and extortion. Unit 42 observed encryption use dropping to 78% in 2025, a decrease from over 90% in prior years, while Google reported data theft incidents rising from 2% in 2020 to 15% in 2025. This trend is fueled by improved backup capabilities, mature endpoint security, faster data exfiltration, and stringent regulatory frameworks like the SEC's 4-day and GDPR's 72-hour disclosure rules, which weaponize compliance. The average cost of data-theft extortion now stands at \$5.08 million. Threat actors such as TGR-CRI-1135, Bling Libra, and CL-CRI-1116 are employing diverse initial access methods, including software supply chain compromise and vishing, and leveraging additional pressure tactics like DDoS and swatting. Frontier AI models, exemplified by Anthropic's Mythos identifying 23,000 vulnerabilities, are expected to further accelerate these attacks, potentially reducing exfiltration time to 25 minutes, with weaponization anticipated within 3-5 months.

Key takeaway

For Security Engineers evaluating defense strategies, recognize that cyber extortion increasingly weaponizes data exposure and regulatory timelines, not just encryption. You must prioritize robust data loss prevention, phishing-resistant MFA, and software supply chain integrity. Prepare your incident response capabilities for AI-accelerated attacks, as initial access to exfiltration times are shrinking to minutes, demanding a "left of bang" posture. Pressure-test your systems against these compressed timelines now.

Key insights

Data theft and regulatory pressure now drive cyber extortion, with AI poised to drastically accelerate attack timelines.

Principles

• Regulatory compliance frameworks are weaponized by threat actors.
• AI models will significantly compress attack timelines.
• Initial access methods vary, from supply chain to vishing.

In practice

• Deploy DLP at cloud, endpoint, and network egress points.
• Migrate from OTP-based MFA to FIDO2/WebAuthn hardware keys.
• Implement SCA and dependency pinning in CI/CD pipelines.

Topics

• Cyber Extortion
• Data Theft
• Ransomware Trends
• Supply Chain Attacks
• Vishing
• AI Security
• Regulatory Compliance

Best for: VP of Engineering/Data, Executive, Director of AI/ML, AI Security Engineer, Security Engineer, CTO

Related on AIssential

• IBM 2026 X-Force Threat Index: AI-Driven Attacks are Escalating as Basic Security Gaps Leave Enterprises Exposed — AI tools are accelerating cyberattacks by enabling faster vulnerability exploitation and lowering barriers to entry for threat actors.
• As ransomware recedes, a new more dangerous digital parasite rises — Threat actors are shifting from ransomware encryption to stealthy, long-term data extortion via "sleeperware."
• The Claude Code source code leak: Takeaways for cybersecurity pros — AI-era cybersecurity demands robust supply chain defense, proactive threat intelligence, and learning from both successes and failures.
• Productivity is the new data breach (Ep. 301) — Employees' use of LLMs for productivity creates an unprecedented, self-inflicted corporate espionage threat.
• 2026 Threat Intelligence Index: Ransomware, AI, & Emerging TTP Risks — Cybersecurity threats are escalating due to unauthenticated vulnerabilities, supply chain attacks, and easier ransomware deployment.
• You Can't Patch a Running Plant: How Mythos Compresses the OT Security Timeline — AI-driven vulnerability discovery drastically accelerates cyberattack timelines, demanding urgent, tailored security responses for operational technology.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Unit 42.