Surge in Ransomware “Data Extortion Only” Attacks Raises Concerns Over Weak Supplier Controls
- All Things Being ISOs

- 5 days ago

Cyber-security analysts are reporting a sharp rise in a new wave of ransomware attacks where criminals no longer bother encrypting systems, instead focusing entirely on data theft and extortion. The trend, sometimes referred to as “encryption-less ransomware,” is being described by experts as one of the fastest-growing threats facing UK organisations, particularly those reliant on third-party service providers.
According to the Cyber Defence Intelligence Council, dozens of medium-sized organisations have been affected in recent months by attacks in which criminals quietly exfiltrate sensitive files, then threaten to publish them unless payment is made. Unlike in classic ransomware incidents, the victim's operations continue running, so many victims only discover the intrusion once extortion demands arrive.
“What we’re seeing now is a business model shift,” said Dr. Anika Wells, a senior analyst at the council. “Criminal groups have realised they don’t need to lock a company out of its own systems to cause maximum pressure. Stealing the data and threatening reputational damage is often more effective - and far harder to detect.”
A growing number of incidents have been traced back to vulnerabilities in managed service providers, cloud-based file-transfer tools, and remote-access platforms. Attackers are increasingly targeting suppliers because these companies often hold large volumes of client data but may not operate at the same level of cyber maturity as the organisations they serve.
The National Cyber Security Centre (NCSC) issued an advisory highlighting the trend, warning: “We continue to investigate cases where third-party compromise has led directly to data theft affecting multiple organisations at once. The message is clear: supply-chain security must be taken as seriously as internal network protection.”
Several cyber-security firms say the attackers behind these campaigns are predominantly financially motivated groups in Eastern Europe and Southeast Asia. The entry point is often a single unpatched appliance, poorly managed remote desktop access or compromised credentials purchased on criminal marketplaces.
“This is industrialised cybercrime,” noted Sarah Milburn, threat-intelligence director at SecuraLabs. “These groups are running high-volume operations. They’re scanning the internet 24/7 for outdated software and unsecured systems. If they find one weak link, it’s not just that company at risk - it’s every organisation connected to them.”
Industry feedback suggests that many victims are reluctant to go public, worried that admitting to data theft could damage confidence among customers and partners. Cyber insurers, meanwhile, report that extortion-only attacks now represent a significant portion of their incident callouts.
Experts say the rise of this attack model reinforces the importance of knowing where sensitive information sits, who has access to it, and how it is secured across the full supply chain. Organisations with large numbers of external partners or cloud platforms are being urged to conduct more frequent assurance checks, implement multi-factor authentication consistently and monitor for unusual outbound data movement.
The NCSC spokesperson added: “This is not a trend that will fade. It reflects a permanent shift in criminal tactics. Defensive strategies need to adapt quickly.”