Cyber extortion shifting from ransomware encryption to data-theft-only tactics
Unit 42 analysis reveals threat actors increasingly abandoning ransomware encryption in favor of pure data exfiltration and extortion, driven by regulatory compliance frameworks and improved victim backup capabilities.
Attack Brief
Target: SaaS applications, Professional Services, Healthcare, Consumer Services, Manufacturing, Construction sectors
Vector: Data exfiltration via supply chain compromise, vishing/credential interception, and extortion-as-a-service partnerships
Attribution: TGR-CRI-1135 (TeamPCP), Bling Libra (ShinyHunters), Hazy Scorpius (CLOP), Scattered LAPSUS$ Hunters
Technical Details
IoCs: Tox ID (Bling Libra communication channel); Tor-based data leak site (Bling Libra); LAPSUS$ data leak site; BreachForums (cybercrime forum); Telegram (threat actor communications)
Affected: Over 500 software pieces compromised via TGR-CRI-1135 supply chain attacks; SaaS tenants targeted by Bling Libra; Oracle EBS vulnerability exploited by Hazy Scorpius
Impact
Affected Organisations: Mid-sized organizations (64% of data-only extortion victims in 2025)
Sectors: Professional Services, Healthcare, Consumer Services, Manufacturing, Construction
Confirmed Damage: Average data-theft extortion cost $5.08 million; over $10 million for broader U.S. breaches; 39-second initial access to data exfiltration observed
Geography: United States; Global (GDPR-regulated regions)
Mitigation
Workarounds: Implement advanced backup and recovery capabilities for rapid re-imaging; deploy endpoint detection and response (EDR) with automated disruption; enforce strict data egress controls; strengthen MFA implementation against vishing attacks; segment SaaS tenant access
Context
Previous Campaigns: TGR-CRI-1135 active since late 2025 with 20+ supply chain compromise attacks; Bling Libra extensively reported in 2025 SaaS infiltration campaigns; Hazy Scorpius Oracle EBS exploitation
Similar Attacks: Google reported data theft and extortion incidents rising from 2% (2020) to 15% (2025); Resilience observed extortion-only incidents rising from 49% (H1 2025) to 65% (H2 2025); encryption-based extortion dropped from 90%+ (2021-2024) to 78% (2025)