A recent advisory from the FBI, CISA, and Australia’s Cyber Security Centre reveals a tactical shift by the ransomware group BianLian, marking a significant evolution in cyber extortion. The update, issued on November 20, 2024, highlights how the group has abandoned traditional encryption-based attacks in favor of exfiltration-only extortion, a trend gaining momentum across the cybercrime landscape.
Previously known for their double-extortion model—encrypting victims' data while threatening to release stolen files—BianLian has moved exclusively to encryption-less attacks since early 2023.
Instead of locking victims out of their systems, the group focuses solely on stealing sensitive data and leveraging it to demand ransoms. This new approach leaves the victims’ systems intact, but their sensitive information becomes the ultimate bargaining chip.
“This method allows criminals to exploit multiple avenues for extortion,” the advisory states. “Even when victims pay, stolen data is rarely deleted and often surfaces on the Dark Web.”
The shift reflects both a response to improved corporate defenses and a focus on operational efficiency. Muhammad Yahya Patel, lead security engineer at Check Point Software, noted that exfiltration-only attacks require fewer resources, making them harder to detect. “This tactic reduces the need for encryption malware, minimizing operational complexity and allowing attackers to stay under the radar,” Patel explained.
Organizations with robust backup systems can recover from encryption-based attacks, diminishing their effectiveness. Pedro Umbelino, principal research scientist at Bitsight, observed, “Encryption rarely leads to data loss now, but companies still fear the public release of stolen data. Ransomware operators are prioritizing simpler methods to maximize profit.” The trend extends beyond BianLian. Darren Williams, CEO of BlackFog, revealed that 94% of ransomware attacks in 2024 now center on data theft rather than encryption.
“The value of intellectual property, customer, and personal data has made exfiltration the preferred method for cybercriminals,” Williams noted.
For organizations, this shift underscores the urgency of adapting cybersecurity defenses. Unlike encryption attacks, data exfiltration is harder to detect and often unnoticed until it’s too late. Investing in advanced monitoring tools, enhancing incident response plans, and fostering a culture of cybersecurity awareness are critical steps in mitigating this emerging threat.
The rise of exfiltration-only ransomware is a stark reminder of cybercriminals’ adaptability. Businesses must evolve their defenses to match the growing sophistication of their adversaries.
