Shift to Data‑Only Extortion Threatens SaaS, Healthcare, and Professional Services
What Happened – Unit 42 reports a rapid decline in ransomware‑encrypted extortion cases. Threat actors are now stealing data and demanding payment without encrypting files, leveraging “single‑ and double‑extortion” tactics across SaaS, healthcare, professional‑services and consumer‑services environments.
Why It Matters for TPRM –
- Extortion pressure no longer hinges on downtime, so traditional ransomware controls (e.g., backup verification) are insufficient.
- Data‑theft‑only campaigns target third‑party SaaS platforms, exposing your supply‑chain to regulatory fines and reputational damage.
- Mid‑size vendors are disproportionately affected, increasing risk for organizations that rely on niche providers.
Who Is Affected – Professional Services, Healthcare, Consumer Services, Manufacturing, Construction, and any SaaS‑based vendors handling sensitive financial or operational data.
Recommended Actions –
- Re‑evaluate third‑party contracts for data‑exfiltration safeguards (encryption‑in‑transit, DLP, zero‑trust).
- Verify that vendors maintain immutable backups and rapid restoration capabilities.
- Incorporate extortion‑only threat scenarios into incident‑response playbooks and tabletop exercises.
Technical Notes – The shift is driven by: (1) mature backup/recovery solutions, (2) advanced endpoint protection, (3) faster exfiltration tools, and (4) regulatory pressure (SEC 4‑day disclosure, GDPR 72‑hour breach notice). Notable actors: Bling Libra (ShinyHunters) targeting SaaS, and Hazy Scorpius (CLOP) exploiting an Oracle EBS vulnerability. Source: Palo Alto Unit 42 – Out of the Crypt: The Evolving Cyber Extortion Economy