HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Data‑Only Extortion Surge Threatens SaaS, Healthcare, and Professional Services

Unit 42 documents a sharp decline in encrypted ransomware extortion, with threat actors now stealing data and demanding payment without encryption. The trend targets SaaS platforms and mid‑size firms in healthcare, professional services, and consumer sectors, raising regulatory and reputational risk for third‑party relationships.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 unit42.paloaltonetworks.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
6 sector(s)
Actions
3 recommended
📰
Source
unit42.paloaltonetworks.com

Shift to Data‑Only Extortion Threatens SaaS, Healthcare, and Professional Services

What Happened – Unit 42 reports a rapid decline in ransomware‑encrypted extortion cases. Threat actors are now stealing data and demanding payment without encrypting files, leveraging “single‑ and double‑extortion” tactics across SaaS, healthcare, professional‑services and consumer‑services environments.

Why It Matters for TPRM

  • Extortion pressure no longer hinges on downtime, so traditional ransomware controls (e.g., backup verification) are insufficient.
  • Data‑theft‑only campaigns target third‑party SaaS platforms, exposing your supply‑chain to regulatory fines and reputational damage.
  • Mid‑size vendors are disproportionately affected, increasing risk for organizations that rely on niche providers.

Who Is Affected – Professional Services, Healthcare, Consumer Services, Manufacturing, Construction, and any SaaS‑based vendors handling sensitive financial or operational data.

Recommended Actions

  • Re‑evaluate third‑party contracts for data‑exfiltration safeguards (encryption‑in‑transit, DLP, zero‑trust).
  • Verify that vendors maintain immutable backups and rapid restoration capabilities.
  • Incorporate extortion‑only threat scenarios into incident‑response playbooks and tabletop exercises.

Technical Notes – The shift is driven by: (1) mature backup/recovery solutions, (2) advanced endpoint protection, (3) faster exfiltration tools, and (4) regulatory pressure (SEC 4‑day disclosure, GDPR 72‑hour breach notice). Notable actors: Bling Libra (ShinyHunters) targeting SaaS, and Hazy Scorpius (CLOP) exploiting an Oracle EBS vulnerability. Source: Palo Alto Unit 42 – Out of the Crypt: The Evolving Cyber Extortion Economy

📰 Original Source
https://unit42.paloaltonetworks.com/cyber-extortion-economy/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →