Pure Extortion Replaces Traditional Ransomware: Data‑Theft‑Only Attacks Surge Across SaaS Providers
What Happened — Ransomware gangs are abandoning encryption‑based ransomware in favor of “pure extortion” attacks that steal data and threaten public disclosure. Recent high‑profile incidents (e.g., ShinyHunters exfiltrating 3.65 TB from Instructure’s Canvas LMS) illustrate the new playbook.
Why It Matters for TPRM —
- Extortion‑only attacks bypass many traditional controls (backups, EDR alerts) and can slip past standard ransomware detection.
- Data‑leak threats trigger regulatory, reputational, and contractual fallout that third‑party contracts may not cover.
- Vendors that store or process sensitive data are now prime targets, expanding the attack surface beyond endpoint encryption.
Who Is Affected — SaaS platforms, cloud‑hosted applications, learning‑management systems, and any third‑party service that retains customer data.
Recommended Actions —
- Re‑evaluate vendor risk questionnaires to include pure‑extortion scenarios and data‑leak response plans.
- Verify that vendors encrypt data at rest, enforce strict access controls, and have robust exfiltration detection.
- Update incident‑response playbooks to address public‑leak negotiations, regulatory notifications, and media handling.
Technical Notes — Attack vector shifts toward credential theft, long‑term footholds, and silent data exfiltration rather than ransomware payload delivery. No specific CVE is cited; the trend is driven by operational economics and improved defender tooling. Source: Security Affairs