A growing share of cyberattacks now skip encryption entirely. Attackers steal sensitive data and use the threat of exposure as leverage, leaving backup-based recovery strategies with no role to play.
For years, businesses treated solid backups and a tested recovery plan as adequate protection against ransomware. That approach made sense when attackers relied on encryption. They would lock the data, demand payment for the key, and count on the disruption to force compliance. As organizations improved their recovery capabilities, that model became less effective. Attackers adapted accordingly.
The Arctic Wolf 2026 Threat Report, as covered by HIPAA Journal, found that data extortion-only attacks increased elevenfold in just one year. Between November 2024 and November 2025, they grew from 2% of incident response cases to 22%. In this model, attackers gain access to a network, copy sensitive files, and threaten to publish that data unless the victim pays. No encryption occurs. Operations continue as normal. Backups are irrelevant.
Why Attackers Stopped Bothering with Encryption
As backup and recovery investments paid off, fewer victims needed to pay for decryption keys. Data extortion offers a different form of leverage. It threatens reputational, regulatory, and legal consequences from stolen data. A backup cannot resolve any of those.
Attackers gain initial access through a phishing email, a reused credential, or an unpatched vulnerability. Once inside, they move laterally using legitimate system tools, copy high-value files over days or weeks, and exit without triggering alerts. Threat groups including PEAR (Pure Extortion and Ransom) and Silent Ransom have adopted this model exclusively. They do not encrypt files. They rely entirely on the threat of exposure.
Why Data Exposure Carries Different Consequences Than Downtime
A business can restore its systems and resume production after an outage. Data exposure does not resolve once the organization closes the incident. The consequences can include breach notification obligations, regulatory review, and civil liability. In legal, accounting, healthcare, and financial advisory firms, a single exposure incident can permanently cost a firm its longest-standing clients. Once attackers copy the data, the risk persists regardless of how well recovery goes.
What a More Complete Security Posture Looks Like
Backups remain a sound component of any security program. The problem is treating them as a primary defense against data theft. That is not what they do. Organizations need additional controls that detect and limit unauthorized access before attackers remove data.
- Continuous monitoring for unusual access patterns provides the earliest opportunity to detect an active intrusion. This includes large file transfers during off-hours or access to sensitive directories by accounts that do not normally reach them.
- Least-privilege access controls limit how far a compromised credential can reach. This reduces the volume of data an attacker can exfiltrate from a single point of entry.
- Email security controls that go beyond spam filtering address a primary initial access vector. Monitoring for account takeover behavior and anomalous sending patterns helps catch compromised accounts early. Early detection prevents attackers from using those accounts as a foothold for deeper network access.
- Regular penetration testing identifies exploitable gaps before attackers find them. Trustwave’s research shows that only 32% of organizations conduct this consistently. Most have never independently verified how their defenses would hold up under real-world conditions.
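The first control in the list above, sketched as detection logic. This is an added example, not code from the original article; the log format, account names, paths, business hours, and byte threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample file-access events: ISO timestamp, account, path, bytes read.
BASELINE = """\
2025-03-03T10:12:00 asmith /finance/payroll/q1.xlsx 1200000
2025-03-04T14:30:00 asmith /finance/payroll/q1.xlsx 900000
2025-03-05T11:45:00 jdoe /shared/projects/plan.docx 350000
"""
OBSERVED = """\
2025-03-10T10:20:00 asmith /finance/payroll/q1.xlsx 1100000
2025-03-11T02:14:00 jdoe /finance/payroll/q1.xlsx 800000
2025-03-11T02:16:00 jdoe /hr/records/all.zip 2600000000
2025-03-11T15:00:00 jdoe /shared/projects/plan.docx 300000
2025-03-12T23:40:00 asmith /shared/projects/notes.txt 20000
"""
SENSITIVE = ("/finance/", "/hr/")   # assumed sensitive directory roots
BUSINESS_HOURS = range(7, 19)       # assumed 07:00-18:59 local time
OFF_HOURS_BYTES = 500_000_000       # assumed limit per account per calendar day

def parse(text):
    """Yield (timestamp, account, path, size) from whitespace-separated lines."""
    for line in text.splitlines():
        ts, account, path, size = line.split()
        yield datetime.fromisoformat(ts), account, path, int(size)

def sensitive_root(path):
    """Return the sensitive root a path falls under, or None."""
    return next((p for p in SENSITIVE if path.startswith(p)), None)

def detect(baseline_text, observed_text):
    # Which account has historically touched which sensitive root.
    seen = {(a, sensitive_root(p)) for _, a, p, _ in parse(baseline_text)}
    off_hours = defaultdict(int)
    alerts = []
    for ts, account, path, size in parse(observed_text):
        root = sensitive_root(path)
        if root and (account, root) not in seen:
            alerts.append(("new_sensitive_access", account, root))
            seen.add((account, root))   # alert once per account and root
        if ts.hour not in BUSINESS_HOURS:
            off_hours[(account, ts.date())] += size
    for (account, day), total in sorted(off_hours.items()):
        if total >= OFF_HOURS_BYTES:
            alerts.append(("off_hours_volume", account, day.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect(BASELINE, OBSERVED):
        print(alert)
```

The small off-hours read by `asmith` and the daytime reads stay below both rules, which is the point of keeping a per-account baseline rather than alerting on every access to a sensitive directory.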
A Practical Starting Point
A security assessment examines where sensitive data lives, who can access it, and what monitoring exists for unusual activity. That gives organizations a clearer picture of their actual exposure. Backups confirm what an organization can recover. An assessment identifies what is at risk and whether current controls can detect a data theft attempt before it succeeds.