RackTop Systems
Threat Brief

Extortion without encryption: the steal-and-leak business model

A growing share of extortion groups no longer bother encrypting anything. They steal files and threaten to publish them — a model that makes backups irrelevant and puts all the weight on stopping the theft itself.

RackTop SystemsJune 30, 20262 min read

Key takeaways

  • Several major extortion operations have dropped ransomware payloads entirely in favor of data theft.
  • Steal-and-leak defeats recovery-centric defenses: there is nothing to restore.
  • The decisive control moves upstream — detecting and stopping bulk reads on production data.

For years, the ransomware economy ran on encryption: lock the systems, sell the key. Then defenders got better at recovery — immutable backups, isolated vaults, rehearsed restores — and the criminals adapted. First came double extortion, stealing data before encrypting it. The next step was to drop the encryption altogether. Groups like World Leaks operate purely on theft: exfiltrate the files, name the victim on a leak site, and charge for silence.

From the attacker’s side, the logic is sound. Encryption is noisy, increasingly detected mid-run, and invites law-enforcement pressure. Reading files with a valid credential is quiet, and the leverage — regulatory exposure, customer IP, employee identity documents — is just as strong. In some sectors it is stronger: a manufacturer can rebuild servers, but it cannot un-publish a customer’s designs.

What this breaks in the standard defense

Recovery-centric programs assume the harm is downtime. Steal-and-leak inverts that: there may be no downtime at all, and the first sign of trouble is your name on a leak site. Backups, vaults, and restore runbooks — all still necessary for the attacks that do encrypt — contribute nothing here.

The controls that matter are the ones that act while the theft is in progress. Behavioral detection on live file activity, so a session reading far outside its normal pattern is stopped mid-stream. Least-privilege access evaluated per operation, so one credential cannot reach everything. And an immutable audit trail, so if data does leave, you know precisely what left — which converts a worst-case disclosure into a bounded one.

The question to ask your storage

Steal-and-leak is, in the end, a storage workload: a long sequence of reads. The defining question for any file platform is whether it would notice. If the honest answer is that ten thousand reads by one account looks the same as one, the extortion model works. If the storage recognizes the pattern and terminates the session, it does not.

See data-layer defense in action

A 30-minute demo shows Active Defense stopping an attack inline, immutable recovery, and surgical rollback — mapped to your environment.

Data Theft Extortion: The Steal-and-Leak Ransomware Model | RackTop Systems