Ransomware Groups Are Skipping Encryption and Just Stealing Your Data
Kaspersky's 2026 report shows ransomware groups now steal data instead of encrypting it. Backups alone won't protect your business.

Ransomware groups have changed their playbook. According to Kaspersky’s 2026 State of Ransomware report, published for International Anti-Ransomware Day, a growing number of groups are abandoning file encryption entirely. Instead, they steal sensitive data and threaten to publish it unless the victim pays. If your ransomware defense strategy starts and ends with backups, that strategy has a gap that attackers are already exploiting.
Encryption Is Out, Data Theft Is In
For years, the standard ransomware attack followed a predictable pattern: encrypt the victim’s files, demand payment for the decryption key, and wait. Backups were the best defense. If you could restore your systems from clean backups, you could refuse to pay and get back to work.
That model is fading. Groups like ShinyHunters now operate as pure data-theft-and-extortion operations. They break into a network, exfiltrate everything valuable (customer records, financial data, employee information, intellectual property), and then contact the victim with a simple threat: pay up, or we publish everything.
Restoring from backup does nothing to address this. The attacker doesn’t care whether your systems are running. The pressure is the data itself, not your ability to access it. Kaspersky’s report describes this as a fundamental strategic shift, not a niche tactic used by a handful of groups.
Huntress’s ransomware statistics reinforce the trend: SMBs are the primary targets, and the attacks are becoming more efficient. Attackers spend less time inside networks because they don’t need to deploy encryption payloads across every endpoint. They grab the data and get out.
Attackers Are Disabling Your Security Tools First
The Kaspersky report documents another development that makes this worse: EDR killers have become a standard pre-attack step. Attackers now routinely use a technique called Bring Your Own Vulnerable Driver (BYOVD) to disable endpoint detection and response tools before stealing data.
The technique works by loading a legitimate but vulnerable driver onto the target system, then exploiting that driver to gain kernel-level access. From there, the attacker can shut down security software without triggering alerts. This isn’t a theoretical risk. Kaspersky’s report identifies it as a planned, repeatable phase in the attack lifecycle that multiple groups have adopted.
If your EDR tool is the only thing standing between an attacker and your data, BYOVD can remove it from the equation entirely. EDR alone is not enough, and this trend makes that gap even more urgent.
The other finding worth paying attention to: RDWeb portals have become a preferred initial access vector. Many SMBs expose Remote Desktop Web Access to the internet for employee remote access. Initial access brokers are scanning for these portals, compromising credentials, and selling that access to ransomware operators. If your organization has an internet-facing RDWeb portal, it should be behind a VPN with multi-factor authentication at minimum.
What SMBs Actually Need Now
The shift from encryption to data theft means your defensive priorities need to shift too. Backups remain essential for operational resilience, but they’re no longer a ransomware defense on their own. Here’s what should be in place:
Data Loss Prevention (DLP): DLP tools monitor for unauthorized data transfers. They can detect and block large-scale data exfiltration attempts, which is exactly what these attackers are doing. If 50 GB of files are being copied to an external destination at 2 AM, DLP is what catches it.
Network Segmentation: If an attacker gains access to one part of your network, segmentation limits how far they can move and what data they can reach. A flat network where every system can talk to every other system gives attackers access to everything once they’re inside. Segmentation and data protection controls contain the blast radius.
Data Classification: You can’t protect what you haven’t identified. Knowing where your sensitive data lives (customer PII, financial records, health information, trade secrets) determines where your monitoring and access controls need to be strongest.
Exfiltration Monitoring: Your SOC should be monitoring for unusual outbound data transfers, not just inbound threats. Large file transfers to unfamiliar destinations, unusual use of cloud storage services, and spikes in outbound traffic at odd hours are all indicators of data theft in progress.
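The exfiltration-monitoring and DLP points above (bulk transfers to unfamiliar destinations, off-hours spikes) can be turned into a simple detection rule run over outbound flow records. This is an added example, not code from the Kaspersky or Huntress reports; the flow format, the 10 GB / 1 GB thresholds, the allowlist of known destinations and the sample hosts are constructed assumptions.

```python
"""Flag bulk or off-hours outbound transfers to destinations the business does not normally use."""
from collections import defaultdict
from datetime import datetime

# Assumed allowlist: destinations that legitimately receive large volumes (e.g. the backup target).
KNOWN_DESTINATIONS = {"backup.example-msp.net", "mail.example.com"}
BULK_BYTES = 10 * 1024 ** 3        # 10 GB per host/destination/day -> alert at any hour
OFF_HOURS_BYTES = 1 * 1024 ** 3    # 1 GB is already suspicious between 22:00 and 06:00

# Constructed sample flows: (timestamp, source host, destination, bytes sent).
SAMPLE_FLOWS = [
    ("2026-05-12T14:05:00", "FS01", "backup.example-msp.net", 40 * 1024 ** 3),   # nightly-style backup, allowed
    ("2026-05-12T02:10:00", "FS01", "files.unknown-cloud.example", 30 * 1024 ** 3),
    ("2026-05-12T02:25:00", "FS01", "files.unknown-cloud.example", 25 * 1024 ** 3),
    ("2026-05-12T10:00:00", "WS07", "mail.example.com", 200 * 1024 ** 2),
    ("2026-05-12T11:30:00", "WS07", "cdn.unknown-cloud.example", 300 * 1024 ** 2),  # small, daytime, no alert
]


def is_off_hours(timestamp: str) -> bool:
    """Off-hours window assumed here: 22:00 to 06:00 local time."""
    hour = datetime.fromisoformat(timestamp).hour
    return hour >= 22 or hour < 6


def detect_exfiltration(flows, known=KNOWN_DESTINATIONS,
                        bulk=BULK_BYTES, off_hours_limit=OFF_HOURS_BYTES):
    """Aggregate outbound bytes per (day, host, destination) and return alert dicts."""
    totals = defaultdict(int)
    seen_off_hours = defaultdict(bool)
    for ts, src, dst, nbytes in flows:
        key = (ts[:10], src, dst)               # one bucket per calendar day
        totals[key] += nbytes
        seen_off_hours[key] |= is_off_hours(ts)

    alerts = []
    for (day, src, dst), total in totals.items():
        if dst in known:
            continue                            # expected bulk destinations are not flagged
        off_hours = seen_off_hours[(day, src, dst)]
        if total >= bulk or (off_hours and total >= off_hours_limit):
            alerts.append({
                "day": day, "host": src, "destination": dst,
                "gigabytes": round(total / 1024 ** 3, 2),
                "severity": "high" if off_hours else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS):
        print(alert)
```

In production the flow records would come from the firewall, proxy or NetFlow collector, and the allowlist from the data-classification inventory described above.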
The Regulatory Cost of Stolen Data
When ransomware attackers encrypted files, the damage was primarily operational: downtime, recovery costs, and lost productivity. When they steal data instead, the damage expands into regulatory territory.
If stolen data includes protected health information, you’re facing HIPAA breach notification requirements and potential fines. If it includes Texas consumer data, the Texas Data Privacy and Security Act (TDPSA) creates additional obligations and penalties. PCI DSS applies if payment card data is involved. The regulatory cost of a breach compounds quickly when the stolen data falls under multiple frameworks.
This is where data theft extortion gets especially painful for SMBs in regulated industries like healthcare, financial services, and legal. Even if you refuse to pay the ransom, the public exposure of that data triggers compliance violations that carry their own financial consequences.
Three Questions to Ask Your IT Provider This Week
Whether you manage IT internally or work with a managed security provider, these three questions will tell you whether your defenses have kept pace with the shift to data theft:
“Do we have any way to detect large-scale data exfiltration from our network?” If the answer is no, or “we’d see it in the firewall logs eventually,” you have a gap. Active monitoring for unusual outbound transfers is the minimum standard now.
“Is our network segmented so that a single compromised account can’t access all our sensitive data?” Many SMB networks are flat by default. If an attacker with one set of stolen credentials can reach your file shares, email, financial systems, and customer database, segmentation should be a priority.
“What happens if an attacker disables our EDR tools before stealing data?” Your provider should be able to explain what additional detection layers exist beyond endpoint protection. 24/7 SOC monitoring, SIEM integration, and tamper-detection alerts are all reasonable answers. “That shouldn’t happen” is not.
Need Help With Data Theft Protection?
Our team can assess your defenses against modern ransomware tactics and close the gaps attackers are exploiting right now.
Ransomware isn’t the same threat it was two years ago. The groups that used to lock your files now skip that step and go straight for your data. Backups are still a critical part of any IT strategy, but they solve a different problem than the one these attackers are creating. The defenses that matter now are the ones that detect and prevent data from leaving your network in the first place.