May 23, 2025

How do you fight ransomware when there’s nothing left to restore?

Learn how to respond when ransomware attackers steal your data without encryption. Discover why backups won't save you and the essential legal, PR, and technical steps IT leaders must take to protect their organization from modern extortion attacks.

TL;DR

  • Backups don't matter: Attackers now steal data without encrypting files, making traditional recovery plans irrelevant.
  • Most still pay: 63% of organizations paid ransom despite having backups, with demands averaging $1.7 million in 2024.
  • Not just IT's problem: Legal, PR, and technical teams must respond together from the start.
  • Reputation at stake: The threat shifts from downtime to regulatory fines, lawsuits, and brand damage.
  • Stop theft, not recovery: Focus on preventing data exfiltration through DLP and Zero Trust architecture.

When backups become irrelevant

You've spent years perfecting your backup strategy. Immutable storage. Air-gapped copies. Tested recovery procedures. It's your insurance policy against ransomware—the foundation of your security posture and your sleep-at-night plan.

But what happens when attackers don't bother encrypting a single file?

Welcome to ransomware's evolution: pure extortion attacks that bypass your carefully constructed recovery plans entirely. These attacks represent a fundamental shift in tactics that's forcing IT leaders to completely rethink their incident response playbooks.

The new extortion landscape

The numbers tell a sobering story. In Q1 2025 alone, ransomware groups posted 74% more victims to data leak sites than in the same period last year. The MOVEit campaign offered an early preview of this future—Clop exploited a zero-day vulnerability not to encrypt files, but to quietly exfiltrate massive amounts of data from hundreds of organizations.

This isn't an anomaly—it's the new playbook.

The sectors most vulnerable are precisely those with the most to lose: healthcare (285 million patient records exposed between 2009 and 2024), financial services, and critical infrastructure (up 52% year-over-year). What's particularly unsettling is that these attacks often occur without operational disruption to alert you. The first sign might be an extortion email or your data appearing on a leak site.

From the attacker's perspective, pure extortion offers compelling advantages: lower technical barriers, easier monetization, and reduced attribution risk. When you encrypt files, victims can restore from backups. When you steal sensitive data, backups are irrelevant—the threat of exposure creates leverage regardless of your recovery capabilities.

The stakes and economics of data exposure

The financial realities are stark. In 2024, the average ransom demand for data-only extortion topped $1.7 million, up 32% from the prior year. More troubling: 63% of organizations hit by these "leakware" attacks paid at least some portion of the ransom.

Why are so many paying? Because the math has changed. When attackers encrypt your systems, the cost equation is relatively straightforward: downtime losses versus ransom payment. But when they steal sensitive data, the calculation becomes vastly more complex:

  • Regulatory fines that can reach into the millions
  • Class action lawsuits from affected customers
  • Lost business from reputational damage
  • Executive accountability (including potential termination)
  • Long-term brand erosion

Even without a single encrypted file, organizations hit by pure extortion attacks in 2024 averaged 13 days of major business disruption—not from technical recovery, but from the all-consuming process of assessment, communication, negotiation, and response.

The 2024 Trout Research report puts this in stark perspective: 84% of organizations hit by pure extortion attacks had full, tested backups. It made absolutely no difference to the outcome.

The question is no longer just "Can we restore our systems?" but "What happens when there's nothing to restore, and our most sensitive data is one click away from public exposure?"

Why your old playbook fails

The battle-tested ransomware response playbook has been clear for years: isolate affected systems, assess the damage, restore from backups, and get back to business. It's a technical problem with a technical solution. Or at least, it was.

Pure extortion attacks have fundamentally changed the game, rendering this traditional approach about as useful as bringing a fire extinguisher to a flood.

The backup fallacy

The hard truth is that your backup strategy—no matter how robust—is designed to solve a problem you're increasingly less likely to face.

Consider this sobering statistic from Trout Research: 84% of organizations hit by data-theft ransomware in 2024 had comprehensive, tested backup solutions in place. When the attacks came, those backups sat untouched. The attackers never encrypted a single file.

"We had a seven-figure backup and disaster recovery infrastructure," admitted the CIO of a midsize healthcare provider who faced this scenario. "It was completely irrelevant to the crisis we actually experienced."

This disconnect exists because the traditional playbook addresses system availability, not data confidentiality. When the threat shifts from "we've locked your data" to "we've stolen your data," the entire response paradigm must change.

The technical team that would normally be rebuilding systems instead finds itself in unfamiliar territory: forensic investigation to determine what was taken, monitoring dark web forums for leaked data, and supporting legal and communications teams rather than restoring services.

The real impact beyond recovery

Pure extortion attacks create chaos that extends far beyond your technology stack:

Business disruption without technical failure. Organizations facing data extortion in 2024 experienced an average of 13 days of major business disruption, not because systems were down, but because the organization was consumed with crisis management. Executive teams pulled into emergency sessions. Legal teams assessing disclosure requirements. Communications teams preparing statements. All while systems continue running normally.

Reputation and trust become primary battlegrounds. When systems are encrypted, the impact is largely internal and temporary. When sensitive data is stolen, the damage is external and potentially permanent. Customer trust, once broken, doesn't restore as easily as a database.

Regulatory exposure creates complex timelines. Most data breach laws include mandatory reporting requirements with strict timelines—some as short as 72 hours. These legal obligations create immovable deadlines that your incident response team must meet, regardless of how the investigation is progressing.

The decision shifts from technical to strategic. In traditional ransomware, the decision framework is relatively straightforward: Can we restore from backups? How long will it take? What's the cost of downtime versus the ransom? With pure extortion, the calculus becomes vastly more complex, involving legal risk, brand impact, customer trust, and regulatory exposure.

This explains why, despite years of security experts advising against paying ransoms, 63% of organizations facing pure extortion attacks in 2024 paid at least partially. The decision wasn't driven by technical necessity but by a complex risk calculation that often landed on "pay to prevent exposure" as the least-bad option.

The uncomfortable reality is that your organization's response capabilities have likely been built around the wrong threat model. Your technical teams are prepared for service restoration, not data exposure management. Your playbooks focus on system recovery, not crisis communications. Your executive team is ready to approve emergency technical measures, not navigate the murky waters of extortion negotiation.

This gap between preparation and reality creates a dangerous vulnerability, not in your systems, but in your organization's ability to respond effectively when the attack doesn't follow the expected script.

The path forward isn't abandoning your existing security controls. It's expanding your concept of ransomware response beyond the technical realm and into the broader organizational capabilities needed to weather a crisis that's as much about communication, legal strategy, and reputation management as it is about technology.

Who do you call first?

When a pure extortion attack hits, the reflexive response is still to call the security team. It's understandable—this is ransomware, after all. But this instinct can lead to critical missteps in those first hours when the trajectory of your entire response is established.

The reality is that data theft ransomware requires a fundamentally different command structure than traditional attacks. The technical team remains essential, but they're no longer the sole or even primary responders.

The new first responders

The moment an extortion demand lands in your inbox, three teams need to mobilize simultaneously:

Legal counsel becomes your front line. Data breach notification laws create non-negotiable obligations with strict timelines. In many jurisdictions, the 72-hour clock starts ticking the moment you become aware of a potential breach, not when you confirm it. According to Harvard Business Review, 41% of U.S. firms reported that "legal missteps" during the initial response significantly worsened their breach aftermath.

Your legal team needs to immediately:

  • Assess which data privacy regulations apply based on the potentially exposed data
  • Determine mandatory reporting timelines to regulators
  • Establish attorney-client privilege protections for the investigation
  • Advise on ransom payment legality (which can vary by jurisdiction and attacker identity)

Communications becomes mission-critical. The narrative around the incident will form with or without your input. McKinsey found that 72% of companies that fared better in post-breach reputation surveys had a crisis communications plan in place before the incident occurred.

Your communications team must quickly:

  • Prepare holding statements for various scenarios
  • Establish communication channels for affected stakeholders
  • Brief executives on public messaging
  • Monitor social media and news coverage
  • Coordinate with legal on disclosure timing and content

Technical teams shift to forensic mode. Rather than restoration, your technical team's priorities become:

  • Forensic preservation of evidence
  • Determining what data was potentially accessed
  • Assessing how the attackers gained access
  • Monitoring for actual data leaks on the dark web and leak sites
  • Closing the security gaps that enabled the attack

This cross-functional approach isn't just about division of labor—it's about integrating perspectives that are essential to navigating the complex decision landscape of an extortion attack.

Real-world response coordination

The cross-functional nature of the response creates natural friction points that need to be actively managed:

Legal vs. Communications tension. Legal counsel typically prefers saying as little as possible, while communications teams push for transparency. This tension needs to be managed through pre-established protocols about who has final approval authority.

Technical reality vs. Business pressure. Technical teams need time for a thorough investigation, while business leaders want immediate answers about the exposure scope. Setting expectations about what can be known with certainty in the early hours is crucial.

Payment decision complexity. The decision to pay or not pay involves legal, ethical, financial, and practical considerations that cross multiple domains. Clear decision authority needs to be established before the crisis, not during it.

Organizations that have successfully navigated pure extortion attacks typically establish a cross-functional incident command structure with:

  • Clear roles and decision authorities
  • Regular synchronization meetings
  • Shared information dashboards
  • Unified communication channels
  • Pre-established escalation paths

The technical team's new mission

While legal and communications take center stage in many aspects of the response, the technical team's role remains vital but transformed:

Forensic investigation becomes the priority. Determining what data was potentially accessed, when, and how becomes the central technical question, not system restoration.

Attackers often bluff. According to Unit 42 research, 29% of extortion cases in 2024 involved exaggerated claims about what data was stolen. Technical teams need to validate attacker claims rather than accepting them at face value.

Containment without disruption. The technical challenge shifts to closing security gaps without disrupting ongoing operations, often a more delicate operation than the "pull the plug" approach used in encryption attacks.

Evidence preservation. Every action taken must consider potential legal proceedings, insurance claims, and regulatory investigations that may follow.

This shift requires technical teams to develop new skills and partnerships. Many organizations find their technical responders unprepared for forensic investigation or unfamiliar with chain-of-custody requirements for evidence preservation.

The cross-functional nature of pure extortion response represents perhaps the greatest challenge for IT leaders accustomed to technical problems with technical solutions. Success requires not just technical expertise but the ability to integrate legal, communications, and business perspectives into a coherent response, often under extreme time pressure and scrutiny.

Organizations that recognize this reality and prepare accordingly find themselves not just better equipped to handle the technical aspects of an attack but better positioned to navigate the complex human, legal, and reputational dimensions that ultimately determine whether an incident becomes a manageable event or an existential crisis.

How to get ahead

The shift to data-theft ransomware isn't just a tactical challenge—it's a strategic inflection point that requires rethinking your entire security posture. Organizations that successfully navigate this new threat landscape are making fundamental changes to how they prepare, who they involve, and what they prioritize.

Build a cross-functional defense

The most effective defense against pure extortion attacks starts long before the threat arrives. It requires breaking down the traditional silos between technical security, legal, communications, and executive leadership.

Rewrite your incident response plan. Your existing ransomware playbook likely focuses on system recovery. It needs to be completely revamped to address data exposure scenarios, with clear roles for legal, communications, and executive teams from the first moment of detection.

Conduct realistic tabletop exercises. These shouldn't just test technical response—they should force your organization to work through the hard questions:

  • How quickly can legal determine our notification obligations?
  • What's our communications strategy if sensitive customer data is threatened?
  • Who has the authority to make payment decisions?
  • How do we balance investigation thoroughness against notification timelines?

According to Gartner, organizations that conduct quarterly cross-functional exercises respond up to 70% more effectively during actual incidents. The muscle memory developed during these exercises proves invaluable when real crises hit.

Establish a data-aware security strategy. Pure extortion attacks succeed when they target your most sensitive data. A data-centric security approach focuses protection efforts where they matter most:

  • Implement data discovery and classification
  • Deploy data loss prevention (DLP) tools with actual enforcement
  • Create least-privilege access controls around sensitive information
  • Segment networks to contain lateral movement
  • Monitor for unusual data access or exfiltration patterns

Engage the board and executive team now

The stakes of pure extortion attacks—regulatory penalties, reputational damage, and legal liability—elevate these incidents to board-level concerns. Effective IT leaders are proactively engaging their executive teams before incidents occur.

Educate on the changing threat landscape. Many executives still think of ransomware as primarily a technical problem solved by backups. They need to understand that the game has changed.

Secure resources for prevention. Data-centric security controls often require significant investment. Making the business case requires framing these investments in terms of risk reduction against specific business-relevant scenarios.

Establish decision frameworks in advance. When an extortion demand arrives, the organization will face complex decisions under extreme time pressure. Having established frameworks for evaluating options, including whether to pay ransom, prevents decision paralysis during a crisis.

The payment question

Perhaps no aspect of ransomware response generates more debate than whether to pay. With pure extortion attacks, this question becomes even more complex.

The official guidance remains clear. The FBI and most security experts continue to recommend against payment. Their reasoning: payment encourages future attacks, doesn't guarantee data deletion, and may violate sanctions depending on the threat actor.

The reality is more nuanced. The 63% payment rate for pure extortion attacks reveals that many organizations make different calculations when facing actual exposure. MIT Sloan research found that payment decisions typically hinge on:

  • The sensitivity of the exposed data
  • Regulatory and legal exposure
  • Technical ability to verify what was actually taken
  • Insurance coverage for payments
  • Organizational risk tolerance

Rather than making this decision during a crisis, forward-thinking organizations are establishing clear guidelines that consider:

  • What types of data would trigger payment consideration
  • Who has decision authority at different ransom amounts
  • What verification would be required from attackers
  • How payment would be technically executed if approved

Insurance considerations are changing. Many cyber insurance policies cover ransom payments, but the landscape is shifting. Insurers are increasingly requiring specific security controls as prerequisites for coverage, and some are limiting payment coverage altogether.

Prevention remains the best defense

While response capabilities are crucial, the reality remains that preventing data theft is vastly preferable to managing its aftermath.

Focus on the kill chain. Pure extortion attacks still require attackers to gain initial access, establish persistence, move laterally, and exfiltrate data. Disrupting any stage of this chain prevents the attack.

Prioritize identity protection. Compromised credentials remain the primary initial access vector. Implementing phishing-resistant MFA, privileged access management, and just-in-time access significantly reduces this risk.

Monitor for data movement. Many organizations have robust perimeter defenses but limited visibility into data exfiltration. Implementing tools that specifically monitor for unusual data movement patterns can provide early warning of theft attempts.
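One concrete form of the "unusual data movement" monitoring described here (and in the data-centric strategy list above) is a per-host egress baseline over flow records. The following is an added example, not code from the article: every host, address, threshold and flow line in it is constructed, and it demonstrates the early-warning logic rather than any particular product.

```python
"""Per-host egress baseline check over constructed netflow-style records.

Added example, not code from the article: baselines each host's daily bytes to
external addresses and flags days that break it. All hosts, addresses and flows
below are constructed sample data; the thresholds are illustrative defaults.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flows, "<day> <src> <dst> <dst_port> <bytes_out>": 10.0.4.21 is a
# workstation that syncs a few MB a day to one SaaS host until 05-16; 10.0.7.5 is
# a backup server that legitimately pushes ~50 GB to an offsite target nightly.
SAMPLE_FLOWS = """\
2025-05-12 10.0.4.21 198.51.100.20 443 1800000
2025-05-13 10.0.4.21 198.51.100.20 443 2100000
2025-05-14 10.0.4.21 198.51.100.20 443 1700000
2025-05-15 10.0.4.21 198.51.100.20 443 2300000
2025-05-15 10.0.4.21 10.0.9.9 445 9000000000
2025-05-16 10.0.4.21 198.51.100.20 443 1900000
2025-05-16 10.0.4.21 203.0.113.77 443 3200000000
2025-05-12 10.0.7.5 198.51.100.9 443 51000000000
2025-05-13 10.0.7.5 198.51.100.9 443 49000000000
2025-05-14 10.0.7.5 198.51.100.9 443 52000000000
2025-05-15 10.0.7.5 198.51.100.9 443 50000000000
2025-05-16 10.0.7.5 198.51.100.9 443 52000000000
"""


def is_external(ip: str) -> bool:
    """True when the address is outside the organisation's private ranges."""
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (day, src, dst, bytes) for flows leaving the internal ranges; the
    9 GB copy to 10.0.9.9 is lateral movement and belongs to a separate check."""
    for line in filter(str.strip, text.splitlines()):
        day, src, dst, _port, nbytes = line.split()
        if is_external(dst):
            yield day, src, dst, int(nbytes)


def detect_egress_anomalies(text, factor=3.0, floor_bytes=100_000_000, min_history=3):
    """Flag (host, day) pairs whose external egress exceeds that host's own history.

    threshold = max(mean + factor * stdev of prior days, floor_bytes): the floor keeps
    quiet hosts from alerting on tiny changes; the per-host history keeps the backup
    server from alerting on volume that is normal for it."""
    totals, dests = defaultdict(int), defaultdict(set)
    for day, src, dst, nbytes in parse_flows(text):
        totals[(src, day)] += nbytes
        dests[(src, day)].add(dst)
    by_host = defaultdict(list)
    for (src, day), nbytes in totals.items():
        by_host[src].append((day, nbytes))
    alerts = []
    for src, series in by_host.items():
        series.sort()  # ISO dates sort chronologically as strings
        for i in range(min_history, len(series)):
            history = [b for _, b in series[:i]]
            day, today = series[i]
            threshold = max(mean(history) + factor * pstdev(history), floor_bytes)
            if today > threshold:
                seen = set().union(*(dests[(src, d)] for d, _ in series[:i]))
                alerts.append({"host": src, "day": day, "bytes": today,
                               "threshold": int(threshold),
                               "new_destinations": sorted(dests[(src, day)] - seen)})
    return alerts
```

Run against the sample, only the workstation's 3.2 GB day to a never-before-seen external host is flagged; the backup server's steady 50 GB and the internal 9 GB copy are not. The "new_destinations" field is what a responder would pivot on first when triaging the alert.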

Test your defenses. Regular penetration testing with a specific focus on data exfiltration paths helps identify vulnerabilities before attackers exploit them.

The organizations best positioned to weather the pure extortion storm are those making fundamental shifts in how they think about ransomware, moving from a technical recovery challenge to a multifaceted organizational risk requiring integrated technical, legal, communications, and executive response.

Instead of spending years perfecting the ability to recover from encryption, build the same muscle for something much harder—responding effectively when there's nothing to restore, and everything to lose.

FAQs

Does pure extortion ransomware actually encrypt any files?

No, pure extortion ransomware doesn't encrypt files at all. Attackers simply steal sensitive data and threaten to publish it unless paid. This is why backups don't help—your systems continue running normally, but your data is in unauthorized hands. According to 2024 research, nearly 39% of ransomware campaigns now focus solely on data theft without encryption, a rapidly growing trend as attackers recognize its effectiveness against traditional defenses.

Should we pay the ransom in a data theft extortion attack?

While the FBI officially recommends against payment, 63% of organizations hit by pure extortion in 2024 paid at least partially. Key considerations include: data sensitivity, potential regulatory fines, legal liability, reputational damage, and sanctions compliance. The best approach is to establish a decision framework before an incident occurs, with clear criteria and authority chains. Remember that payment doesn't guarantee attackers will delete your data or honor their promises.

Are we legally required to report a data theft extortion attack?

Yes, in most cases. Data breach laws typically apply when sensitive information is accessed by unauthorized parties, regardless of encryption. Most regulations require notification within specific timeframes (often 72 hours or less) after discovery. Requirements vary by jurisdiction and data type, with stricter rules for healthcare, financial, and personal information. Legal counsel should be involved immediately to navigate these complex obligations.

How can we prevent pure extortion attacks if backups don't help?

Prevention requires a data-centric approach focused on stopping theft rather than enabling recovery. Key strategies include: implementing data loss prevention (DLP) tools; adopting Zero Trust architecture; deploying network segmentation; strengthening identity protection with phishing-resistant MFA; and regularly testing defenses through targeted penetration testing. Organizations implementing these layered defenses can reduce successful data theft risk by up to 70%, even against sophisticated attackers.

How do we know what data was actually stolen during an attack?

Attackers often exaggerate what they've stolen. According to 2024 research, approximately 29% of extortion cases involved inflated or false claims about stolen data. Forensic investigation should examine access logs, network traffic, and file access patterns to determine what was potentially accessed. Organizations should also monitor dark web forums and leak sites for evidence of their data. This validation is critical for making informed decisions about notifications, ransom payment, and communications strategy.
