Cyber Extortion Economy Evolving
2026-05-27 22:00 | CRITICAL | HIGH
Executive Summary (AI-generated)
The threat landscape is shifting, with a notable decrease in the use of encryption in extortion-related cases. Other security organizations have observed the same trend: Google reported a gradual rise in data theft and extortion incidents from approximately 2% in 2020 to 15% in 2025. The share of extortion-only incidents also increased significantly, from 49% in the first half of 2023 to 65% in the second half. This shift suggests that threat actors are moving away from ransomware and towards pure data theft and extortion, targeting software-as-a-service (SaaS) applications and exploiting an Oracle EBS vulnerability.
Technical Mitigations (AI-generated)
• Implement robust backup and recovery processes so that routine re-imaging and restoration are tested and reliable.
• Raise endpoint security maturity, including the efficacy of automated attack disruption.
• Recognize that exfiltration speed is a key factor in threat actors' decision-making and is driving the shift to data-only extortion campaigns; plan detection and response around those compressed timelines.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: LAPSUS$, Shai-Hulud
Target regions: NORTH_AMERICA, MIDDLE_EAST, EUROPE
Target sectors: media, healthcare, manufacturing, defense
Incident Timeline
2025/05/27
Unit 42 observed a notable decrease in the use of encryption in extortion-related cases last year, as detailed in its 2026 Global Incident Response Report.
Entities: Extortion (tactic); Global Incident Response Report (report).
Context ("Shifting Threat Landscape Observations"): "As detailed in our 2026 Global Incident Response Report, Unit 42 observed a notable decrease in the use of encryption for extortion-related cases last year."
at least late 2025
TGR-CRI-1135 (aka TeamPCP), active since at least late 2025, gained initial access through software supply chain compromise (T1195).
Entities: Initial Access (tactic); T1592.002 - Software (technique); T1195 - Supply Chain Compromise (technique); TGR-CRI-1135 (threat group).
Context ("Initial Access via Software Supply Chain Compromise"): "TGR-CRI-1135 (aka TeamPCP) has been active since at least late 2025."
March 25, 2026
HasanBroker posted a screenshot on BreachForums on March 25, 2026, indicating they had gained access to the system.
Entities: HasanBroker (BreachForums poster).
Context: "Screenshot from HasanBroker's BreachForums post on March 25, 2026."
May 11, 2026
The operators behind CL-CRI-1116, an activity cluster that overlaps with public reporting on BlackFile, continue to use the same Tox ID to communicate with victims and maintain a Tor-based data leak site.
Entities: Data Leak (tactic); LAPSUS$ (threat actor); part 7 (metric); Tor; MFA; Telegram; CL-CRI-1116 (activity cluster); BlackFile.
Context:
• "Screenshot from BlackFile data leak site post on May 11, 2026."
• "Screenshot from scattered LAPSUS$ hunters part 7 chat on May 11, 2026."
• "The operators still use the same Tox ID to communicate with victims and also maintain a Tor-based data leak site."
• "They continue to use vishing for initial access, directing unsuspecting victims to phishing sites designed to intercept user credentials and multifactor authentication (MFA) codes and ultimately registering their own devices to establish persistence within targeted environments."
• "Source: Telegram."
• "On the flip side, an activity cluster tracked by Unit 42 as CL-CRI-1116, which overlaps with public reporting on BlackFile, has followed a similar pattern of activity in terms of a playbook-driven approach with some subtle and not so subtle nuances."
May 13, 2026
TGR-CRI-1135 announced the release of an open source version of Shai-Hulud on BreachForums.
Entities: Shai-Hulud (malware).
Context: "On May 13, 2026, TGR-CRI-1135 announced the release of an open source version of Shai-Hulud on BreachForums as shown in Figure 3."
May 19, 2026
Threat actors used AI models like Mythos to target organizations, with approximately 23,000 potential vulnerabilities across open source software projects exploited in recent weeks.
Entities: Data Leak (tactic); Frontier AI Defense (Unit 42 service); OTP; WebAuthn; SCA; CI/CD; API; Palo Alto Networks (organisation).
Context:
• "Screenshot from BlackFile data leak site post on May 19, 2026."
• "Unit 42 Frontier AI Defense is an elite service that uses access to frontier models to identify your organization's likely attack paths before attackers can weaponize them."
• Looking Forward: "In recent weeks, Palo Alto Networks has been at the forefront of providing guidance to organizations on how to secure their environments from the inevitable weaponization of frontier AI models like Mythos by threat actors." "This would compound the already complex problem of organizations trying to secure their application development and CI/CD pipelines from these types of attacks."
Recommendations from the source report:
• Identity and Vishing Resilience: migrate from OTP-based MFA to phishing-resistant authentication (FIDO2/WebAuthn hardware keys).
• Software Supply Chain Integrity: implement software composition analysis (SCA) and dependency pinning in CI/CD pipelines.
• Security Posture Management: audit OAuth token grants, third-party app integrations, and API permissions across SaaS platforms; enforce conditional access policies that restrict SaaS sessions by device compliance, location, and risk score; rotate and vault all secrets exposed to CI/CD environments.
• AI-Accelerated Threat Preparedness: pressure-test detection and response capabilities against compressed attack timelines; deploy voice authentication and call verification controls for inbound calls.
May 21, 2026
Bling Libra continues to gain initial access via vishing to infiltrate customer SaaS tenants for data theft and extortion.
Entities: LAPSUS$ (threat actor); Resolute (BreachForums poster); BreachForums (cybercrime forum); Vect (ransomware); the Rostova Organization (Vect affiliate).
Context ("Initial Access via Vishing"):
• "Screenshot from Resolute's BreachForums post on May 21, 2026."
• "Bling Libra continues their rampage of infiltrating customer SaaS tenants for data theft and extortion operations, which Unit 42 reported on extensively in 2025."
• "Source: Dark Web Informer."
• "On the RaaS front, they have been working with the operators of Vect ransomware based on communications observed via the BreachForums cybercrime forum as shown in Figure 2."
• "Unit 42 is also aware of claims by one of Vect's affiliates, the Rostova Organization, that they are also partnering with TGR-CRI-1135."
between 2021-2024
Threat actors used ransomware attacks to extort cryptocurrency from the majority of victims in the 2021-2024 period, when the total percentage stayed at near-or-above-90% levels; in 2025 it dropped to 78%.
Entities: 78% (metric).
Context: "The total percentage in 2025 dropped to 78%, much lower than the near-or-above-90% levels observed between 2021-2024."
2026/05/27
Pure data-exfiltration campaigns in 2025 heavily targeted Professional Services firms; Bling Libra focused on software-as-a-service (SaaS) applications, while Hazy Scorpius exploited an Oracle EBS vulnerability.
Entities: Professional Services, Consumer Services, Construction (sectors); Google (organisation); ShinyHunters (threat actor); EaaS; LAPSUS$ (threat actor); SEC, GDPR (regulatory mandates); SSH, Kubernetes.
Context:
• "In 2025, pure data-exfiltration campaigns heavily targeted Professional Services, Healthcare and Consumer Services firms with threat actors specifically focused on mid-sized organizations accounting for 64% of victims."
• "Interestingly, while Manufacturing remains the single most disrupted sector overall, Construction has witnessed a 44% year-over-year increase as a data-only extortion hotspot."
• "Other security organizations have seen similar trends, with Google reporting a gradual rise in data theft and extortion incidents from approximately 2% in 2020 to 15% in 2025."
• "Threat actors tracked by Unit 42 that have demonstrated a willingness to shift away from using ransomware to pure data theft and extortion include Bling Libra's (aka ShinyHunters) focus on software-as-a-service (SaaS) applications and Hazy Scorpius's (aka CLOP) exploitation of an Oracle EBS vulnerability."
• Differences in Extortion Operations: "Unit 42 is actively monitoring several threat actors that are continuously conducting data theft and extortion operations."
• "On the EaaS front, they have been collaborating with the operators of LAPSUS$ Group to extort targeted organizations via their data leak site as shown below in Figure 1."
• "Strict mandates like the SEC's 4-day disclosure window and GDPR's 72-hour reporting rule have created a regulatory countdown clock, allowing threat actors to force rapid negotiations before organizations can complete internal assessments."
• "We previously reported on the group's activities earlier this year and how their malware was able to successfully exfiltrate sensitive secrets (cloud access tokens, SSH keys, Kubernetes secrets) from victims."
Intelligence Sources
Palo Alto, 2026-05-27
Last Updated: 2026-06-29T06:16
Comprehensive Tactical Telemetry
Highly Correlated Entities (entity, type, occurrences):
• Professional Services (organisation): 41x
• 2025 (temporal reference): 14x
• United Kingdom (target country): 6x
• Exfiltration (cyber operation type): 6x
• 64% (general metric): 6x
• Healthcare (targeted sector): 4x
• MIDDLE_EAST (target region): 3x
• +1 866 (general metric): 2x
• T1592.002 - Software (MITRE ATT&CK technique): 2x
Contextual Telemetry (12 metrics):
• Incident: 42
• +65.6983.8730: 50
• Seconds: 39
• APT Group: LAPSUS$
• Minutes: 25
• Hour: 72
• Malware Payload: Shai-Hulud
• Part: 7
• Distinct Chain Compromise Attacks: 20
• Pieces: 500
• Potential Vulnerabilities: 23,000
• Source Software Projects: 1,000