
Out of the Crypt: The Evolving Cyber Extortion Economy

Unit 42 reports a structural shift in the cyber extortion economy: encryption-based ransomware fell to 78% of cases in 2025, down from more than 90% in prior years, while pure data-theft extortion rose sharply. The drivers are better backup and recovery capabilities, stronger endpoint defenses, and threat actors weaponizing regulatory disclosure deadlines (the SEC's four-business-day Form 8-K window and GDPR's 72-hour breach notification window) as leverage: a victim who can restore from backups still faces a leak threat and a regulator-facing clock.

TGR-CRI-1135 (TeamPCP) is highlighted as a key actor conducting supply chain attacks that inject malicious code into 500+ software packages to exfiltrate cloud tokens, SSH keys, and Kubernetes secrets from the systems that install them. The group monetizes through partnerships with LAPSUS$ (extortion-as-a-service) and Vect (ransomware-as-a-service), and released its Shai-Hulud tool as open source on BreachForums in May 2026, which will complicate future attribution because any actor can now reuse the tooling.

Mid-sized professional services, healthcare, and construction firms are the primary targets, with average extortion costs reaching $5.08M.

Read original article

This post is licensed under CC BY 4.0 by the author.