The Rising Threat of Encryption-less Ransomware Attacks

Rachael Shah Thumbnail
Rachael Shah
Published October 12, 2023

At the turn of the new year, there was a glimmer of hope organizations might be gaining an upper hand in the battle against ransomware. After a tumultuous 2021 that was marked by a surge in sophisticated, high-impact attacks, stats seemed promising. Ransomware’s share of incidents declined from 21% in 2021 to 17% in 2022. And ransomware payments fell from $765.6 million to $456.8 million.

There was cautious optimism that perhaps the worst was behind us. But as 2023 unfolded, a harsh reality set in. In the ever-evolving threat landscape, ransomware continued to wreak havoc and take on a new twist. While the practice of encrypting data and holding it hostage had defined ransomware attacks for years, cybercriminals introduced yet another technique to their arsenal: encryption-less attacks.

Evolution of Ransomware

Ransomware attacks have been a menace to enterprises for years. In the early days, cybercriminals typically infiltrated a victim’s system, encrypted valuable data using strong encryption methods, and then demanded a ransom in exchange for the decryption key. The victim’s dilemma was rather straightforward: pay the ransom or risk losing access to critical data.

To maintain their effectiveness, ransomware gangs then went on to innovate different tactics. For instance, double extortion, which not only encrypts your data but also threatens to publicly expose stolen information or sell it on the dark web, hit the scene with its first high-profile case in 2019. And shortly after, triple extortion, which takes double extortion one step further, leveraging sensitive information about customers, relatives, or other entities related to the victim, started making news in 2020.

Encryption-less Attacks

Fast forward to today, ransomware cybercriminals are still continuing to evolve their strategies. It’s become commonplace for enterprises to maintain backups of their data, and decryptor tools are being created to neutralize ransomware variants. So, rather than go through the time-consuming process of encrypting data, threat actors are skipping it altogether. They focus on gaining access to sensitive data and threatening to release it to the public or auction it off.

An encryption-less attack relies more on psychological pressure to coerce victims to pay the ransom. Its speed, simplicity, and reduced technical complexity compared to encryption-based attacks make this technique concerning.

Certain implications of encryption-less attacks can range from:

  • Faster ransom demands. With encryption-less attacks, cybercriminals can demand a ransom more quickly since they cut out the encryption step. Victims find themselves under significant pressure to pay up to prevent their data from being exposed.
  • Reputation damage. The mere threat of data exposure can have a severe impact on businesses. Stolen sensitive information, including customer data, financial records, or intellectual property, can lead to substantial trust issues among customers, partners, and the public.
  • Regulatory consequences. Enterprises that handle personal or sensitive data are subject to various government and industry data protection regulations. In the event of a data breach, hefty fines and legal repercussions can compound the financial impact, making the situation even more challenging to navigate.


One example of a cybercriminal group pivoting to encryption-less ransomware is BianLian. According to a cybersecurity advisory released by the FBI, CISA, and Australian Cyber Security Centre, BianLian has been targeting critical infrastructure and organizations across the U.S. and Australia since June 2022.

The threat group originally leveraged a double extortion model but, starting earlier this year, has primarily shifted to exfiltration-based extortion.

Recently, BianLian has purportedly targeted Save the Children. The group claims to have stolen 6.8 TB of data from the non-profit, including financial, personal, and medical information. As of September, the investigation was still ongoing.

Protecting Your Enterprise

Predictions indicate ransomware will cost victims roughly $265 billion annually by 2031. Enterprises must be proactive and establish a zero-trust security framework to effectively confront both encryption-less attacks and the evolving ransomware threat landscape.

The guiding principle behind zero trust is: don't blindly trust; always verify. Today, nearly 90% of all Internet traffic is encrypted, and most malware and threats are hidden in encrypted traffic. If you want to keep your apps, data, and organization protected against malware like ransomware—and achieve a comprehensive zero-trust environment—you can’t afford to be blind to encryption.

F5 BIG-IP SSL Orchestrator delivers high-performance decryption of inbound and outbound encrypted traffic, enabling your existing security investments to expose threats and stop ransomware attack chains before they can reach your servers and user devices. With its full proxy architecture and dynamic service chaining, BIG-IP SSL Orchestrator maximizes the usage of your security devices by letting them concentrate on the areas where they can best protect your organization.

To learn more about how BIG-IP SSL Orchestrator provides robust decryption/re-encryption and orchestration of encrypted traffic to help mitigate ransomware and other encrypted threats, click here.