Out of the Crypt: The Evolving Cyber Extortion Economy

Unit 42 reports a notable industry trend in 2025–2026 toward data-only extortion and theft—driven by better backups, endpoint maturity, and regulatory pressure—profiling active groups (e.g., TGR-CRI-1135/TeamPCP, Bling Libra, CL-CRI-1116), supply-chain compromises affecting hundreds of software packages, vishing-based SaaS intrusions, data leak sites and RaaS/EaaS collaborations, rapid exfiltration timelines (as fast as 39 seconds and AI-accelerated cases), sector targeting of mid-sized Professional Services, Healthcare and Consumer Services, and recommended controls for DLP, SaaS posture, identity resilience, supply-chain integrity, and AI-threat preparedness.