Extortion-only is a criminal model in which attackers focus on stealing data and pressuring the victim to pay, rather than encrypting files and demanding payment for decryption as in classic ransomware. The leverage usually comes from the threat of public leaks, sales of stolen data, or harassment of customers, partners, and regulators. This makes it different from encrypt-then-demand attacks: the damage is driven by exposure and reputational impact, not just loss of access.
This model matters because it changes both attacker behavior and defender priorities. Extortion-only groups often seek silent access, rapid data collection, and proof of theft such as archives, screenshots, or sample documents. Defenders should look for unusual logins, privilege abuse, archive creation, and abnormal outbound transfers. Since files may remain usable, teams can miss the intrusion if they only watch for encryption events. Effective response depends on verifying whether data actually left the environment, preserving logs, and hardening identity controls, segmentation, and egress monitoring.
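As an added illustration (not part of the original page), the sketch below correlates two of the signals named above: archive creation on a host, followed within a time window by a comparably sized outbound transfer to a non-internal address. The log format, field names, internal ranges, window and size ratio are all assumptions, and the sample lines are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); the key=value format is an assumption.
SAMPLE_LOG = """\
2024-05-01T02:10:00 host=fs01 user=svc_backup event=archive_create path=/tmp/fin.7z bytes=1800000000
2024-05-01T02:40:00 host=fs01 user=svc_backup event=net_out dst=203.0.113.10 bytes=1750000000
2024-05-01T09:00:00 host=ws07 user=alice event=archive_create path=/home/alice/notes.zip bytes=40000
2024-05-01T09:05:00 host=ws07 user=alice event=net_out dst=10.0.0.5 bytes=40000
2024-05-01T11:00:00 host=db02 user=bob event=archive_create path=/tmp/dump.tar.gz bytes=900000000
2024-05-01T18:30:00 host=db02 user=bob event=net_out dst=198.51.100.7 bytes=900000000
"""

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with typed ts and bytes."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes"] = int(rec["bytes"])
    return rec

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def find_staged_exfil(log_text, window=timedelta(hours=2), ratio=0.5):
    """Return (host, user, archive_path, dst, bytes_out) for each archive that is
    followed, on the same host and within `window`, by an external transfer of at
    least `ratio` times the archive size."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    findings = []
    for arc in (e for e in events if e["event"] == "archive_create"):
        for out in events:
            if (out["event"] == "net_out" and out["host"] == arc["host"]
                    and timedelta(0) <= out["ts"] - arc["ts"] <= window
                    and is_external(out["dst"])
                    and out["bytes"] >= ratio * arc["bytes"]):
                findings.append((arc["host"], arc["user"], arc["path"], out["dst"], out["bytes"]))
    return findings

if __name__ == "__main__":
    for finding in find_staged_exfil(SAMPLE_LOG):
        print(finding)
```

A match is a lead for verifying whether data left the environment, not proof of theft; the db02 pair in the sample is missed by the default two-hour window, which shows how slow staging can evade a tight correlation window.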



