Morning Overview

Most ransomware gangs now steal your data before locking it, so backups alone fall short

Ransomware crews that once focused on locking files and demanding payment have shifted tactics. They now routinely steal sensitive data before deploying encryption, turning what used to be a recovery problem into a full-blown data breach. A joint advisory from CISA and its federal partners on the Play ransomware group describes a workflow in which attackers exfiltrate files first, encrypt systems second, and then threaten to publish the stolen records if the victim refuses to pay. That sequence means an organization with perfect backups can restore every server and still face regulatory exposure, mandatory notification obligations, and lasting reputational damage from data already in criminal hands.

Why data theft before encryption changes the calculus for defenders

For years, the standard advice for ransomware preparedness centered on offline backups and tested restoration procedures. That guidance assumed the primary harm was operational disruption: locked files, halted production, lost revenue during downtime. Once backups were restored, the crisis was largely over. The shift to pre-encryption exfiltration breaks that assumption. When attackers copy customer records, employee files, health data, or financial documents before flipping the encryption switch, the damage is already done by the time the ransom note appears.

The CISA advisory on Play ransomware spells out a kill chain in which data theft precedes encryption and leak threats follow both. The advisory, published jointly with the FBI and partner agencies, documents how the group gains access, moves laterally, stages files for exfiltration, and only then encrypts the environment. Leak threats come after encryption, giving the attacker two separate pressure points: pay to unlock your systems, and pay again to keep your data off the internet.

This two-stage extortion model creates a gap that backups cannot close. Restoring encrypted files addresses availability. It does nothing about confidentiality. If protected health information, Social Security numbers, or trade secrets have already left the network, the organization faces breach-notification requirements regardless of how quickly it recovers operations. The practical test is straightforward: did data leave the organization’s control? If yes, disclosure obligations kick in under federal and state laws, and no amount of backup restoration changes that answer.

It follows that organizations that build exfiltration detection into their incident plans should trigger fewer mandatory breach notifications than those relying only on backup restoration. If a security team can identify and stop data theft in progress, and can show from egress logs what did and did not leave the network, the notification analysis rests on documented facts rather than on worst-case assumptions. If the team only discovers the breach after encryption and has no visibility into what left the network, it must assume the worst and notify affected individuals, regulators, and in some cases the media.

Federal advisories map the exfiltration-first playbook

The strongest public evidence for the exfiltration-first model comes from two primary U.S. government sources. The first is CISA advisory AA23-352A, which profiles Play ransomware. That document describes a ransomware workflow that includes exfiltration prior to encryption and details the leak threats that follow. Play is not an outlier; the advisory frames this sequence as a standard operating procedure rather than an unusual tactic.

The second source is the #StopRansomware Guide, the federal guide on ransomware response and mitigation developed with the NSA, FBI, and the Multi-State Information Sharing and Analysis Center. That guide states plainly that ransomware actors may exfiltrate data and threaten to release it. The phrasing is deliberately broad because the behavior spans multiple ransomware families, not just Play. The guide also addresses response steps that go beyond restoring from backup, including containment of ongoing data loss and coordination with law enforcement through the FBI's field offices.

Taken together, these documents show that the federal government’s own incident-response framework treats data theft as a core component of modern ransomware attacks, not an edge case. The guidance links exfiltration to downstream legal risk by emphasizing that once sensitive information leaves an organization’s control, it may trigger health, financial, or sector-specific disclosure rules. That connection reinforces the regulatory consequences that follow exfiltration, consequences that exist independently of whether encrypted files are ever recovered or whether a ransom is ultimately paid.

Gaps in public data and what organizations should watch next

The federal advisories establish that exfiltration-before-encryption is a known, documented tactic. They do not, however, publish aggregated numbers on how often it succeeds. CISA and the FBI have not released case-level statistics showing what percentage of ransomware incidents in a given year involved confirmed data theft versus encryption alone. Without that data, security teams cannot benchmark their own risk against a national baseline or determine whether their sector is more heavily targeted for theft than for pure disruption.

A second gap involves enforcement. HIPAA's breach-notification rule and the various state breach-notification statutes create clear obligations when sensitive data is exposed. Yet publicly available records do not neatly tie specific enforcement actions or notification volumes to ransomware-driven exfiltration events. Many public breach notices describe “unauthorized access” or “potential compromise” without specifying whether the incident was part of a double-extortion ransomware campaign. That makes it difficult to measure the real-world regulatory cost of failing to detect data theft early, or to separate ransomware-related disclosures from other types of intrusions.

The advisories also lack direct statements from victims or ransomware operators that would quantify how often data is actually posted or sold when ransoms go unpaid. Law enforcement bulletins warn about leak sites and name-and-shame tactics, but they do not provide systematic data on what percentage of stolen information ultimately appears online, how long it remains accessible, or how often criminals follow through on threats. For defenders, that missing information complicates risk calculations about whether to treat every exfiltration claim as certain exposure or as one possibility among several bad outcomes.

These gaps do not undermine the core message from federal agencies, but they do shape how organizations should respond. In the absence of detailed statistics, security leaders must assume that any serious ransomware incident could involve covert data theft and plan accordingly. That means prioritizing controls that can detect large or unusual outbound transfers, segmenting networks so that an initial foothold does not grant easy access to sensitive repositories, and ensuring that incident-response teams know how to preserve logs and forensic artifacts that can prove whether exfiltration occurred.

Practical steps to reduce exfiltration risk

Translating the federal guidance into practice starts with visibility. Organizations should ensure they can monitor data flows from critical systems to external destinations, with alerting tuned for anomalous volumes, unusual protocols or ports, and transfers to destinations the host has never contacted before. That last check only works if a baseline of normal external destinations is recorded ahead of time, so the baseline has to be built before an incident, not during one. Endpoint detection and response tools can help identify the staging of large file archives or the use of archiving and file-transfer utilities to compress and move data, behaviors that often precede encryption in the Play ransomware model and similar campaigns.
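The following is an added example of the egress check described above, not code from the advisory or from any vendor product. It runs a sliding-window byte count per (source host, external destination) over flow records, compares each destination against a baseline learned from an earlier period, and flags unexpected ports. The internal address ranges, expected-port list, thresholds, host names, addresses and the log records themselves are all constructed assumptions for illustration; in practice the thresholds would be tuned per environment and the records would come from firewall, proxy, or NetFlow exports.

```python
"""Added example: flag suspicious outbound transfers in flow records.

Thresholds, hostnames, addresses and the records below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space; replace with the organization's real ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed policy: outbound ports considered routine in this environment.
EXPECTED_PORTS = {443, 53, 25}
# Illustrative thresholds (assumptions, not figures from any advisory).
WINDOW = timedelta(minutes=30)
HIGH_BYTES = 500 * 1024 * 1024   # bulk transfer to any single destination
MEDIUM_BYTES = 10 * 1024 * 1024  # smaller transfer, but new destination on an odd port
SEVERITY_RANK = {"medium": 1, "high": 2}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str        # internal host name
    dst: str        # destination IP address
    dport: int
    proto: str
    bytes_out: int


@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    severity: str
    bytes_in_window: int
    reasons: list = field(default_factory=list)


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows, cutoff):
    """External destinations each host contacted before `cutoff` (the learning period)."""
    seen = defaultdict(set)
    for f in flows:
        if f.ts < cutoff and is_external(f.dst):
            seen[f.src].add(f.dst)
    return seen


def detect(flows, baseline, window=WINDOW):
    """Sliding-window egress volume per (src, dst), annotated with novelty and port checks.

    One alert per pair; a later, stronger trigger upgrades its severity.
    """
    recent = defaultdict(deque)
    alerts = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if not is_external(f.dst):
            continue  # internal transfers are a lateral-movement question, not egress
        key = (f.src, f.dst)
        q = recent[key]
        q.append(f)
        while q and f.ts - q[0].ts > window:
            q.popleft()
        total = sum(x.bytes_out for x in q)
        new_dst = f.dst not in baseline.get(f.src, set())
        odd_port = f.dport not in EXPECTED_PORTS
        if total >= HIGH_BYTES:
            severity = "high"
        elif new_dst and odd_port and total >= MEDIUM_BYTES:
            severity = "medium"
        else:
            continue
        reasons = [f"{total} bytes to {f.dst} within {window}"]
        if new_dst:
            reasons.append("new external destination")
        if odd_port:
            reasons.append(f"unexpected port {f.dport}/{f.proto}")
        prev = alerts.get(key)
        if prev is None or SEVERITY_RANK[severity] > SEVERITY_RANK[prev.severity]:
            alerts[key] = Alert(f.ts, f.src, f.dst, f.dport, f.proto, severity, total, reasons)
    return sorted(alerts.values(), key=lambda a: a.ts)


# Constructed records: a quiet learning day, then a night-time staged upload over
# SFTP to a never-before-seen host, alongside routine traffic that should not alert.
MiB = 1024 * 1024
BASELINE_CUTOFF = datetime(2024, 3, 2)
SAMPLE_FLOWS = [
    Flow(datetime(2024, 3, 1, 9, 0),  "ws-042", "203.0.113.10", 443, "tcp", 4_000_000),
    Flow(datetime(2024, 3, 1, 10, 0), "ws-042", "198.51.100.7", 443, "tcp", 1_500_000),
    Flow(datetime(2024, 3, 1, 11, 0), "db-01",  "198.51.100.7", 443, "tcp", 20_000_000),
    Flow(datetime(2024, 3, 2, 2, 0),  "ws-042", "192.0.2.55",   22,  "tcp", 200 * MiB),
    Flow(datetime(2024, 3, 2, 2, 5),  "ws-042", "192.0.2.55",   22,  "tcp", 200 * MiB),
    Flow(datetime(2024, 3, 2, 2, 12), "ws-042", "192.0.2.55",   22,  "tcp", 150 * MiB),
    Flow(datetime(2024, 3, 2, 2, 20), "ws-042", "203.0.113.10", 443, "tcp", 300_000),
    Flow(datetime(2024, 3, 2, 3, 0),  "db-01",  "198.51.100.7", 443, "tcp", 30_000_000),
    Flow(datetime(2024, 3, 2, 3, 10), "ws-042", "10.0.0.9",     445, "tcp", 900 * MiB),
]


def run_example():
    baseline = build_baseline(SAMPLE_FLOWS, BASELINE_CUTOFF)
    return detect([f for f in SAMPLE_FLOWS if f.ts >= BASELINE_CUTOFF], baseline)


if __name__ == "__main__":
    for a in run_example():
        print(a.ts, a.severity, a.src, "->", f"{a.dst}:{a.dport}", "|", "; ".join(a.reasons))
```

On the constructed records the detector raises a single alert for ws-042, first at medium severity when the new SFTP destination appears, then upgraded to high once the three uploads exceed 500 MiB inside the 30-minute window. The large internal copy to 10.0.0.9 and the routine HTTPS traffic to known destinations produce nothing, which is the point: the signal is volume to a novel destination, not raw byte counts.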

Access controls and least-privilege principles are equally important. If a compromised account can read entire file shares of customer or patient data, exfiltration becomes far easier. Regular reviews of group memberships, service accounts, and administrative privileges can limit the blast radius when attackers do break in. Combined with network segmentation that isolates sensitive databases and document stores, these measures make it harder for intruders to quietly collect and export large volumes of information before triggering an overt ransomware event.

Incident-response planning should explicitly account for the possibility that data theft is underway even if encryption has not yet occurred. Playbooks can include decision points around disconnecting affected systems from the network, engaging digital forensics expertise, and contacting law enforcement early through established channels. By treating potential exfiltration as a parallel crisis to encryption, rather than a secondary concern, organizations can move faster to contain the damage and gather evidence that may reduce the scope of mandatory notifications.

Finally, communication strategies need to reflect the new reality. Executives, boards, and legal teams should understand that a ransomware incident is no longer just an uptime problem. Even with reliable backups and rapid restoration, the organization may face weeks or months of regulatory follow-up, customer outreach, and reputational repair if sensitive data has been stolen. Aligning technical, legal, and communications planning around that broader impact can help organizations respond more coherently when, not if, they confront an exfiltration-first ransomware attack.


*This article was researched with the help of AI, with human editors creating the final content.