The ransomware landscape is evolving. While high-profile attacks involving system-wide encryption and operational disruption continue to dominate headlines, a quieter breed of threat actor is gaining traction. These groups do not encrypt files, deploy malware, or demand immediate ransom. Instead, they rely on simple intrusions, slow data exfiltration, and carefully timed leaks of stolen data to apply pressure.
These are the low-volume data leak actors. Their activity often goes unnoticed until files appear on dark web forums, Telegram channels, or “leak blogs” weeks or months after compromise. This form of cyber extortion is growing in prevalence, particularly against under-resourced UK public sector organisations, academic institutions, and small businesses.
What Defines a Low-Volume Data Leak Actor?
Unlike ransomware operators who deploy payloads to lock down systems, low-volume leak actors prioritise data theft and silence. They may exfiltrate sensitive files over several days or weeks, without leaving disruptive traces. Once the data is stolen, the group will contact the organisation discreetly or leak a sample online to pressure them into negotiation.
These actors are often opportunistic, exploiting unpatched systems, weak credentials, or exposed cloud storage. In some cases, they never make contact and leak the data without warning, either as a form of protest or to build their reputation within cybercrime circles.
Well-known examples of this type include:
- Dunghill Leak: targeting universities and local councils with administrative and operational data.
- KelvinSec: leaking municipal, telecoms, and educational data via Telegram with unclear motives.
- MalasLocker: exfiltrating data from Zimbra email servers and demanding charitable donations instead of payment.
- ProjectRelic: slowly exfiltrating research and government documents without deploying malware.
These groups operate below the radar, but the impact of their activity—especially in terms of reputational harm and data protection liabilities—can be significant.
Why Are These Actors Difficult to Detect?
There are several reasons low-volume leak actors are challenging to identify:
- They use system-native tools rather than known malware, bypassing signature-based detection.
- Their data transfers are small, often below thresholds that would trigger alerts.
- They may operate using compromised legitimate accounts, avoiding brute-force behaviour.
- They do not trigger obvious symptoms such as encrypted files, ransom notes, or system outages.
For many organisations, particularly those without dedicated threat hunting capabilities, these behaviours are easily missed or written off as normal system activity.
Detection and Response Guide: Non-Encryption-Based Extortion
This section provides a practical framework to help defenders identify and respond to low-noise data theft and extortion operations.
Key Indicators of Compromise (IOCs)
- Creation of compressed archive files (.zip, .7z, .tar.gz) in shared folders or staff directories
- Unusual outbound data volumes during non-business hours
- Repeated HTTP POST requests to cloud storage providers
- Suspicious use of tools like Rclone, WinSCP, or curl by non-technical users
- Account logins from unusual geolocations or Tor exit nodes
- Creation of new scheduled tasks or registry entries by low-privilege users
- OAuth app registrations or API token use from unknown devices
Detection Techniques
- Monitor process activity for archive creation, scripting engines, and command-line tools
- Enable DNS logging and alert on connections to known file-sharing domains
- Use anomaly detection to identify unusual data access or download patterns
- Audit privileged access to files containing personally identifiable or contractual data
- Configure data loss prevention (DLP) policies to flag bulk file transfers
- Establish baselines for data usage per user and alert on deviations
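As an added example (not code from the original article), the following Python script runs the indicators and detection techniques listed above over a handful of constructed process-creation and proxy log lines: archive or transfer tools launched by users outside an IT allowlist, transfers outside business hours, a per-user outbound volume baseline, and archive creation followed by a transfer tool run by the same user. Every hostname, username, destination, byte count, the `IT_STAFF` allowlist and the tool lists are assumptions made for the example; a real deployment would feed it EDR and proxy exports and tune the thresholds.

```python
"""Detection checks for low-noise data theft, run over constructed sample logs.
Added example; hosts, users, destinations, tool lists and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed process-creation events: timestamp host user executable
PROCESS_LOG = """\
2024-03-04T09:12:31 FIN-PC01 alice 7z.exe
2024-03-04T09:20:05 IT-ADM02 bob rclone.exe
2024-03-04T23:41:17 FIN-PC01 alice rclone.exe
2024-03-05T10:02:44 HR-PC07 carol winword.exe
"""

# Constructed proxy records: timestamp user destination bytes_sent
PROXY_LOG = """\
2024-03-01T14:05:00 alice mail.example.org 120000
2024-03-02T11:15:00 alice mail.example.org 95000
2024-03-03T16:40:00 alice mail.example.org 110000
2024-03-04T23:42:00 alice storage.example-cloud.test 48000000
2024-03-04T09:21:00 bob backup.example-cloud.test 2000000000
"""

IT_STAFF = {"bob"}  # assumed allowlist: users expected to run archive/transfer tools
ARCHIVE_TOOLS = {"7z.exe", "rar.exe", "tar.exe"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe", "curl.exe"}
WATCHED_TOOLS = ARCHIVE_TOOLS | TRANSFER_TOOLS


def parse_process_log(text):
    events = []
    for line in text.splitlines():
        ts, host, user, exe = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "exe": exe.lower()})
    return events


def parse_proxy_log(text):
    transfers = []
    for line in text.splitlines():
        ts, user, dest, sent = line.split()
        transfers.append({"ts": datetime.fromisoformat(ts), "user": user,
                          "dest": dest, "bytes": int(sent)})
    return transfers


def flag_tool_use(events, it_staff=IT_STAFF):
    """Check 1: archive or transfer tools launched by users who are not IT staff."""
    return [e for e in events if e["exe"] in WATCHED_TOOLS and e["user"] not in it_staff]


def flag_off_hours(transfers, start_hour=8, end_hour=18):
    """Check 2: outbound transfers outside the assumed business-hours window."""
    return [t for t in transfers if not (start_hour <= t["ts"].hour < end_hour)]


def flag_volume_anomalies(transfers, factor=10.0, min_history=3):
    """Check 3: a transfer far above that user's own baseline (mean of earlier transfers).
    A per-user baseline catches transfers that stay below any single global threshold.
    Users with fewer than min_history earlier transfers have no baseline and are skipped."""
    history = defaultdict(list)
    alerts = []
    for t in sorted(transfers, key=lambda x: x["ts"]):
        prior = history[t["user"]]
        if len(prior) >= min_history and t["bytes"] > factor * mean(prior):
            alerts.append(t)
        prior.append(t["bytes"])
    return alerts


def correlate_staging_and_transfer(events, window=timedelta(hours=24)):
    """Check 4: archive creation followed, within window, by a transfer tool run by the same user.
    Returns (user, archive_time, transfer_time) tuples."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        archives = [e for e in evs if e["exe"] in ARCHIVE_TOOLS]
        sends = [e for e in evs if e["exe"] in TRANSFER_TOOLS]
        for a in archives:
            for s in sends:
                if a["ts"] <= s["ts"] <= a["ts"] + window:
                    hits.append((user, a["ts"], s["ts"]))
    return hits


def run_detections():
    """Run all four checks and return the set of users each one flagged."""
    events = parse_process_log(PROCESS_LOG)
    transfers = parse_proxy_log(PROXY_LOG)
    return {
        "tool_use": sorted({e["user"] for e in flag_tool_use(events)}),
        "off_hours": sorted({t["user"] for t in flag_off_hours(transfers)}),
        "volume": sorted({t["user"] for t in flag_volume_anomalies(transfers)}),
        "staged_then_sent": sorted({h[0] for h in correlate_staging_and_transfer(events)}),
    }


if __name__ == "__main__":
    for check, users in run_detections().items():
        print(f"{check}: {users}")
```

The per-user baseline is the check that matters most for this class of actor: a fixed organisation-wide byte threshold is sized for the largest legitimate transfers (the IT backup in the sample), so a transfer that is small in absolute terms but large for one finance user never fires it. The baseline is deliberately skipped for users with fewer than three earlier transfers, which means a newly compromised account with no history has to be caught by the tool-use, off-hours or staging-correlation checks instead.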
Immediate Response Actions
If signs of a potential data leak are detected:
- Isolate affected accounts or endpoints from the network
- Suspend external data sharing or cloud sync for the suspected user or device
- Investigate logs for signs of command-line activity, archive creation, and outbound data transfer
- Identify whether exfiltrated data includes protected or regulated information (e.g. personal data under GDPR)
- Notify internal legal and compliance teams to assess reporting obligations
- Monitor dark web forums, Telegram, and known leak sites for signs of public exposure
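One way to work through the "identify whether exfiltrated data includes protected or regulated information" step, as an added example that is not part of the original article: given the file listing recovered from a staging archive (here a constructed listing of paths with a short text sample from each file), classify each file by the folder it came from and by personal-data patterns in its content, and produce a summary the legal and compliance teams can work from. The folder names, file paths, sample contents, the `PERSONAL_DATA_FOLDERS` and `CONTRACTUAL_FOLDERS` sets and the regular expressions are all assumptions made for the example.

```python
"""Triage of a recovered staging archive for regulated data.
Added example; paths, contents, folder rules and patterns are assumptions."""
import re

# Constructed listing of files found in a staging archive: path -> text sample from the file
STAGED_FILES = {
    "contracts/supplier-agreement-2023.docx": "Agreement between Example Council and Supplier Ltd",
    "hr/leavers-2024.csv": "name,email,ni_number\nA Person,a.person@example.org,QQ123456C",
    "public/newsletter-march.pdf": "Council newsletter, March edition",
    "finance/payroll-q1.xlsx": "employee,salary\nA Person,32000",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Format check only for a UK National Insurance number (two letters, six digits, suffix A-D);
# it does not validate the prefix rules, so treat a match as a prompt for manual review
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

# Assumed folder conventions: where personal and contractual data normally lives
PERSONAL_DATA_FOLDERS = {"hr", "payroll", "finance", "students", "patients"}
CONTRACTUAL_FOLDERS = {"contracts", "legal", "procurement"}


def classify_file(path, sample):
    """Return the set of categories ('personal', 'contractual') that apply to one file."""
    categories = set()
    top_folder = path.split("/")[0].lower()
    if top_folder in PERSONAL_DATA_FOLDERS:
        categories.add("personal")
    if top_folder in CONTRACTUAL_FOLDERS:
        categories.add("contractual")
    # Content patterns catch personal data stored outside the expected folders
    if EMAIL_RE.search(sample) or NI_RE.search(sample):
        categories.add("personal")
    return categories


def triage(files):
    """Group staged files by category and flag whether a GDPR breach assessment is needed."""
    report = {"personal": [], "contractual": [], "unclassified": []}
    for path, sample in files.items():
        cats = classify_file(path, sample)
        if not cats:
            report["unclassified"].append(path)
        for c in sorted(cats):
            report[c].append(path)
    # Any personal data in the archive means the reporting-obligation assessment must run
    report["gdpr_assessment_required"] = bool(report["personal"])
    return report


if __name__ == "__main__":
    for key, value in triage(STAGED_FILES).items():
        print(f"{key}: {value}")
```

The folder rules give a fast first pass, and the content patterns are there for the case that worries defenders most: a copy of HR data dropped into a shared or public folder, which the folder rule alone would miss. Unclassified files still go to the reviewers; the script only decides what to look at first.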
Recommendations for Prevention and Resilience
Low-volume leak actors exploit simple mistakes and misconfigurations. The following measures can reduce exposure:
- Regularly patch externally accessible services, particularly webmail and file sharing platforms
- Apply multi-factor authentication to all cloud services and admin portals
- Restrict the use of command-line archive and transfer tools to IT staff
- Limit access to sensitive folders and enforce the principle of least privilege
- Educate users on phishing, credential theft, and safe handling of sensitive files
- Maintain offsite backups and prepare a data breach communication plan
Conclusion
Non-encryption-based data extortion is a growing threat, particularly for organisations that lack the resources to defend against subtle, long-term intrusions. While these actors may not cause immediate operational disruption, the reputational and legal consequences of a data leak can be severe.
UK-based research institutions, local authorities, and mid-sized businesses should ensure they have visibility into their own data flows, strong access control, and early-warning systems for abnormal behaviour. In a threat landscape where silence is often more dangerous than noise, detection must begin with context and curiosity.