
They Don't Encrypt Anymore. They Steal and Call Your Clients.

By Chris Brown · Twin Networks · April 2026 · 6 min read

The ransomware playbook everyone prepared for goes like this: attacker gets in, deploys encryption malware, your files become unreadable, a ransom note appears demanding cryptocurrency. You either pay or you restore from backup. Either way, the incident is visible and immediate.

That playbook is increasingly obsolete. Not because ransomware is gone — it isn't — but because sophisticated threat actors have found a more profitable approach with lower operational risk. They don't encrypt anymore. They steal quietly, disappear, and monetize the data in ways that are harder to detect, harder to contain, and in many ways harder to recover from.

How the new model works

The modern exfiltration attack unfolds over weeks, not hours. An attacker gains initial access — through a phishing email, a compromised credential purchased on the dark web, or an unpatched internet-facing system. Rather than deploying ransomware immediately, they move laterally through the network, quietly, learning the environment. They identify what's valuable: client lists, financial data, health records, privileged communications, merger documents.

Then they take it. Slowly. In small chunks that don't trigger volume-based data loss alerts. An archive of client records here. A mailbox export there. Over days or weeks, everything of value leaves the environment through channels that look like normal traffic. By the time anyone notices, the data has been gone for a month.

"The average dwell time for a threat actor inside a network before detection is measured in weeks. In that time, a motivated adversary can map your entire environment and take everything worth taking — before you know anyone is there."

What happens next is worse than ransomware

With ransomware, the extortion is straightforward: pay to decrypt. With exfiltration, the leverage is different and lasts longer. The attacker now holds a copy of your data permanently. Even if you rebuild your environment completely, they still have it.

The extortion plays vary. Some attackers sell the data immediately on dark web marketplaces — credential bundles, client PII, financial records — where other criminals buy them for targeted fraud. Some contact the organization directly: "pay us or we publish your client list." Some do both. And some skip the organization entirely and go straight to the clients: a firm's customers receive calls from people claiming to be "security researchers" who "discovered a breach" — using the stolen data to make the call credible.

For a financial advisory firm or law firm, that last scenario is existential. The client relationship is built entirely on trust. A call from someone who already knows the client's account details, their portfolio, their legal matter — that call, whether or not it results in fraud, destroys the relationship.

The dark web dimension most firms haven't considered

Dark web monitoring is one of the most underutilized controls in professional services. Credential marketplaces operate continuously, selling username/password combinations harvested from data breaches. Your employees reuse passwords. One of those passwords, from a breach at some other service five years ago, may already be for sale alongside an email address that matches your domain.

Dark web monitoring detects these exposures in near real time. When a credential matching your domain appears on a marketplace, you get an alert, you rotate the credential, and the attacker who purchased it finds it invalid. The attack that would have started with that credential doesn't happen, provided you rotate before the buyer tries it and the employee hasn't reused the same password somewhere the monitoring doesn't reach. This is prevention that doesn't depend on anyone inside your organization having made a mistake — it catches exposures that originated elsewhere and migrated to your environment.
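The alert-then-rotate loop described above, as an added example that is not part of the original article or any vendor's product: a constructed marketplace feed is matched against the firm's owned domains and its directory, and each hit gets a verdict. The feed format, the directory shape and the addresses are assumptions; the one non-obvious step is comparing the last password change against the latest sighting, so accounts that were already rotated don't generate a second fire drill.

```python
from datetime import date

# Domains this firm owns; subdomains are matched as well. Constructed.
OWNED_DOMAINS = {"example-advisory.test"}

# Constructed marketplace feed: (email as listed, source breach, date the listing was seen).
FEED = [
    ("J.Doe@Example-Advisory.test ", "forum-breach-2021", date(2026, 3, 2)),
    ("a.lee@example-advisory.test", "retail-breach-2025", date(2026, 3, 3)),
    ("a.lee@example-advisory.test", "combo-list-mirror", date(2026, 3, 4)),
    ("m.chen@mail.example-advisory.test", "saas-breach-2024", date(2026, 3, 4)),
    ("someone@unrelated.test", "forum-breach-2021", date(2026, 3, 2)),
]

# Constructed directory: email -> date of last password change.
DIRECTORY = {
    "j.doe@example-advisory.test": date(2024, 1, 15),
    "a.lee@example-advisory.test": date(2026, 3, 5),
}


def normalise(email):
    """Marketplace listings are messy: trim whitespace and fold case before matching."""
    return email.strip().lower()


def is_owned(email):
    domain = email.rsplit("@", 1)[-1]
    return any(domain == d or domain.endswith("." + d) for d in OWNED_DOMAINS)


def triage(feed, directory):
    """Map each exposed owned account to (verdict, breaches it appeared in)."""
    sightings = {}                                   # email -> (latest sighting, sources)
    for raw, source, seen in feed:
        email = normalise(raw)
        if not is_owned(email):
            continue                                 # other domains are noise for us
        latest, sources = sightings.get(email, (seen, []))
        sightings[email] = (max(latest, seen), sources + [source])
    verdicts = {}
    for email, (latest, sources) in sightings.items():
        changed = directory.get(email)
        if changed is None:
            verdict = "not-in-directory"             # ex-staff or alias: confirm it cannot log in
        elif changed > latest:
            verdict = "already-rotated"              # password changed after the last sighting
        else:
            verdict = "rotate"                       # the listed secret may still be the live one
        verdicts[email] = (verdict, sources)
    return verdicts
```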

The regulatory dimension you can't ignore

Unlike ransomware — where the data may never actually leave your environment — exfiltration almost certainly triggers notification obligations. Under Reg S-P's amended breach notification requirements, firms have 30 days to notify affected customers of a breach involving their information. Under HIPAA, covered entities have 60 days to notify affected individuals, HHS, and in some cases the media. Under state breach notification laws, the timeline can be as short as 30 days from discovery.

"From discovery" is the key phrase. If the attacker was in your environment for six weeks before you detected the intrusion, the notification clock starts from when you found out — but your regulators will want to understand why detection took six weeks, and what controls should have caught it sooner.

Controls that matter for exfiltration

Dark web monitoring — continuous scanning of credential marketplaces for your domain and known accounts.

User and entity behavior analytics — detecting lateral movement and unusual data access patterns that don't trigger volume alerts.

Data Loss Prevention — egress controls that flag bulk data movement, even at low velocity over extended periods.

Network segmentation — limiting an attacker's ability to move laterally even after initial access.

Privileged access management — ensuring that the accounts with access to the most sensitive data require the most friction to use.

An incident response plan that includes a notification workflow — tested before you need it.
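The "small chunks that don't trigger volume-based alerts" pattern from earlier, and the DLP control above that is meant to catch it, as an added example that is not from the original article or any product: a per-event rule is run beside a trailing-window rule over constructed egress records (timestamp, host, destination, bytes). The thresholds, window length, hostnames and volumes are assumptions chosen to show the gap.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress records: (timestamp, source host, destination, bytes out).
# Six transfers of roughly 200 MB from one workstation over twelve days, plus noise.
SAMPLE_EGRESS = [
    ("2026-03-01T09:15:00", "ws-finance-07", "storage.example-cloud.test", 180_000_000),
    ("2026-03-02T11:00:00", "ws-finance-07", "mail.example.test", 3_000_000),
    ("2026-03-03T18:40:00", "ws-finance-07", "storage.example-cloud.test", 210_000_000),
    ("2026-03-04T12:30:00", "ws-legal-02", "storage.example-cloud.test", 40_000_000),
    ("2026-03-05T07:55:00", "ws-finance-07", "storage.example-cloud.test", 190_000_000),
    ("2026-03-08T19:10:00", "ws-finance-07", "storage.example-cloud.test", 230_000_000),
    ("2026-03-10T06:30:00", "ws-finance-07", "storage.example-cloud.test", 200_000_000),
    ("2026-03-12T20:05:00", "ws-finance-07", "storage.example-cloud.test", 220_000_000),
]

PER_EVENT_THRESHOLD = 500_000_000   # 500 MB: a typical single-transfer DLP rule
WINDOW = timedelta(days=14)
WINDOW_THRESHOLD = 1_000_000_000    # 1 GB cumulative per (host, destination) in the window


def parse(records):
    """Turn the raw tuples into (datetime, host, destination, bytes)."""
    return [(datetime.fromisoformat(ts), host, dst, n) for ts, host, dst, n in records]


def per_event_alerts(records, threshold=PER_EVENT_THRESHOLD):
    """Classic volume rule: alert only when a single transfer is large."""
    return [(host, dst, n) for _, host, dst, n in parse(records) if n >= threshold]


def sliding_window_alerts(records, window=WINDOW, threshold=WINDOW_THRESHOLD):
    """Sum bytes per (host, destination) over a trailing window and alert when the
    cumulative total crosses the threshold, even though no single event does.
    Returns {(host, destination): (time of first crossing, peak bytes in window)}."""
    by_pair = defaultdict(list)
    for ts, host, dst, n in sorted(parse(records)):
        by_pair[(host, dst)].append((ts, n))
    alerts = {}
    for pair, events in by_pair.items():
        start, running = 0, 0
        for ts, n in events:
            running += n
            while events[start][0] < ts - window:   # evict events older than the window
                running -= events[start][1]
                start += 1
            if running >= threshold:
                first, peak = alerts.get(pair, (ts, 0))
                alerts[pair] = (first, max(peak, running))
    return alerts
```

On this data the per-event rule never fires, while the window rule flags the workstation on the fifth transfer, nine days in; tune the window to how long your adversary can afford to wait, not to how large one file is.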

The firms that get through these incidents with their client relationships intact are the ones that detected the intrusion quickly, contained it, notified their clients before the attackers did, and could demonstrate they had controls in place. The story you want to tell your clients is: "we caught this, we contained it, here's what happened, here's what we did, here's what we've added." That story requires detection capability. Without it, the first notification your clients receive comes from the attacker.

Dark web monitoring is already built into the Operational OS.

Continuous credential monitoring, exfiltration detection, and an incident response workflow you test before you need it. Let's talk about your current exposure.
