Cybercriminals Pivot from Ransomware to Cloud Extortion as Supply Chain Attacks Surge
Financially motivated threat groups are abandoning traditional ransomware encryption in favor of data-theft extortion through cloud service compromises, marking a significant shift in cybercrime tactics. Groups including TeamPCP, ShinyHunters, and LAPSUS$ are now prioritizing cloud-focused extortion schemes that exploit non-human identities (NHIs) such as GitHub tokens, along with open-source supply chain vulnerabilities. This evolution reflects a calculated move toward quieter, more leverageable attack vectors that bypass the noisy encryption workflows of legacy ransomware operations.
The technical execution reveals sophisticated methods. TeamPCP has compromised open-source packages including PyTorch Lightning and Xinference by embedding credential-stealing malware that propagates through GitHub tokens. Once validated via the GitHub API, these tokens enable infection of writable repositories, creating a self-perpetuating supply chain compromise. ShinyHunters has targeted enterprise cloud platforms such as Salesforce and Snowflake, extracting sensitive data for extortion rather than deploying encryption payloads. The attack surface has expanded significantly as organizations increasingly rely on cloud infrastructure and third-party code dependencies.
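The self-propagation pattern described above, a single stolen token pushing into every repository it can write to, leaves a recognisable trace in repository audit logs: one identity pushing to many distinct repositories within minutes. The following detection is an added example written for this article, not code from the reporting or from any vendor; the event field names (`ts`, `actor`, `action`, `repo`) and the sample records are constructed assumptions, so map them to your own audit-log schema.

```python
"""Flag identities that push to many distinct repositories in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on a repository audit log.
# Field names are assumptions for this example, not a vendor schema.
SAMPLE_EVENTS = [
    # ci-bot: four repos in under three minutes (token-propagation shape)
    {"ts": "2025-03-01T10:00:05Z", "actor": "ci-bot", "action": "git.push", "repo": "acme/api"},
    {"ts": "2025-03-01T10:00:40Z", "actor": "ci-bot", "action": "git.push", "repo": "acme/web"},
    {"ts": "2025-03-01T10:01:10Z", "actor": "ci-bot", "action": "git.push", "repo": "acme/infra"},
    {"ts": "2025-03-01T10:02:30Z", "actor": "ci-bot", "action": "git.push", "repo": "acme/docs"},
    {"ts": "2025-03-01T10:02:31Z", "actor": "ci-bot", "action": "repo.access", "repo": "acme/docs"},
    # dev-alice: three repos, but spread across a working day
    {"ts": "2025-03-01T08:00:00Z", "actor": "dev-alice", "action": "git.push", "repo": "acme/api"},
    {"ts": "2025-03-01T12:30:00Z", "actor": "dev-alice", "action": "git.push", "repo": "acme/web"},
    {"ts": "2025-03-01T17:45:00Z", "actor": "dev-alice", "action": "git.push", "repo": "acme/infra"},
    # release-bot: many pushes, but all to one repository
    {"ts": "2025-03-01T09:00:00Z", "actor": "release-bot", "action": "git.push", "repo": "acme/api"},
    {"ts": "2025-03-01T09:01:00Z", "actor": "release-bot", "action": "git.push", "repo": "acme/api"},
    {"ts": "2025-03-01T09:02:00Z", "actor": "release-bot", "action": "git.push", "repo": "acme/api"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_burst_pushers(events, window=timedelta(minutes=10), min_repos=3):
    """Return {actor: sorted distinct repos} for every actor that pushed to at
    least `min_repos` different repositories inside any `window`-long span.
    Non-push actions are ignored; repeated pushes to one repo do not count."""
    pushes_by_actor = defaultdict(list)
    for event in events:
        if event["action"] == "git.push":
            pushes_by_actor[event["actor"]].append((parse_ts(event["ts"]), event["repo"]))

    flagged = {}
    for actor, pushes in pushes_by_actor.items():
        pushes.sort()  # chronological order so the sliding window is contiguous
        for i, (start, _) in enumerate(pushes):
            # distinct repositories touched from this push until the window closes
            repos = {repo for ts, repo in pushes[i:] if ts - start <= window}
            if len(repos) >= min_repos:
                flagged[actor] = sorted(repos)
                break  # one qualifying window is enough to flag the actor
    return flagged


if __name__ == "__main__":
    for actor, repos in find_burst_pushers(SAMPLE_EVENTS).items():
        print(f"{actor}: pushed to {len(repos)} repos in one window -> {', '.join(repos)}")
```

Tune `window` and `min_repos` to the normal fan-out of your own automation accounts; a release bot that legitimately touches many repositories should be allow-listed rather than used as the threshold.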
The darknet forum ecosystem is simultaneously fracturing, with platforms like BreachForums migrating or splintering into alternatives such as PwnForums. Telegram has emerged as the preferred communication channel for threat actors, offering both reach and operational flexibility. For security teams, these converging trends signal heightened exposure across software supply chains, cloud identity management, and data protection controls. Organizations maintaining GitHub repositories, cloud storage, or enterprise SaaS integrations face elevated risk from credential harvesting and data-theft extortion campaigns.