Exfiltration-Only Ransomware: Why Wire-Speed Traffic ML Is Now the Last Line of Defense
Q1 2026 ransomware operators are skipping encryption and going straight to data theft. The new kill chain is silent unless you can spot exfiltration as it happens — at wire speed, on your network, not in tomorrow's SIEM digest.
The shape of ransomware just changed, and most defensive stacks have not noticed yet.
Through 2024 and into 2025 the ransomware kill chain was three predictable beats: get in, move laterally, encrypt everything and demand a ransom. The encryption beat was loud — file-system telemetry lit up, backup systems alerted, users immediately knew. Detection was usually post-impact but at least there was detection.
In the trailing quarter, that has shifted. The Cyfirma weekly intel for early May 2026 and the Securelist State of Ransomware 2026 both report the same trend with different framings: a meaningful share of the high-tier ransomware affiliates are skipping encryption entirely. They get in, they enumerate quickly, they exfiltrate as much business-critical data as the network egress will carry, and they extort directly on the threat of publication. Brain Cipher is the named brand most commonly referenced; the operating model is broader than any one group.
This sounds like a tactical change. It is actually an architectural one for defenders.
What "encryption-less ransomware" means for detection
When the impact phase is encryption, you have signals everywhere: massive write rates to file shares, SMB or NFS protocol counters spike, your EDR or your backup software trips. The attack is self-announcing. You can detect it after the fact, and the remaining question is whether your backups are good enough to let you refuse the ask.
When the impact phase is exfiltration, none of those signals exist. The attacker does not touch your files in a destructive way. They read them. Reads at scale do not trigger many of the rules that were tuned for encryption-stage activity. Your file shares, your databases, your S3-compatible internal object stores see legitimate-shaped reads. The only place the activity is unambiguously visible is the network egress — the bytes leaving your perimeter to a destination they should not be going to.
And the network egress is exactly where most defenders are weakest.
Three concrete operational gaps the new attacker pattern exploits:
- Volume-based DLP misses staged exfiltration. Modern attackers stage data inside the perimeter — usually in a host they already control — and only then move it out, often spread across hours, often to one of the cloud-storage CDN ranges your business already uses. Rule-based DLP keyed on file size, destination, or time-of-day misses it.
- TLS inspection has retreated. Application-level certificate pinning in mobile and thick-client apps, Encrypted Client Hello hiding the server name, and QUIC moving traffic off TCP mean that mid-network TLS interception now breaks more applications than it inspects. Many enterprises have quietly disabled it for most outbound segments. The exfiltration traffic that mattered last year is encrypted now, and your SIEM does not see the payload.
- SIEM cadence is wrong. A scheduled search that aggregates over a 24-hour window and runs once a day cannot flag a 90-minute burst while it is still in progress, and even a 15-minute schedule only reports it after the bytes have left. By the time the morning report runs, the data is gone.
Two recent KEV additions that make this worse
Two CVEs added to CISA's Known Exploited Vulnerabilities catalog in May 2026 align cleanly with this kill chain:
- CVE-2026-20182 — a critical (CVSS 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, added to KEV on 14 May 2026, with FCEB remediation deadline 17 May. SD-WAN appliances sit at the egress edge of many enterprises. An attacker who owns the SD-WAN controller decides how outbound traffic is routed and inspected.
- CVE-2026-31431 — the "Copy Fail" Linux kernel local privilege escalation, added 1 May 2026. By itself this is post-compromise; chained with any of the recent web-server foothold CVEs it converts a user-context webshell into root-level access to every file and credential the host can reach.
Read together: the attacker gets a foothold, escalates to root via Copy Fail, owns the SD-WAN controller, exfiltrates over a path the defenders have lost visibility into. The encryption step is now optional — and increasingly skipped, because every extra noisy step is an extra detection chance.
What detection actually has to look like
You cannot defend exfiltration-shaped attacks by looking at endpoints alone. The endpoint sees reads that look legitimate, and an attacker staging on a host they already control can use the same archiving and transfer tools the administrators use. You have to defend at the traffic layer with detection logic that does not depend on signatures, payload inspection, or static rules. Three properties of a working stack:
- Behavioural ML on flow metadata. Even when the payload is encrypted, the flow metadata — timing, fan-in, fan-out, byte distribution, ASN destination, certificate fingerprint, JA3/JA4 hashes — carries enough signal to flag a host that has flipped from net-importer to net-exporter or that has started talking to an ASN it never talked to before. The model has to be trained on your baseline traffic, not on a vendor's average customer.
- Real-time, not batch. The detection has to land while the activity is in progress, not as the next morning's report. Inference on flow features as the traffic traverses the sensor (on the appliance GPU, at wire speed) is what gives you a realistic chance to interrupt exfiltration mid-stream, and it only pays off if the alert is wired to something that can actually cut the session: a firewall block, an SD-WAN policy push, a switch-port quarantine.
- Sensor placement at every choke point. A single edge sensor misses east-west exfiltration via a compromised cloud tenancy or via a partner VPN. You need sensors at the perimeter, the DMZ, server-to-server segments, and any OT/ICS chokepoint that touches IT.
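The three gaps above (staged, low-and-slow egress; opaque payloads; batch cadence) and the flow-metadata and real-time properties just listed can be made concrete with a small detector. The block below is an added example written for this article, not Zero Hunt's engine or any vendor code: it replaces the deep-learning model with simple per-host baseline statistics, and checks the same three signals the text names, a never-seen destination ASN, a host flipping from net-importer to net-exporter, and a per-window outbound burst far above the host's usual volume. Alerts fire on the individual flow record that crosses the threshold, not at the end of a batch window. The flow records, ASNs, the 50 MB volume gate and the 5x/10x factors are all constructed assumptions; the IP-to-ASN lookup is assumed to happen before the record reaches the detector.

```python
"""Per-host egress baseline with streaming deviation checks over flow metadata.
Added example, not Zero Hunt code: simple statistics stand in for the article's
deep-learning model. All flows, ASNs and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds
    host: str       # internal source host
    dst_asn: int    # destination ASN; assumes the sensor has a local IP-to-ASN lookup
    bytes_in: int   # bytes the host received on this flow
    bytes_out: int  # bytes the host sent on this flow


@dataclass
class HostProfile:
    asns: set = field(default_factory=set)
    bytes_in: int = 0
    bytes_out: int = 0
    windows: set = field(default_factory=set)  # distinct training windows seen

    def out_ratio(self):
        # Share of the host's bytes that leave it; close to 0 for a pure importer.
        total = self.bytes_in + self.bytes_out
        return self.bytes_out / total if total else 0.0

    def mean_out_per_window(self):
        return self.bytes_out / len(self.windows) if self.windows else 0.0


class EgressDetector:
    def __init__(self, window=900, min_out=50_000_000, ratio_factor=5.0, burst_factor=10.0):
        self.window = window              # bucket length in seconds (assumed value)
        self.min_out = min_out            # outbound bytes in a window before any check can fire
        self.ratio_factor = ratio_factor  # live out-ratio must exceed baseline out-ratio by this
        self.burst_factor = burst_factor  # live per-window outbound vs baseline per-window mean
        self.profiles = defaultdict(HostProfile)
        self.live = defaultdict(lambda: {"in": 0, "out": 0})  # (host, window) running totals
        self.live_asn = defaultdict(int)                       # (host, window, asn) outbound bytes
        self.fired = set()                                     # (host, window, reason) already raised

    def train(self, flows):
        """Build the per-host baseline from a period believed to be clean."""
        for f in flows:
            p = self.profiles[f.host]
            p.asns.add(f.dst_asn)
            p.bytes_in += f.bytes_in
            p.bytes_out += f.bytes_out
            p.windows.add(f.ts // self.window)

    def observe(self, f):
        """Ingest one live flow; return the alerts this flow triggers, as it arrives."""
        win = f.ts // self.window
        acc = self.live[(f.host, win)]
        acc["in"] += f.bytes_in
        acc["out"] += f.bytes_out
        self.live_asn[(f.host, win, f.dst_asn)] += f.bytes_out
        p = self.profiles.get(f.host)
        if p is None or acc["out"] < self.min_out:
            return []  # unknown host (profile it first) or still below the volume gate
        reasons = []
        if f.dst_asn not in p.asns and self.live_asn[(f.host, win, f.dst_asn)] >= self.min_out:
            reasons.append("new-asn-egress")
        if acc["out"] / (acc["in"] + acc["out"]) > self.ratio_factor * p.out_ratio():
            reasons.append("importer-to-exporter")
        if acc["out"] > self.burst_factor * p.mean_out_per_window():
            reasons.append("outbound-burst")
        alerts = []
        for reason in reasons:
            tag = (f.host, win, reason)
            if tag not in self.fired:  # each (host, window, reason) alerts once
                self.fired.add(tag)
                alerts.append({"ts": f.ts, "host": f.host, "reason": reason,
                               "dst_asn": f.dst_asn, "out_bytes": acc["out"]})
        return alerts


BASE = 1_699_999_200  # constructed epoch, a multiple of 900 so each window stays in one bucket


def build_sample():
    """Constructed flows: a file server importing from two known ASNs for four windows,
    then an hour in which it pushes 20 MB flows to an ASN it has never talked to."""
    baseline = []
    for w in range(4):
        t0 = BASE + w * 900
        baseline.append(Flow(t0 + 10, "10.0.1.5", 64496, 8_000_000, 400_000))
        baseline.append(Flow(t0 + 300, "10.0.1.5", 64497, 2_000_000, 150_000))
    t0 = BASE + 4 * 900
    live = [Flow(t0 + 60 * i, "10.0.1.5", 64512, 50_000, 20_000_000) for i in range(8)]
    return baseline, live


def run_detection():
    baseline, live = build_sample()
    det = EgressDetector()
    det.train(baseline)
    alerts = []
    for f in live:
        alerts.extend(det.observe(f))  # streaming: alerts land on the flow that crosses the line
    return alerts


if __name__ == "__main__":
    for a in run_detection():
        print(a)
```

With the constructed sample, nothing fires on the first two live flows (40 MB out, under the gate); the third flow pushes the window to 60 MB outbound and all three reasons fire at once, two minutes into the burst rather than at the end of a 24-hour report. The volume gate is what keeps a single large download or a backup job from tripping the ratio check; in a real deployment it would be set per segment from the baseline distribution, not hard-coded.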
If your current network detection stack is signature-based or batch-oriented, the exfiltration story walks through it.
How Zero Hunt's Pillar 2 addresses this scenario
The second pillar of the Zero Hunt appliance is the AI Traffic Analysis engine, and exfiltration-shaped attacks are the canonical case it was built for.
The engine is a proprietary deep-learning architecture with four parallel inference heads (suspicious traffic, malware classification, attack-type identification, application fingerprinting), trained on billions of real-world PCAP sequences and running directly on the appliance GPU at a 2.7+ Gbit/s baseline. It classifies flow metadata as the packets traverse — not in a batch job, not in the morning report. A host that flips from net-importer to net-exporter, a sustained outbound burst to a never-seen ASN, an SD-WAN tunnel that suddenly carries 10× its usual volume — all of these light up during the burst, while there is still time to cut the link.
It pairs with the offensive Pillar 1 — the 10-agent swarm validates whether the same exfiltration path is reachable from your own attack surface, before an outsider tries it — and the comparison matrix lays out the difference against signature-based NDR. The features section details the 4-head inference architecture and the 21-source threat intel feed; you can also request a demo to see the appliance run against a recorded exfiltration trace.
All of this runs on-premise on the appliance GPU. None of your network metadata leaves your perimeter to a vendor cloud — a non-trivial property in a year where the threat actors targeting your egress are also reading your security vendor's blog.
The shape of ransomware changed in Q1 2026. The shape of detection has to change with it.