← Back to The Signal THREAT INTELLIGENCE

Cl0p doesn't encrypt anymore. It just takes.

Jun 12, 2026 · 6 min read

A university finds out it's been breached the way most victims do this season: not from an alarm, but from an email. No drives are encrypted. Nothing is locked. Nothing on the network looks broken. The only evidence that anything happened is that roughly 40 gigabytes of student records — financial aid, health files, immigration documents — are now sitting on a leak site, with a deadline attached.

There was no ransomware, in the sense everyone still pictures it. There was just theft. And it had been happening, quietly, for two weeks.

The door: one unauthenticated request

On June 10, 2026, Oracle published an emergency advisory for CVE-2026-35273, a critical (CVSS 9.8) unauthenticated remote code execution flaw in the Environment Management Hub of PeopleSoft PeopleTools 8.61 and 8.62. The vector tells the whole story: AV:N/AC:L/PR:N/UI:N — remotely over HTTP, low complexity, no privileges, no user interaction. Send the right request to the right enterprise HR system and you are running code on it.

The advisory came late. Attackers had been exploiting the bug as a zero-day since at least May 27. By the time Oracle confirmed it, Google's Threat Intelligence Group was notifying more than 100 organizations whose exposed endpoints matched the attack — and 68% of the victims were in higher education, an entire sector running the same internet-facing payroll-and-records platform.

The ransom note isn't the start of the incident. It's the receipt. By the time it arrives, the only decision left is whether to pay.

Cl0p doesn't need to encrypt you

Cl0p has run this exact play before — MOVEit, Accellion, SolarWinds. The pattern never changes: find one internet-facing enterprise application that an entire industry depends on, weaponize a zero-day before anyone's patched, exfiltrate at scale, and extort. The encryption step — the loud, theatrical, drive-locking part everyone built their defenses around — is now optional. The leverage is the data itself.

That shift quietly breaks a lot of security programs. We spent a decade learning to detect encryption: the mass file rewrites, the ransom note dropped on the desktop, the shadow copies deleted. A pure data-theft extortion produces none of that. It produces a remote-management tool that "looks like IT," a certificate that "looks routine," an account reading more records than usual, and a script touching hosts it has no business touching. Every one of those is a shrug in isolation. None of them is the thing your tooling was trained to catch.

The two weeks nobody was watching

Here is the uncomfortable part. For most of the 100-plus victims, the breach didn't hide. It was sitting in the telemetry the whole time — fourteen days of it. The MeshCentral install was logged. The new certificate was logged. The lateral movement generated events. The unusual reads against the records database were right there.

What was missing wasn't data. It was the connection between the data points — and the speed to make it before the exfiltration finished. An HR platform like PeopleSoft is exactly the kind of system that lives in the coverage gap: business-critical, internet-facing, and watched far less closely than anyone's laptops. The signals existed. The correlation didn't happen. And the attacker's clock ran for two weeks while the defender's clock never started.

Catching the chain while it's still quiet

The defense against smash-and-grab extortion is not a better ransom-note detector. It's the ability to treat a remote-management tool appearing on a records server, a freshly minted certificate, an account suddenly reading at volume, and a propagation script as one story — and to reach that verdict before the data is gone.

That's what n0limit is built to do. Every one of those signals is investigated the moment it appears — enriched, scoped, and correlated against everything else on the estate — and resolved to a verdict in under 500 microseconds, with a reasoning trail an operator can audit. A new remote tool on a PeopleSoft host doesn't land in a "review later" queue next to ten thousand other events; it's connected to the anomalous reads and the lateral movement and surfaced as a single active-exfiltration incident, while there's still time to cut the session.

When the first alert you act on is the extortion email, the campaign is already over and you lost. The entire game is the two weeks before it — and winning that requires seeing the quiet chain at machine speed, not reading the receipt at human speed.

Related from The Signal

THREAT INTELLIGENCE Weekly threat briefing: April 13–20, 2026 VISION The attacker fixed its own bug in 31 seconds. PRACTICAL DEFENSE One VM in. Every VM gone.

Catch the quiet chain before the data leaves.

See n0limit investigate and correlate every signal to a verdict in under 500 microseconds — so a smash-and-grab is an incident, not a ransom note.

Book a demo →