Cherry XTRFY announced the K63W Pro Compact at Computex 2026, and the standout feature is one you don’t often see in gaming keyboards: Ultra-Wideband technology. With a true 8000 Hz polling rate, this compact keyboard is positioning itself as a serious wireless option for gamers who don’t want to compromise on performance.
What is Ultra-Wideband doing in a keyboard?
Traditional wireless keyboards operate in narrow frequency bands, which is where interference creeps in and causes problems. Ultra-Wideband takes a different approach, transmitting data in short bursts across a much wider frequency spectrum. Cherry XTRFY claims this results in more precise signal timing, reduced interference, and a more stable connection, even in environments packed with wireless signals competing for the same space.
Cherry
The K63W Pro Compact reports to your computer up to eight times every millisecond in both wired and wireless modes, matching the polling rate you would typically only find in wired keyboards. Cherry XTRFY is also equipping the keyboard with a 6,000 mAh battery, which is a generous capacity a 70% keyboard size. It will ensure that low battery warning doesn’t impact your long gaming sessions.
What else you get with the new keyboard?
Beyond the wireless specs, Cherry XTRFY also made some notable changes to the physical design. The K63W Pro Compact uses a 70% layout that retains the F-row while trimming the sides down to free up more desk space for mouse movement.
The keyboard uses CHERRY MX LOW PROFILE 2.0 switches combined with a new gasket construction, which the company says produces softer keystrokes and deeper acoustics than you would typically expect from a low-profile mechanical keyboard.
Joakim Jansson, Director of Product Management at CHERRY, described the result as “a typing feel you would never expect from a low-profile keyboard.” As for pricing, the keyboard isn’t cheap, but it’s not excessively expensive either. The K63W Pro Compact will be available in the US in August for $169.99.
Ransomware gangs are shifting from encryption to pure extortion, focusing on stolen data, reputational pressure, and stealthier attacks.
Ransomware groups are quietly changing strategy in 2026. Instead of encrypting systems and causing immediate disruption, many attackers are now focusing on pure extortion: stealing sensitive data and threatening to leak it publicly if victims refuse to pay.
This shift is happening for a simple reason. Encryption is noisy, risky, and easier for defenders to detect. Data theft is often faster, quieter, and in many cases more profitable.
Several recent reports suggest attackers are increasingly prioritizing credential theft, long-term access, and exfiltration over traditional ransomware deployment. The pressure point is changing too. Companies are no longer paying just to restore operations, they are paying to avoid reputational damage, regulatory fallout, and exposure of sensitive internal documents.
The biggest incidents of the past months show the same pattern again and again: attackers are causing enormous damage without encrypting systems at all.
The shift is now visible at scale.
According to Kaspersky’s State of Ransomware 2026, ransom payment rates have collapsed from roughly 76% in 2019 to just 28% in 2026. In practice, fewer than one in three victims now pays.
“The new model is pure data extortion: steal it, threaten to publish it, monetise either through victim payment or, increasingly, direct resale on the data leak site. In May 2026 this isn’t an exotic experiment.” reads the report published by the Ransomnews Research Team. “It’s the default playbook.” continues the report.
Attackers adapted because the old model became less effective. Better backups, stricter cyber-insurance rules, regulatory pressure, and improved incident response reduced the profitability of large-scale encryption campaigns.
Encryption also creates operational problems for attackers. It generates forensic evidence, triggers EDR alerts, and gives defenders time to react.
“The shift is rational. Encryption is operationally expensive for the attacker, it leaves loud forensic artifacts, triggers EDR alerts on file-rewrite patterns, requires per-victim key management, and exposes the operator to law-enforcement decryption assistance.” continues the report.”Extortion-only attacks are faster, quieter, and far harder for backup-and-restore strategies to neutralise. The data is already out the door before the victim notices.”
The numbers behind recent attacks explain why this model is becoming dominant.
In May 2026, ShinyHunters claimed to have stolen around 3.65 TB of data from Instructure, the company behind Canvas LMS. The leak allegedly affected roughly 275 million students, teachers, and staff across approximately 9,000 educational institutions.
In both cases, encryption was either absent or secondary. The pressure came entirely from data exposure.
That changes the defensive equation significantly.
Traditional ransomware response plans focused heavily on:
restoring systems,
recovering encrypted files,
rebuilding infrastructure,
and negotiating decryption keys.
But when attackers skip encryption entirely, those controls lose much of their value. Organizations can restore systems quickly and still suffer a catastrophic breach because the stolen data already exists outside their control.
The economics have changed too:
“When the leak site itself is the product, the victim’s negotiation position weakens dramatically.” states the report. “The most important strategic shift is the one with the least technical content. In the 2020 model, the data leak site was a coercion device: pay or we publish. In the 2026 model, the data leak site is the product. Operators have built downstream relationships with carders, identity-fraud rings, and (in some confirmed cases) sanctioned intelligence services that purchase exfiltrated datasets directly. Victim payment is no longer the only, or even the primary, revenue channel for some operators.”
Leak sites are no longer just pressure tools. They became marketplaces. Stolen datasets are increasingly monetized through resale to fraud groups, identity theft operations, and other criminal buyers even if victims refuse to pay.
Another major trend in 2026 is the widespread adoption of EDR-killer utilities.
Attackers now routinely disable endpoint detection systems before beginning reconnaissance or exfiltration. The most common method remains BYOVD (Bring Your Own Vulnerable Driver), where attackers load signed but vulnerable Windows drivers to terminate security tools at kernel level.
What used to be considered advanced tradecraft in 2024 is now becoming standard even among mid-tier ransomware affiliates.
Operational timelines are also shrinking:
Initial access to reconnaissance: often 2–7 days
Data exfiltration: sometimes completed in 1–4 days
Public leak-site listing: often within hours after exfiltration
By removing the encryption phase entirely, attackers cut several days from the attack lifecycle while also eliminating the loudest detection stage.
For defenders, this means the old ransomware playbook is no longer enough.
The priority is shifting toward:
exfiltration detection,
outbound traffic monitoring,
cloud-storage abuse detection,
off-host logging,
DLP controls,
and rapid disclosure readiness.
Backups still matter. But backups alone do not protect against a public data leak involving millions of records or years of intellectual property.
The uncomfortable reality is that ransomware did not become weaker. It became quieter, faster, and more focused on long-term data exposure instead of immediate operational disruption.
“It would be easy to read the encryption-less shift as good news. After all, encryption was the part of ransomware that did the most operational damage to victims, locked systems, broken supply chains, halted hospitals. If operators stop encrypting, isn’t that a defensive win?” concludes the report. “Not exactly. The reduction in encryption is balanced by an increase in the scope and persistence of the data exposure. A 275-million-record dataset on a public leak site is a 30-year liability for the victims of that data. A 10-million-file Foxconn dump rewrites the threat models of every downstream brand whose IP it touches. The visible operational damage is smaller. The invisible long-tail damage is much larger.”
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
May 23, 2026
