Ransomware Evolution: From Encryption to Data Extortion Rackets
The Ransomware Landscape Shifts Toward Data Extortion
Ransomware attacks continue to plague organizations worldwide, but a notable trend has emerged: financially motivated attackers are increasingly focusing on data theft for extortion purposes, rather than traditional ransomware tactics that involve encrypting systems.
This shift is driven by the success of groups like Scattered Spider, ShinyHunters, and Clop, which have carried out some of the most significant and far-reaching attacks in recent years.
According to a research report by Google’s Threat Intelligence Group, 77% of ransomware intrusions in 2025 involved data theft as an additional pressure point for extortion, up from 57% in 2024.
However, data theft alone does not constitute ransomware unless encryption is involved.
Decline in Traditional Ransomware Deployment
Mandiant, a leading cybersecurity firm, has observed a decline in traditional ransomware deployment, coinciding with a rise in data-theft extortion.
Some ransomware-as-a-service programs now offer data-theft-extortion-only options, reflecting demand from their customer base.
Uptick in Data-Leak Sites
The increase in data extortion is likely driving an uptick in posts on data-leak sites, which jumped 48% to 7,784 posts in 2025.
The number of unique data-leak sites also climbed 35% to 128 sites with at least one post.
However, experts caution that data-leak sites are a poor measure of the actual volume of ransomware attacks, as they often feature non-credible claims or recycled breaches.
Google’s Report Highlights Tactics and Shifts
Google’s report highlights the tactics and shifts observed during its response to ransomware attacks in 2025.
Exploited vulnerabilities were the top initial access vector, accounting for a third of all incidents.
Attackers commonly targeted vulnerabilities in widely used virtual private networks and firewalls from Fortinet, SonicWall, Palo Alto Networks, and Citrix.
Stolen Credentials and Targeting Virtualization Infrastructure
Stolen credentials were the initial access point in 21% of ransomware intrusions, often used to authenticate to a victim’s VPN or Remote Desktop Protocol login.
Attackers are also finding it harder to deploy ransomware once they breach victim networks: successful ransomware deployment declined year over year from 54% in 2024 to 36% in 2025.
Another notable trend is the increased targeting of virtualization infrastructure, such as VMware ESXi hypervisors.
Attackers targeted these environments in 43% of ransomware intrusions in 2025, up from 29% in 2024.
Prominent Ransomware Families and Brands
The most prominent ransomware families in 2025 included Agenda, Redbike, Clop, Playcrypt, Safepay, Inc, RansomHub, and Fireflame.
The most active ransomware brands included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce, and Sinobi.
Conclusion
As the ransomware landscape continues to evolve, organizations must remain vigilant and adapt their defenses to mitigate the growing threat of data extortion.
