Ransomware Gangs Shift from Encryption to Data Theft as Backup Strategies Improve


Ransomware Gangs Shift Tactics as Backup Strategies Prove Effective

Businesses have seen a significant decrease in the severity of ransomware attacks, thanks in part to the growing success of backup-based recovery strategies. However, this shift has prompted ransomware gangs to adapt their tactics, with a notable increase in data theft.

Data from Coalition

According to data from Coalition, which analyzed claims from over 100,000 policyholders across the United States, Canada, the United Kingdom, Australia, and Germany, business email compromise (BEC) and funds transfer fraud (FTF) together accounted for 58% of all cyber insurance claims filed in 2025. BEC was the most common claim type, making up 31% of claims, with frequency rising 15% year over year.

Ransomware accounted for 21% of claims, with frequency flat year over year. Even so, the average initial ransom demand rose 47% to over $1 million, with some demands reaching as high as $16 million. The average loss per ransomware incident dropped 19% to $262,000, largely because backup-based recovery let more victims rebuild rather than pay.

Ransomware Variants and Tactics

The most frequently identified ransomware variants were Akira, Qilin, and RansomHub, with average demands ranging from $926,000 to $2.3 million. Notably, 86% of ransomware victims declined to pay, while professional negotiators were able to reduce initial demands by an average of 65% for those who did pay.

Dual extortion, where attackers both encrypt systems and exfiltrate data, accounted for 70% of ransomware claims, carrying an average loss of $299,000. Encryption-only attacks and exfiltration-only attacks each accounted for 15% of ransomware claims, with average losses of $138,000 and $205,000, respectively.

Combating the Evolving Threat Landscape

To combat this evolving threat landscape, organizations must prioritize robust backup strategies. This includes hardening backups, making them immutable and logically or physically isolated from production networks, and protecting them with separate credentials, multi-factor authentication, and tight access controls. Regular testing through full restore exercises is also crucial to ensure that backups can be used to rebuild critical systems and infrastructure.

Beyond technical requirements, organizations must maintain recovery runbooks that sequence systems by business priority, bringing revenue-critical and safety-critical infrastructure back online first. Data governance is also essential, with a focus on reducing sensitive data retained, segmenting high-value data stores, and encrypting data at rest.
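The two practices above, a regular full restore exercise and a recovery runbook ordered by business priority, can both be checked mechanically. The script below is an added example written for this article; it is not Coalition's tooling and not code from the report. It builds a hash manifest of a "production" tree at backup time, verifies a restored copy file by file (detecting missing, corrupted and unexpected files), and computes a restore order that honours system dependencies while bringing the lowest priority tier (most critical) online first. The system names, priority tiers and file contents are constructed for illustration.

```python
"""Restore-drill verifier and runbook sequencer (added example, not the article's code)."""
import hashlib
import heapq
import os
import tempfile
from collections import defaultdict


def sha256_file(path):
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record {relative path: sha256} for every file under root, taken at backup time.
    Store the manifest with the immutable backup, not on the production network."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest. Returns a sorted list of problems;
    an empty list means the drill passed."""
    problems = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"corrupt: {rel}")
    # Files that were not in the backup are suspicious in a restore (possible tampering).
    extras = set(build_manifest(restored_root)) - set(manifest)
    problems.extend(f"unexpected: {rel}" for rel in sorted(extras))
    return problems


def restore_order(systems, depends_on):
    """systems: {name: priority tier}, lower tier = more business-critical.
    depends_on: {name: [systems that must be up before it]}.
    Returns a restore sequence that never starts a system before its dependencies and,
    among systems that are ready, picks the most critical tier first."""
    indegree = {s: 0 for s in systems}
    dependents = defaultdict(list)
    for s, deps in depends_on.items():
        for d in deps:
            if s not in systems or d not in systems:
                raise ValueError(f"runbook references unknown system: {s} -> {d}")
            indegree[s] += 1
            dependents[d].append(s)
    ready = [(systems[s], s) for s in systems if indegree[s] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, s = heapq.heappop(ready)
        order.append(s)
        for t in dependents[s]:
            indegree[t] -= 1
            if indegree[t] == 0:
                heapq.heappush(ready, (systems[t], t))
    if len(order) != len(systems):
        raise ValueError("dependency cycle in runbook; no valid restore order")
    return order


def run_drill():
    """Constructed drill: a tiny production tree is 'backed up', restored cleanly,
    then the restore is damaged to show what the verifier reports."""
    files = {  # constructed sample data
        "db/orders.sql": b"INSERT INTO orders VALUES (1);\n",
        "web/config.yml": b"port: 8080\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        prod = os.path.join(tmp, "prod")
        restored = os.path.join(tmp, "restored")
        for root in (prod, restored):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest = build_manifest(prod)
        clean = verify_restore(manifest, restored)
        with open(os.path.join(restored, "db/orders.sql"), "ab") as f:
            f.write(b"-- tampered\n")  # simulate a corrupted restore
        os.remove(os.path.join(restored, "web/config.yml"))  # simulate a missing file
        damaged = verify_restore(manifest, restored)
    return clean, damaged


if __name__ == "__main__":
    print(run_drill())
    tiers = {"identity": 0, "payments": 0, "db": 1, "web": 1, "intranet": 3}
    deps = {"payments": ["identity", "db"], "web": ["identity"], "intranet": ["identity"]}
    print(restore_order(tiers, deps))
```

In the sample runbook, `payments` sits in the most critical tier but depends on `db`, so the sequencer brings up `identity` and `db` first and then `payments` ahead of the less critical `web` and `intranet`. A drill that returns a non-empty problem list should be treated as a failed restore test, not as a backup that "mostly works".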

Attack Vectors and Entry Points

VPNs remain a primary entry point for ransomware attacks, with 59% of incidents involving compromised VPN technology. Remote desktop applications were also frequently targeted, with SonicWall, Fortinet, Cisco, Citrix, and Palo Alto Networks being the most commonly affected vendors.

Software exploits were the leading initial access vector in ransomware incidents, accounting for 38% of cases, followed by compromised credentials at 27%. Taken together, the frequency and severity trends indicate that organizations must remain vigilant and proactive, patching internet-facing systems and protecting credentials, to stay ahead of evolving threats.
