Current Cyber Threats

Ransomware: Tactical Evolution Fuels Extortion Epidemic

Summary:
A new Symantec and Carbon Black whitepaper reveals that the cyber-extortion landscape reached unprecedented levels in 2025 as attackers adopted new business models and stealthy tactics. The report documents 4,737 ransomware attacks recorded in 2025, the highest total ever observed, and 6,182 extortion attacks overall when encryptionless, data-theft-only campaigns are included, representing a 23% increase year over year. While ransomware activity remained resilient despite the collapse of major operations such as LockBit and RansomHub, groups including Akira, Qilin, Safepay, and DragonForce rapidly expanded, absorbing displaced affiliates and sustaining attack volumes across industries.

The whitepaper highlights a tactical shift toward encryptionless extortion, pioneered by actors such as CL0P and ShinyHunters, who exploit zero-day vulnerabilities and software supply-chain weaknesses to steal sensitive data and extort victims without deploying ransomware. At the same time, attackers continue to rely heavily on legitimate “living-off-the-land” and dual-use software such as PowerShell, PsExec, remote access software, and data exfiltration utilities like Rclone to evade detection and blend into normal enterprise activity.

Security Officer Comments:
In 2025, the IT-ISAC observed similar ransomware activity levels, recording a total of 6,351 ransomware victim claims on data leak sites, reinforcing the broader industry trend of sustained high attack volumes. Notably, this activity reflects a continued shift in attacker behavior, with data exfiltration increasingly favored over encryption as the primary extortion mechanism. Many threat actors now focus on stealing sensitive data and leveraging the threat of public disclosure to pressure victims into paying a ransom. CL0P set the tone last year, when the group exploited a zero-day vulnerability in Oracle E-Business Suite to exfiltrate data and extort more than 100 organizations around the globe. Rather than relying on file encryption, the group prioritized rapid data exfiltration, a lower-risk approach that reduces attacker exposure and enables the group to impact a larger number of victims.

Suggested Corrections:
As ransomware actors shift towards encryptionless extortion, it’s important that organizations focus on safeguarding their data. Data loss prevention controls can help detect and block unauthorized data transfers, while timely patching of critical systems reduces the risk of exploitation of the vulnerabilities that ransomware actors often leverage for initial access.

Link(s):
https://www.security.com/threat-intelligence/ransomware-extortion-epidemic