Ransomware and Data-Extortion Groups Expand Pressure Tactics as Some Mass-Theft Campaigns Lose Leverage
Ransomware operations are increasingly industrialized, shifting from simple file encryption to multi-stage extortion that combines encryption, data theft/leak threats, DDoS, and in some cases direct pressure on third parties such as customers, partners, or regulators. This “quadruple extortion” model has been associated with major groups including ALPHV/BlackCat, CL0P, and LockBit, reflecting a broader trend toward scalable, high-tempo campaigns designed to maximize coercion and revenue.
At the same time, incident-response reporting indicates some zero-day-driven, downstream mass data-theft extortion campaigns—popularized by CL0P against widely used file-transfer platforms—are becoming less effective at driving payments, as organizations better understand that paying for “data suppression” does not remove notification obligations or meaningfully reduce litigation and re-extortion risk.

Separately, GuidePoint assessed with high confidence that the new “0APT” leak site’s claimed victim list is largely fabricated (or recycled from other groups) and likely intended to enable opportunistic extortion, re-extortion, or affiliate fraud. Organizations named by 0APT were advised to validate impact via concrete indicators (e.g., ransom note, encryption, direct communication) before treating the posting as evidence of compromise.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
0APT site returns with a shorter victim list
On February 9, 2026, 0APT's site reappeared with a reduced list of more than 15 large multinational companies. The change appeared aimed at making the operation look more credible after earlier allegations of fabrication.
0APT site goes offline after public scrutiny
After researchers publicly questioned its claims, 0APT's leak site went offline on February 8, 2026. The outage followed growing scrutiny over whether the group had actually breached the organizations it named.
Researchers find signs 0APT is fabricating victim evidence
By early February 2026, researchers and incident responders concluded that 0APT was likely faking many victim claims, including by presenting meaningless streamed data as supposed evidence files. At least two named organizations investigated and found no intrusion, ransom note, or direct contact attributable to the group.
0APT leak site appears and rapidly posts 200+ claimed victims
In late January 2026, the data-extortion group 0APT emerged with a leak site and listed more than 200 alleged victims in about a week. Its rapid growth initially resembled a rebrand or splinter operation before researchers identified anomalies.
CL0P claims 385 attacks within weeks in February 2025
In February 2025, CL0P reportedly took responsibility for 385 attacks within a few weeks, a volume described by TechRadar as a record for a single group in one month. The claim illustrated the industrial scale of modern extortion operations.
CRM-focused extortion attacks in 2025 are mainly attributed to ShinyHunters
During 2025, another broad extortion campaign targeting CRM-related data was attributed primarily to ShinyHunters. As with earlier mass-theft events, payments by affected downstream victims were reported to remain uncommon.
Snowflake-related mass data theft campaign hits multiple victims
In 2024, a large-scale extortion wave tied to Snowflake-related breaches affected numerous organizations, but incident responders reported that downstream victims were generally unlikely to pay. The campaign was cited as evidence that mass data-theft extortion was becoming less effective.
CL0P popularizes zero-day downstream mass data extortion
CL0P established a large-scale extortion model in which zero-day vulnerabilities, often in file transfer software, were exploited to steal data from many downstream victims and pressure them to pay for supposed deletion. This marked a shift from traditional ransomware toward mass data-theft-driven extortion.
Sources
3 references tracked.
Industrialized Ransomware: Confronting the New Reality (akamai.com)
GRITREP: 0APT and the Victims Who Weren’t (guidepointsecurity.com)
Some good news: downstream victims of mass data theft campaigns are less likely to pay - incident responders (databreaches.net)