Ransomware and Data-Extortion Groups Expand Pressure Tactics as Some Mass-Theft Campaigns Lose Leverage
Ransomware operations are increasingly industrialized, shifting from simple file encryption to multi-stage extortion that combines encryption, data theft/leak threats, DDoS, and in some cases direct pressure on third parties such as customers, partners, or regulators. This “quadruple extortion” model has been associated with major groups including ALPHV/BlackCat, CL0P, and LockBit, reflecting a broader trend toward scalable, high-tempo campaigns designed to maximize coercion and revenue.
At the same time, incident-response reporting indicates some zero-day-driven, downstream mass data-theft extortion campaigns—popularized by CL0P against widely used file-transfer platforms—are becoming less effective at driving payments, as organizations better understand that paying for “data suppression” does not remove notification obligations or meaningfully reduce litigation and re-extortion risk. Separately, GuidePoint assessed with high confidence that the new “0APT” leak site’s claimed victim list is largely fabricated (or recycled from other groups) and likely intended to enable opportunistic extortion, re-extortion, or affiliate fraud; organizations named by 0APT were advised to validate impact via concrete indicators (e.g., ransom note, encryption, direct communication) before treating the posting as evidence of compromise.
Related Entities
Threat Actors
Affected Products
Sources
Related Stories
Data-extortion ecosystem expands as ransomware groups and initial access brokers scale intrusions
**Data-extortion intrusions increased sharply last year**, with Intel 471 tracking roughly **6,800 extortion-driven attacks**—about **63% higher than 2024**—and attributing much of the growth to heightened activity from **Qilin**, **Sp1d3r Hunters**, and **Clop** operations. More than half of impacted organizations were in the **United States**, with frequent targeting of **consumer and industrial product vendors, consulting firms, and manufacturing**; Intel 471 also assessed that **initial access brokers** increasingly focused on **remote access portals** as an entry point. The same analysis noted that attackers abused a significant portion of disclosed vulnerabilities (over **40% of 520** reported bugs) and forecast that **AI** will likely *accelerate* exploitation and enable higher-ROI fraud (e.g., deepfake impersonation), even if it is not yet the primary driver of intrusions. Broader threat reporting described a **fragmenting cybercrime economy** under law-enforcement pressure, with more **new ransomware variants** derived from leaked code and a more **modular “supply chain”** of specialized services (access, laundering, negotiation) that can rapidly reconstitute after disruptions. Separate reporting highlighted how **low-tech social engineering** remains effective—such as help-desk impersonation used to reset credentials and redirect payroll—and how healthcare continues to be a favored extortion target, including the emergence of a new **“Insomnia” data-theft** brand claiming mostly US healthcare-related victims. These trends reinforce that extortion risk is being driven not only by malware families, but by **repeatable access paths** (remote access exposure, credential reuse, and service-desk process weaknesses) that enable fast monetization.
1 months ago
Ransomware and Cyber-Extortion Trends: Shift to Data Theft and Evolving RaaS Ecosystem
Cyber insurance and threat reporting indicate **ransomware operators are increasingly leaning on data theft and extortion** as organizations improve backup and recovery. Coalition’s 2025 claims data (across 100,000+ policyholders) shows **business email compromise (BEC)** and **funds transfer fraud (FTF)** dominated claims volume, while **ransomware** represented a smaller share but featured **sharply higher initial demands** (average just over **$1.0M**, with some as high as **$16M**) even as average loss severity declined—consistent with improved restoration and response reducing the leverage of pure encryption-only attacks. In parallel, the broader ransomware ecosystem continues to **reorganize rather than shrink** despite sustained law-enforcement disruption of major RaaS brands (e.g., LockBit/Hive/ALPHV), with reporting citing high victim-post volumes across dozens of active operations. Halcyon reported a **tactical shift among pro-Iranian/pro-Palestinian-aligned operators** away from *Sicarii* toward **BQTLock (Baqiyat 313 Locker)**, including promotion of “free” RaaS access via Telegram and targeting focused on the UAE, US, and Israel. Separately, **ShinyHunters** claimed a major theft from AI merchant-data platform *Woflow* (alleging internal data, PII, and transaction/order details) but provided no sample for verification at the time of reporting, while a separate SC Media piece used the **SoundCloud** incident (reported exposure of data tied to ~**29.8M** accounts) to highlight incident-response and crisis-management considerations rather than new technical findings.
1 weeks ago
Ransomware and data-extortion activity escalates, highlighted by Conduent’s expanded breach impact and new tooling by World Leaks
Reporting and research indicate **ransomware/data-extortion activity remained elevated through 2025 into early 2026**, with threat actors increasingly emphasizing **data theft, public pressure, and supply-chain leverage** rather than encryption alone. Cyble’s threat landscape findings cited by TechRepublic put 2025 at **6,604 recorded ransomware attacks** (up **52% YoY**), with **731 attacks in December** and **2,000+ claims in the last three months of 2025**; the same reporting also notes **supply-chain attacks nearly doubled**, increasing the potential blast radius when service providers are hit. A major example is *Conduent*, where the **January 2025 ransomware attack** is now assessed to have impacted **~25 million Americans** (up from an initial **10 million**), with reporting describing **~8TB of data** stolen including **Social Security numbers and medical data**, alongside days of operational disruption. Separately, Accenture-linked research reported that the **World Leaks** extortion operation added a custom Rust-based tool, **`RustyRocket`**, described as a stealthy **data-exfiltration and proxy** capability using obfuscated, multi-layer encrypted tunnels and a runtime “guardrail” requiring a pre-encrypted configuration—features intended to make detection and monitoring difficult. Broader ecosystem reporting also highlights how **data leak sites (DLSs)** and “naming-and-shaming” tactics have become central to double-extortion pressure, while a weekly incident roundup underscores continued real-world disruption from ransomware (e.g., impacts to public services) and ongoing regulatory consequences for inadequate security controls following breaches.
1 months ago