Data-extortion ecosystem expands as ransomware groups and initial access brokers scale intrusions
Data-extortion intrusions increased sharply last year, with Intel 471 tracking roughly 6,800 extortion-driven attacks—about 63% higher than 2024—and attributing much of the growth to heightened activity from Qilin, Sp1d3r Hunters, and Clop operations. More than half of impacted organizations were in the United States, with frequent targeting of consumer and industrial product vendors, consulting firms, and manufacturing; Intel 471 also assessed that initial access brokers increasingly focused on remote access portals as an entry point. The same analysis noted that attackers abused a significant portion of disclosed vulnerabilities (over 40% of 520 reported bugs) and forecast that AI will likely accelerate exploitation and enable higher-ROI fraud (e.g., deepfake impersonation), even if it is not yet the primary driver of intrusions.
Broader threat reporting described a fragmenting cybercrime economy under law-enforcement pressure, with more new ransomware variants derived from leaked code and a more modular “supply chain” of specialized services (access, laundering, negotiation) that can rapidly reconstitute after disruptions. Separate reporting highlighted how low-tech social engineering remains effective—such as help-desk impersonation used to reset credentials and redirect payroll—and how healthcare continues to be a favored extortion target, including the emergence of a new “Insomnia” data-theft brand claiming mostly US healthcare-related victims. These trends reinforce that extortion risk is being driven not only by malware families, but by repeatable access paths (remote access exposure, credential reuse, and service-desk process weaknesses) that enable fast monetization.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Intel 471 reports sharp rise in 2025 data-extortion intrusions
Intel 471 reported that data-extortion attacks reached 6,800 in 2025, about 63% higher than in 2024, with activity driven in part by Qilin, Sp1d3r Hunters, and Clop. The firm also said initial access brokers mainly targeted remote access portals and that attackers abused more than 40% of 520 reported vulnerabilities.
Recorded Future reports 2025 cybercrime fragmentation after law enforcement pressure
Recorded Future said that 2025 law enforcement takedowns, arrests, and sanctions disrupted major criminal infrastructure, but the ecosystem adapted by fragmenting into smaller, decentralized operations. Its report also noted 289 new ransomware variants in 2025, a 33% increase over 2024.
Researchers assess Insomnia as a stealthy data-theft operation
Analysts from Kela and Rapid7 reported that Insomnia appears focused on credential-based access, possible authentication-bypass exploitation, and data theft and leaking rather than disruptive ransomware encryption. Sample leaked materials reportedly included patient and other sensitive health-related information.
Binary Defense publishes analysis of payroll social-engineering case
Binary Defense ARC Labs disclosed findings from its investigation into the December 2025 payroll-diversion incident, concluding the attacker exploited help-desk processes rather than a technical vulnerability. The analysis highlighted how use of internal VDI and trusted infrastructure helped the attacker evade common detections until the physician reported missing pay.
Healthcare extortion group Insomnia emerges with 18 listed victims
By February 2026, a newly observed data-theft extortion group calling itself Insomnia had appeared on dark web leak channels and listed 18 alleged victims. More than half of the victims were tied to healthcare, with most located in the United States.
Attacker diverts physician payroll at healthcare facility
In December 2025, an attacker used compromised shared-mailbox credentials and help-desk social engineering to reset a physician’s password and MFA at a healthcare organization. The intruder then accessed the organization’s VDI and Workday payroll system to change direct-deposit details to an attacker-controlled bank account.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Report: Data extortion intrusions spike | SC Media
scworld.com
Open sourceFragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026
recordedfuture.com
Open sourcePayroll pirates conned the help desk, stole employee’s pay • The Register
go.theregister.com
Open sourceA New Data Theft Gang for the Health Sector to Lose Sleep Over
govinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware and Data-Extortion Groups Expand Pressure Tactics as Some Mass-Theft Campaigns Lose Leverage
Ransomware operations are increasingly **industrialized**, shifting from simple file encryption to multi-stage extortion that combines **encryption**, **data theft/leak threats**, **DDoS**, and in some cases direct pressure on third parties such as customers, partners, or regulators. This “quadruple extortion” model has been associated with major groups including **ALPHV/BlackCat**, **CL0P**, and **LockBit**, reflecting a broader trend toward scalable, high-tempo campaigns designed to maximize coercion and revenue. At the same time, incident-response reporting indicates some **zero-day-driven, downstream mass data-theft extortion** campaigns—popularized by **CL0P** against widely used file-transfer platforms—are becoming less effective at driving payments, as organizations better understand that paying for “data suppression” does not remove notification obligations or meaningfully reduce litigation and re-extortion risk. Separately, GuidePoint assessed with high confidence that the new “**0APT**” leak site’s claimed victim list is largely **fabricated** (or recycled from other groups) and likely intended to enable opportunistic extortion, re-extortion, or affiliate fraud; organizations named by 0APT were advised to validate impact via concrete indicators (e.g., ransom note, encryption, direct communication) before treating the posting as evidence of compromise.
Mar 21, 2026
Ransomware and data-extortion activity escalates, highlighted by Conduent’s expanded breach impact and new tooling by World Leaks
Reporting and research indicate **ransomware/data-extortion activity remained elevated through 2025 into early 2026**, with threat actors increasingly emphasizing **data theft, public pressure, and supply-chain leverage** rather than encryption alone. Cyble’s threat landscape findings cited by TechRepublic put 2025 at **6,604 recorded ransomware attacks** (up **52% YoY**), with **731 attacks in December** and **2,000+ claims in the last three months of 2025**; the same reporting also notes **supply-chain attacks nearly doubled**, increasing the potential blast radius when service providers are hit. A major example is *Conduent*, where the **January 2025 ransomware attack** is now assessed to have impacted **~25 million Americans** (up from an initial **10 million**), with reporting describing **~8TB of data** stolen including **Social Security numbers and medical data**, alongside days of operational disruption. Separately, Accenture-linked research reported that the **World Leaks** extortion operation added a custom Rust-based tool, **`RustyRocket`**, described as a stealthy **data-exfiltration and proxy** capability using obfuscated, multi-layer encrypted tunnels and a runtime “guardrail” requiring a pre-encrypted configuration—features intended to make detection and monitoring difficult. Broader ecosystem reporting also highlights how **data leak sites (DLSs)** and “naming-and-shaming” tactics have become central to double-extortion pressure, while a weekly incident roundup underscores continued real-world disruption from ransomware (e.g., impacts to public services) and ongoing regulatory consequences for inadequate security controls following breaches.
Mar 21, 2026
Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques
Reporting and research published in mid-January 2026 highlights continued **high ransomware activity** and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by *Help Net Security* reports ransomware actors claimed **4,737 attacks in 2025**, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of **RansomHub** was followed by affiliates quickly shifting to other operations, while **LockBit** failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward **extortion models that don’t rely on encryption**, emphasizing data theft and coercion as groups diversify pressure tactics. Multiple technical reports describe how attackers are improving delivery and resilience. *BleepingComputer* says **Gootloader** now uses heavily malformed ZIP files—concatenating **500–1,000** ZIP archives and manipulating ZIP structures (e.g., truncated `EOCD`)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware. *The Register* reports **DeadLock** ransomware uses **Polygon smart contracts** to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the *Session* messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales. Separately, Microsoft-observed phishing described by *KnowBe4* shows threat actors exploiting **email routing/spoofing misconfigurations** to make phishing appear internal (often leveraging **Tycoon2FA**), while ReliaQuest’s trend report and a separate write-up on **CastleLoader** describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as **ClickFix** being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.
Mar 21, 2026