Ransomware and data-extortion activity escalates, highlighted by Conduent’s expanded breach impact and new tooling by World Leaks
Reporting and research indicate ransomware/data-extortion activity remained elevated through 2025 into early 2026, with threat actors increasingly emphasizing data theft, public pressure, and supply-chain leverage rather than encryption alone. Cyble’s threat landscape findings cited by TechRepublic put 2025 at 6,604 recorded ransomware attacks (up 52% YoY), with 731 attacks in December and 2,000+ claims in the last three months of 2025; the same reporting also notes supply-chain attacks nearly doubled, increasing the potential blast radius when service providers are hit.
A major example is Conduent, where the January 2025 ransomware attack is now assessed to have impacted ~25 million Americans (up from an initial 10 million), with reporting describing ~8TB of data stolen including Social Security numbers and medical data, alongside days of operational disruption. Separately, Accenture-linked research reported that the World Leaks extortion operation added a custom Rust-based tool, RustyRocket, described as a stealthy data-exfiltration and proxy capability using obfuscated, multi-layer encrypted tunnels and a runtime “guardrail” requiring a pre-encrypted configuration—features intended to make detection and monitoring difficult. Broader ecosystem reporting also highlights how data leak sites (DLSs) and “naming-and-shaming” tactics have become central to double-extortion pressure, while a weekly incident roundup underscores continued real-world disruption from ransomware (e.g., impacts to public services) and ongoing regulatory consequences for inadequate security controls following breaches.
Related Stories

Ransomware and Cyber-Extortion Trends: Shift to Data Theft and Evolving RaaS Ecosystem
Cyber insurance and threat reporting indicate **ransomware operators are increasingly leaning on data theft and extortion** as organizations improve backup and recovery. Coalition’s 2025 claims data (across 100,000+ policyholders) shows **business email compromise (BEC)** and **funds transfer fraud (FTF)** dominated claims volume, while **ransomware** represented a smaller share but featured **sharply higher initial demands** (average just over **$1.0M**, with some as high as **$16M**) even as average loss severity declined—consistent with improved restoration and response reducing the leverage of pure encryption-only attacks. In parallel, the broader ransomware ecosystem continues to **reorganize rather than shrink** despite sustained law-enforcement disruption of major RaaS brands (e.g., LockBit/Hive/ALPHV), with reporting citing high victim-post volumes across dozens of active operations. Halcyon reported a **tactical shift among pro-Iranian/pro-Palestinian-aligned operators** away from *Sicarii* toward **BQTLock (Baqiyat 313 Locker)**, including promotion of “free” RaaS access via Telegram and targeting focused on the UAE, US, and Israel. Separately, **ShinyHunters** claimed a major theft from AI merchant-data platform *Woflow* (alleging internal data, PII, and transaction/order details) but provided no sample for verification at the time of reporting, while a separate SC Media piece used the **SoundCloud** incident (reported exposure of data tied to ~**29.8M** accounts) to highlight incident-response and crisis-management considerations rather than new technical findings.
1 week ago
Data-extortion ecosystem expands as ransomware groups and initial access brokers scale intrusions
**Data-extortion intrusions increased sharply last year**, with Intel 471 tracking roughly **6,800 extortion-driven attacks**—about **63% higher than 2024**—and attributing much of the growth to heightened activity from **Qilin**, **Sp1d3r Hunters**, and **Clop** operations. More than half of impacted organizations were in the **United States**, with frequent targeting of **consumer and industrial product vendors, consulting firms, and manufacturing**; Intel 471 also assessed that **initial access brokers** increasingly focused on **remote access portals** as an entry point. The same analysis noted that attackers abused a significant portion of disclosed vulnerabilities (over **40% of 520** reported bugs) and forecast that **AI** will likely *accelerate* exploitation and enable higher-ROI fraud (e.g., deepfake impersonation), even if it is not yet the primary driver of intrusions. Broader threat reporting described a **fragmenting cybercrime economy** under law-enforcement pressure, with more **new ransomware variants** derived from leaked code and a more **modular “supply chain”** of specialized services (access, laundering, negotiation) that can rapidly reconstitute after disruptions. Separate reporting highlighted how **low-tech social engineering** remains effective—such as help-desk impersonation used to reset credentials and redirect payroll—and how healthcare continues to be a favored extortion target, including the emergence of a new **“Insomnia” data-theft** brand claiming mostly US healthcare-related victims. These trends reinforce that extortion risk is being driven not only by malware families, but by **repeatable access paths** (remote access exposure, credential reuse, and service-desk process weaknesses) that enable fast monetization.
1 month ago
Ransomware and Extortion Trend Reporting and Threat-Activity Roundups
Multiple sources published **trend-focused reporting** on ransomware/extortion rather than describing a single discrete incident. Analyst1’s 2025 year-in-review reports a record rise in ransomware **data leak site (DLS)** postings (7,819 claims in 2025, up ~49.7% YoY), with the **U.S.** representing roughly half of observed claims and a concentration of activity among a small set of groups (e.g., **Qilin**, **Akira**, **CLOP**, **PLAY**). Ransom-DB similarly promotes ongoing “weekly trends” and group analyses (e.g., Qilin and other crews driving high weekly volumes), reinforcing that extortion ecosystems continue to scale and diversify across geographies and sectors. Several other items in the set are **not about ransomware trend reporting** and should be treated as separate stories: Kaspersky-reported supply-chain compromise of Android tablet firmware with the **Keenadu** backdoor (persistence via Android `Zygote`), Dragos reporting continued PRC-linked **Volt Typhoon/Voltzite** activity in U.S. energy/OT environments, and a Check Point weekly bulletin summarizing multiple unrelated breaches (e.g., Odido, BridgePay, Flickr, ApolloMD) plus AI-misuse research. Additional content is either **generic thought leadership** (cybersecurity predictions; secure-by-design op-ed) or **out-of-timeframe/marketing-leaning reposting** (Arete summarizing a 2020 TrickBot healthcare alert; identity-attack discussion based on an IR report), and does not materially contribute to a single cohesive event narrative.
3 weeks ago