Ransomware and data-extortion activity escalates, highlighted by Conduent’s expanded breach impact and new tooling by World Leaks
Reporting and research indicate ransomware/data-extortion activity remained elevated through 2025 into early 2026, with threat actors increasingly emphasizing data theft, public pressure, and supply-chain leverage rather than encryption alone. Cyble’s threat landscape findings cited by TechRepublic put 2025 at 6,604 recorded ransomware attacks (up 52% YoY), with 731 attacks in December and 2,000+ claims in the last three months of 2025; the same reporting also notes supply-chain attacks nearly doubled, increasing the potential blast radius when service providers are hit.
A major example is Conduent, where the January 2025 ransomware attack is now assessed to have impacted ~25 million Americans (up from an initial 10 million), with reporting describing ~8TB of data stolen including Social Security numbers and medical data, alongside days of operational disruption. Separately, Accenture-linked research reported that the World Leaks extortion operation added a custom Rust-based tool, RustyRocket, described as a stealthy data-exfiltration and proxy capability using obfuscated, multi-layer encrypted tunnels and a runtime “guardrail” requiring a pre-encrypted configuration—features intended to make detection and monitoring difficult. Broader ecosystem reporting also highlights how data leak sites (DLSs) and “naming-and-shaming” tactics have become central to double-extortion pressure, while a weekly incident roundup underscores continued real-world disruption from ransomware (e.g., impacts to public services) and ongoing regulatory consequences for inadequate security controls following breaches.

How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Accenture reports World Leaks using custom RustyRocket malware
Accenture Cybersecurity reported that World Leaks had added a previously unseen malware tool called RustyRocket to its operations. The tool provides stealthy data exfiltration, proxying, persistence, and encrypted tunneling designed to blend malicious traffic into legitimate network activity.
Conduent says no stolen data has appeared on dark web forums
As part of its response, Conduent said it implemented data protection and dark web monitoring measures. The company reported that it had not observed the stolen data appearing on dark web forums so far.
Conduent sets aside $25 million for breach response and notifications
Conduent reserved $25 million for notification and related response activities, had already spent $9 million, and expected to complete payments by early 2026. The company also said cyber insurance could cover costs above that amount within policy limits.
Oregon says 10.5 million residents were affected by Conduent breach
Oregon's attorney reportedly stated that 10.5 million residents were affected by the Conduent breach. Combined with other state disclosures, this helped push the estimated total impact to roughly 25 million individuals.
Texas breach figures for Conduent rise from 4 million to 15.4 million
Updated Texas breach reporting increased the estimated number of affected individuals tied to the Conduent incident from 4 million to 15.4 million. This was one of the major revisions that expanded the known scale of the breach.
Ransomware groups claim over 2,000 attacks in late 2025
In the final three months of 2025, ransomware groups claimed more than 2,000 attacks, including 731 in December alone. Elevated activity continued into early 2026, underscoring sustained momentum in the threat landscape.
Qilin identified as the most active ransomware group of 2025
Cyble identified the Russia-linked Qilin group as the most active ransomware operation in 2025, claiming 1,138 successful breaches. The group remained highly active into December 2025 and January 2026.
Cyble records sharp rise in ransomware activity during 2025
Cyble's annual threat report found ransomware activity surged throughout 2025, reaching 6,604 recorded attacks for the year, a 52% increase over 2024. Monthly attack volumes rose to nearly 700, with the United States accounting for 55% of attacks.
Conduent discloses incident in SEC filing with limited-impact description
In a September 30, 2025 SEC filing, Conduent said it had detected the January ransomware incident and described the impact as limited to a subset of users. Later state-level breach figures indicated the exposure was much larger than that characterization suggested.
SafePay claims responsibility for Conduent breach
The ransomware group SafePay was identified in reporting as claiming responsibility for the Conduent attack. The breach was described as involving sensitive data including Social Security numbers and medical information.
Conduent detects ransomware incident
Conduent detected a ransomware attack on January 13, 2025. The incident caused several days of operational disruption and involved the alleged theft of about 8 TB of sensitive data.
World Leaks becomes active as a data-extortion group
World Leaks began operating in early 2025 as a ransomware/extortion group focused primarily on stealing data and threatening publication rather than relying on file encryption. The group reportedly used social engineering, stolen credentials, and exploitation of exposed infrastructure for initial access.
Data leak sites emerge to support double-extortion ransomware
Ransomware groups began using dark-web data leak sites in late 2019 to pressure victims by publishing stolen data samples, victim details, and deadlines. This marked a shift toward double extortion, combining encryption with threats to expose stolen information.
Sources
Ransomware Groups Claimed 2,000 Attacks in Just Three Months (techrepublic.com)
World Leaks Ransomware Adds Custom Malware ‘RustyRocket’ to Attacks - Infosecurity Magazine (infosecurity-magazine.com)
Naming and shaming: How ransomware groups tighten the screws on victims (welivesecurity.com)
From 10M to 25M: Conduent Breach Balloons Into One of 2025’s Largest (techrepublic.com)


