Ransomware and Cyber-Extortion Trends: Shift to Data Theft and Evolving RaaS Ecosystem
Cyber insurance and threat reporting indicate ransomware operators are increasingly leaning on data theft and extortion as organizations improve backup and recovery. Coalition’s 2025 claims data (across 100,000+ policyholders) shows business email compromise (BEC) and funds transfer fraud (FTF) dominated claims volume, while ransomware represented a smaller share but featured sharply higher initial demands (average just over $1.0M, with some as high as $16M) even as average loss severity declined—consistent with improved restoration and response reducing the leverage of pure encryption-only attacks.
In parallel, the broader ransomware ecosystem continues to reorganize rather than shrink despite sustained law-enforcement disruption of major RaaS brands (e.g., LockBit/Hive/ALPHV), with reporting citing high victim-post volumes across dozens of active operations. Halcyon reported a tactical shift among pro-Iranian/pro-Palestinian-aligned operators away from Sicarii toward BQTLock (Baqiyat 313 Locker), including promotion of “free” RaaS access via Telegram and targeting focused on the UAE, US, and Israel. Separately, ShinyHunters claimed a major theft from AI merchant-data platform Woflow (alleging internal data, PII, and transaction/order details) but provided no sample for verification at the time of reporting, while a separate SC Media piece used the SoundCloud incident (reported exposure of data tied to ~29.8M accounts) to highlight incident-response and crisis-management considerations rather than new technical findings.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Leak Bazaar advertises service to monetize ransomware-stolen data
A newly advertised dark-web service called Leak Bazaar proposed processing data stolen by ransomware gangs into structured, searchable intelligence for sale or more targeted extortion. Researchers said the model could increase pressure on victims and enable follow-on crimes, though its practicality remained unproven.
Coalition reports ransomware losses fall as data theft pressure rises
Coalition published 2025 cyber insurance claims findings showing ransomware accounted for 21% of claims, with frequency flat and average loss severity down, even as initial ransom demands rose sharply. The report said improved backup recovery was reducing impact, but dual-extortion and data theft remained prevalent, with VPNs the most frequently targeted technology in confirmed ransomware intrusions.
ShinyHunters claims breach of Woflow and sets leak deadline
ShinyHunters allegedly claimed it had compromised Woflow and stolen hundreds of millions of corporate and customer records, including internal data, PII, and transaction details. The group threatened to leak the data on March 6, while Woflow had not responded publicly and no sample was provided to verify the claim.
Sicarii affiliates are redirected to BQTlock RaaS
After Sicarii's administrator said the group could not handle a surge in affiliate requests, operators were redirected to the Baqiyat 313 Locker (BQTlock) RaaS platform. Halcyon said BQTlock was being promoted via Telegram, including free access for hacktivists targeting the 'Zionist entity.'
Pro-Iranian operators are urged to use Sicarii despite defects
In late February 2026, pro-Iranian ransomware operators were pushed to use Sicarii more broadly even though the malware reportedly had defects that made decryption impossible. This marked an attempted expansion of Sicarii before operators were later redirected elsewhere.
BQTlock begins targeting organizations in UAE, US, and Israel
Halcyon reported that the pro-Iran-aligned BQTlock ransomware operation had been targeting organizations in the UAE, the United States, and Israel since July 2025. The group was described as combining political messaging with double-extortion tactics.
Sources
6 references tracked.
New criminal service plans to monetize data stolen by ransomware gangs | The Record from Recorded Future News (therecord.media)
Backup strategies are working, and ransomware gangs are responding with data theft - Help Net Security (helpnetsecurity.com)
ShinyHunters claims massive Woflow breach | brief | SC Media (scworld.com)
After LockBit: The Ransomware Market Never Shrinks | by privacyinsightsolutions.com | Mar, 2026 | OSINT Team (osintteam.blog)
Pro-Iranian Ransomware Operators Tactical Shift from Sicarii to BQTLock (halcyon.ai)
Cyber Claims Data Shows ‘New Economics’ of Cybercrime (claimsjournal.com)



