Mallory

Ransomware and Cyber-Extortion Trends: Shift to Data Theft and Evolving RaaS Ecosystem

Tags: cyber-extortion, ransomware, data theft, cyber insurance, double extortion, business email compromise, RaaS, encryption-only, claims data, law enforcement disruption, funds transfer fraud, incident response, account exposure, merchant-data, backup recovery
Updated March 6, 2026 at 06:05 PM. 4 sources.

Cyber insurance and threat reporting indicate ransomware operators are increasingly leaning on data theft and extortion as organizations improve backup and recovery. Coalition’s 2025 claims data (across 100,000+ policyholders) shows business email compromise (BEC) and funds transfer fraud (FTF) dominated claims volume, while ransomware represented a smaller share but featured sharply higher initial demands (average just over $1.0M, with some as high as $16M) even as average loss severity declined—consistent with improved restoration and response reducing the leverage of pure encryption-only attacks.

In parallel, the broader ransomware ecosystem continues to reorganize rather than shrink despite sustained law-enforcement disruption of major RaaS brands (e.g., LockBit/Hive/ALPHV), with reporting citing high victim-post volumes across dozens of active operations. Halcyon reported a tactical shift among pro-Iranian/pro-Palestinian-aligned operators away from Sicarii toward BQTLock (Baqiyat 313 Locker), including promotion of “free” RaaS access via Telegram and targeting focused on the UAE, US, and Israel. Separately, ShinyHunters claimed a major theft from AI merchant-data platform Woflow (alleging internal data, PII, and transaction/order details) but provided no sample for verification at the time of reporting, while a separate SC Media piece used the SoundCloud incident (reported exposure of data tied to ~29.8M accounts) to highlight incident-response and crisis-management considerations rather than new technical findings.

Related Stories

Ransomware and data-extortion activity escalates, highlighted by Conduent’s expanded breach impact and new tooling by World Leaks

Reporting and research indicate **ransomware/data-extortion activity remained elevated through 2025 into early 2026**, with threat actors increasingly emphasizing **data theft, public pressure, and supply-chain leverage** rather than encryption alone. Cyble’s threat landscape findings cited by TechRepublic put 2025 at **6,604 recorded ransomware attacks** (up **52% YoY**), with **731 attacks in December** and **2,000+ claims in the last three months of 2025**; the same reporting also notes **supply-chain attacks nearly doubled**, increasing the potential blast radius when service providers are hit. A major example is *Conduent*, where the **January 2025 ransomware attack** is now assessed to have impacted **~25 million Americans** (up from an initial **10 million**), with reporting describing **~8TB of data** stolen including **Social Security numbers and medical data**, alongside days of operational disruption. Separately, Accenture-linked research reported that the **World Leaks** extortion operation added a custom Rust-based tool, **`RustyRocket`**, described as a stealthy **data-exfiltration and proxy** capability using obfuscated, multi-layer encrypted tunnels and a runtime “guardrail” requiring a pre-encrypted configuration—features intended to make detection and monitoring difficult. Broader ecosystem reporting also highlights how **data leak sites (DLSs)** and “naming-and-shaming” tactics have become central to double-extortion pressure, while a weekly incident roundup underscores continued real-world disruption from ransomware (e.g., impacts to public services) and ongoing regulatory consequences for inadequate security controls following breaches.

1 month ago
Ransomware and Data-Extortion Groups Expand Pressure Tactics as Some Mass-Theft Campaigns Lose Leverage

Ransomware operations are increasingly **industrialized**, shifting from simple file encryption to multi-stage extortion that combines **encryption**, **data theft/leak threats**, **DDoS**, and in some cases direct pressure on third parties such as customers, partners, or regulators. This “quadruple extortion” model has been associated with major groups including **ALPHV/BlackCat**, **CL0P**, and **LockBit**, reflecting a broader trend toward scalable, high-tempo campaigns designed to maximize coercion and revenue. At the same time, incident-response reporting indicates some **zero-day-driven, downstream mass data-theft extortion** campaigns—popularized by **CL0P** against widely used file-transfer platforms—are becoming less effective at driving payments, as organizations better understand that paying for “data suppression” does not remove notification obligations or meaningfully reduce litigation and re-extortion risk. Separately, GuidePoint assessed with high confidence that the new “**0APT**” leak site’s claimed victim list is largely **fabricated** (or recycled from other groups) and likely intended to enable opportunistic extortion, re-extortion, or affiliate fraud; organizations named by 0APT were advised to validate impact via concrete indicators (e.g., ransom note, encryption, direct communication) before treating the posting as evidence of compromise.

1 month ago
Ransomware Activity and Related Threat Intelligence Updates

Reporting highlighted elevated ransomware activity and evolving access-broker ecosystems. BlackFog’s February ransomware roundup counted **82 publicly disclosed ransomware incidents** across **20 countries**, with the **U.S.** most affected (51 incidents) and **healthcare** the most targeted sector (31%). The report attributed publicly claimed attacks to **24 ransomware groups**, led by **Shiny Hunters** (8) and **Qilin** (6), while noting **41%** of incidents were not yet attributed; it also cited individual victim disclosures/claims involving **Nova Biomedical** (PII exposure affecting 10,764 people), **Hosokawa Micron** (files accessed; **Everest** claimed ~30GB theft), and **Iron Mountain** (Everest claim of 1.4TB theft, while Iron Mountain stated access was limited to a single marketing folder via a compromised credential). Separately, Huntress described how investigation of a “routine” **RDP brute-force** success led to discovery of credential-hunting behavior and **geo-distributed infrastructure** consistent with a **ransomware-as-a-service** ecosystem and associated initial access activity, illustrating how exposed remote access can connect to broader ransomware operations. Arctic Wolf warned of **heightened cyber risk** following the February 2026 U.S./Israel-Iran escalation (*Operation Epic Fury*), advising increased vigilance—especially for sectors historically targeted by Iranian-linked actors (e.g., energy, defense, transportation, healthcare, government)—and anticipating potential **wiper activity, DDoS, targeted intrusions, supply-chain risk**, and possible collaboration with ransomware-affiliate activity amid geopolitical retaliation dynamics.

1 week ago
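Detection logic of the kind the Huntress investigation above starts from, written here as an added example rather than Huntress's own code or data: it scans constructed Windows Security event lines for an RDP logon success (Event ID 4624, logon type 10) that follows a burst of failed logons (Event ID 4625) from the same source address. The event IDs and logon type are standard Windows values; the one-line log format, thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not from the page). 4625 = failed logon,
# 4624 = successful logon; logon type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = """\
2026-03-01T02:10:01 EventID=4625 src=203.0.113.7 user=administrator logon_type=10
2026-03-01T02:10:03 EventID=4625 src=203.0.113.7 user=admin logon_type=10
2026-03-01T02:10:05 EventID=4625 src=203.0.113.7 user=backup logon_type=10
2026-03-01T02:10:07 EventID=4625 src=203.0.113.7 user=sqlsvc logon_type=10
2026-03-01T02:10:09 EventID=4625 src=203.0.113.7 user=itadmin logon_type=10
2026-03-01T02:10:40 EventID=4624 src=203.0.113.7 user=itadmin logon_type=10
2026-03-01T08:00:00 EventID=4625 src=198.51.100.9 user=jdoe logon_type=10
2026-03-01T08:00:30 EventID=4624 src=198.51.100.9 user=jdoe logon_type=10
2026-03-01T09:00:00 EventID=4624 src=10.0.0.5 user=alice logon_type=2
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) src=(\S+) user=(\S+) logon_type=(\d+)$")

def parse_events(text):
    """Parse the constructed one-line format into (timestamp, event_id, src, user, logon_type)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, eid, src, user, ltype = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), src, user, int(ltype)))
    return events

def rdp_bruteforce_successes(text, threshold=5, window=timedelta(minutes=15)):
    """Return (src, user, failure_count) for every RDP success (4624, type 10) preceded by
    at least `threshold` failures (4625) from the same source IP inside `window`.
    Counting per source IP, not per account, also catches spraying across many usernames."""
    failures = defaultdict(list)  # src -> timestamps of failed logons seen so far
    hits = []
    for ts, eid, src, user, ltype in sorted(parse_events(text)):
        if eid == 4625:
            failures[src].append(ts)
        elif eid == 4624 and ltype == 10:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((src, user, len(recent)))
    return hits

if __name__ == "__main__":
    for src, user, n in rdp_bruteforce_successes(SAMPLE_EVENTS):
        print(f"ALERT: RDP logon success for {user} from {src} after {n} failures")
```

The second source (198.51.100.9) shows a single mistyped password before a successful logon, which stays below the default threshold; the console logon from 10.0.0.5 is ignored because it is not logon type 10.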