Decrease in data encryption through ransomware incidents, according to a recent study
Shifting Trends in Ransomware Attacks
A new report from cybersecurity firm Sophos has shed light on the evolving tactics of ransomware operators, revealing a significant shift away from data encryption and towards extortion-only attacks that rely on data exfiltration. This trend, confirmed by threat intelligence analyst Allan Liska at Recorded Future, is causing concern among security experts.
According to the report, data exfiltration was involved in 74% of ransomware cases in Q2 2025, often occurring without any encryption. This represents a decline in the use of data encryption, which dropped from 76% in 2023 to 70% in 2024. Leading ransomware actors like Hunters International have abandoned file encryption to conduct stealthier, data-only extortion attacks. Emerging groups such as Dire Wolf focus exclusively on data theft and extortion without deploying traditional encryption.
The average ransom demand in ransomware attacks has dropped by 34% over the past year, but the success rate of these attacks remains high. 53% of victims paid less than the initial ransom demand, while 18% paid more. Interestingly, less than a third of respondents who paid a ransom said the amount matched the attackers' initial demand.
The report also highlights the human consequences of ransomware attacks. 41% of IT and cybersecurity workers experienced more stress or anxiety about future attacks after responding to one. Smaller organizations (100-250 employees) are more likely to face extortion-only attacks, with 13% reporting such incidents, compared to 3% of larger organizations (3,001-5,000 employees).
However, the report from Sophos does not provide data on the percentage of extortion-only attacks in organizations with more than 5,000 employees or in smaller organizations with fewer than 100 employees. It also does not specify the initial attack vector for the majority of ransomware attacks or for extortion-only attacks.
In contrast, Recorded Future's research suggests that most ransomware attacks begin with leaked or stolen credentials, contrary to Sophos' findings that software vulnerabilities are the most common initial attack vector. The number of extortion-only cyberattacks has doubled this year, accounting for 6% of all ransomware attacks.
In response to these trends, Allan Liska suggests that organizations should consider addressing the stress and anxiety of incident responders in their incident response plans. As ransomware operators continue to evolve their tactics, it is crucial for organizations to stay vigilant and adapt their defences accordingly.
Read also:
- Industrial robots in China are being installed at a faster rate than in both the United States and the European Union, as the global market for these robots faces a downturn.
- Stock markets in India anticipated a moderate opening, influenced by mixed signals from global markets.
- Tesla's Model Y ride-sharing service halts operations in New York City
- Experienced a 4,000-mile journey in my 2025 Lexus GX 550 on Trail, found the vehicle packed with power, yet the infotainment system exhibited a disconcerting habit of resetting my personal settings arbitrarily.
