Threatonomics

The 65% shift that proves ransomware as we know it is dead

by Andrew Bayers, Director of Cyber Threat Intelligence

Why your backup strategy isn’t enough anymore

The cybersecurity industry has a terminology problem. We’re still calling it “ransomware” when the majority of attacks no longer encrypt and request a ransom for decryption as their primary weapon.

Resilience’s analysis of cyber extortion claims in our portfolio throughout 2025 reveals a dramatic acceleration in attack methods. Data theft extortion-only events rose from 49% of claims in the first half of 2025 to 65% in the second half. Across the entire year, only 13% of extortion claims involved threat actors leveraging encryption without data theft, while 57.6% involved data theft without encryption, and 29.4% employed both methods.

We also observed social engineering evolve into standard attack tradecraft in 2025. “MFA fatigue” attacks—bombarding users with push notifications until they approve access—and vishing (voice phishing) are now routine techniques that effectively neutralize technical controls by targeting human psychology rather than technical vulnerabilities.

Why attackers are abandoning encryption

The traditional ransomware model required significant operational complexity. Threat actors needed to develop or acquire encryption malware, deploy it across victim networks without detection, and maintain the infrastructure to manage decryption keys. Each step introduced technical risk and increased the chance of law enforcement intervention.

Data theft extortion offers similar financial leverage with less operational overhead. Attackers exfiltrate sensitive information (patient health records, customer data, intellectual property, financial records) and threaten to release it publicly or sell it unless the ransom is paid. The leverage comes from reputational and regulatory damage rather than operational disruption.

The three distinct attack patterns we observed

Understanding the breakdown helps clarify what defenses matter for which threats.

The 13% of attacks on Resilience portfolio clients that used encryption without data theft represent the traditional ransomware model, betting on operational disruption as leverage. For these attacks, backup and recovery capabilities remain critical.

The 57.6% that relied purely on data theft bypassed the technical complexity of ransomware deployment entirely. They focused on exfiltration, often moving laterally through networks for weeks or months to identify the most sensitive data before extraction. For these attacks, data loss prevention, network segmentation, and data classification become the critical defenses. Patient health information exfiltrated from a healthcare provider doesn’t need to be encrypted to create massive liability under HIPAA.

The 29.4% that deployed both encryption and data theft used maximum pressure tactics, threatening operational disruption and data exposure simultaneously. Organizations facing these attacks need comprehensive defenses addressing both operational resilience and data containment.

Credential theft as early warning

One of the most significant findings in our claims data connects to infostealers—tools like Lumma and Vidar that harvest credentials at scale by compromising individual devices and extracting passwords, session cookies, and authentication tokens.

Threat actors stole nearly two billion credentials in 2025 through these campaigns. And the majority of ransomware victims in the Resilience portfolio appeared in stealer logs before the main attack, marking credential theft as a critical early warning signal.

Attackers use infostealers as reconnaissance. They compromise credentials, evaluate which organizations have valuable access, and execute targeted extortion campaigns against the most promising targets weeks or months later. Session hijacking through stolen cookies allows attackers to bypass multi-factor authentication entirely.

The strategic shift required

The 65% prevalence of data theft events indicates organizations need to move from recovery-focused defenses to prevention-focused defenses. This means prioritizing data loss prevention to intercept exfiltration before data leaves the environment, implementing zero trust architecture to contain the blast radius when credentials are compromised, and monitoring for organizational credentials in stealer logs as an early indicator of incoming attacks.
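As an added example (not code from the original post or from Resilience), here is a small Python triage routine for the stealer-log monitoring recommended above: it parses constructed log lines in a loose "URL | username | secret" layout, keeps only entries that involve the organization's own domains, and ranks them by what responders should act on first (session material that bypasses MFA, logins to remote-access hosts, and passwords reused across sites). The domains, the remote-access host prefixes and the bracketed marker for session cookies are assumptions, not a real log format.

```python
from urllib.parse import urlsplit

# Constructed sample records (all values invented), in the common
# "URL | username | secret" shape of stealer-log exports.
SAMPLE_LOG = """\
https://vpn.example-health.org/login | j.doe@example-health.org | Summer2025!
https://mail.google.com | j.doe@gmail.com | hunter2
https://sso.example-health.org/ | a.smith@example-health.org | [session cookie]
https://portal.example-bank.com/auth | j.doe@example-health.org | Summer2025!
garbage line without separators
"""
ORG_DOMAINS = {"example-health.org"}  # assumed: the defender's own domains
REMOTE_ACCESS_PREFIXES = ("vpn.", "sso.", "remote.")  # assumed naming convention

def _in_org(name: str) -> bool:
    """True if a host or e-mail domain is an org domain or a subdomain of one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in ORG_DOMAINS)

def parse_stealer_log(text: str) -> list[dict]:
    """Parse 'url | user | secret' lines; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0].startswith("http"):
            continue
        url, user, secret = parts
        records.append({"host": urlsplit(url).hostname or "", "user": user, "secret": secret})
    return records

def find_org_exposure(records: list[dict]) -> list[dict]:
    """Keep records that touch the org: an org account, or a login to an org host."""
    return [r for r in records
            if _in_org(r["host"]) or _in_org(r["user"].rpartition("@")[2])]

def triage(hits: list[dict]) -> dict:
    """Rank what responders act on first: session material (bypasses MFA),
    logins to remote-access hosts, and one password reused across sites."""
    by_cred = {}
    for r in hits:
        by_cred.setdefault((r["user"], r["secret"]), set()).add(r["host"])
    reused = {u for (u, s), hosts in by_cred.items()
              if len(hosts) > 1 and not s.startswith("[")}
    return {
        "accounts": sorted({r["user"] for r in hits}),
        "session_material": sorted({r["user"] for r in hits if r["secret"].startswith("[")}),
        "remote_access": sorted({r["host"] for r in hits if r["host"].startswith(REMOTE_ACCESS_PREFIXES)}),
        "reused_passwords": sorted(reused),
    }
```

Each item in the returned dict maps to an immediate response action: invalidate sessions for `session_material`, reset and re-enrol `reused_passwords`, and review authentication logs on the `remote_access` hosts.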

Backup investments still matter for attacks that use encryption. But they’re insufficient for the majority of attacks that achieve leverage through data theft alone. Organizations need to audit whether their defensive strategies align with the current threat landscape rather than the threat landscape from previous years.
