Ransomware is changing: from encryption to data theft

28 April 2026

Ransomware has fundamentally changed. What used to be about encrypting systems and demanding payment is now increasingly about data.

Recent reports show that the willingness to pay has dropped significantly. At the same time, authorities such as ENISA and the German BSI confirm that ransomware remains one of the most serious cyber threats, with attack activity still high.

Attackers have changed their strategy — and defenders need to adapt.

Why traditional ransomware strategies are losing effectiveness

The declining willingness to pay reflects, in part, improved technical resilience. Modern backup strategies — especially those following the 3-2-1-1-0 principle — enable reliable recovery. This concept means that there are at least three copies of the data, stored across two different types of media. One copy is kept offsite, and at least one is stored in a way that prevents it from being altered or deleted (e.g. offline or immutable). The “0” refers to the requirement that backups must be regularly tested and reliably restorable.
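As an added illustration (not code from the original article or from IKARUS), the following Python check evaluates a backup inventory against the five conditions of the 3-2-1-1-0 principle described above. The data model, the sample inventories and the 30-day restore-test window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class BackupCopy:
    name: str
    media: str                         # e.g. "disk", "tape", "object-storage"
    offsite: bool                      # stored at a different location
    immutable: bool                    # offline, WORM or object-lock protected
    last_restore_test: Optional[date]  # last successful test restore, None if never

def check_3_2_1_1_0(copies: List[BackupCopy], today: date, max_test_age_days: int = 30) -> List[str]:
    """Return the list of violated rules; an empty list means the inventory complies."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, at least 3 required")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2: all copies share one media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("1: no offline or immutable copy")
    # "0": every copy needs a recent successful restore test (window is an assumption)
    stale = [c.name for c in copies
             if c.last_restore_test is None or (today - c.last_restore_test).days > max_test_age_days]
    if stale:
        findings.append(f"0: restore test missing or older than {max_test_age_days} days: {', '.join(stale)}")
    return findings

# Constructed sample inventories (not real infrastructure)
TODAY = date(2026, 4, 28)
COMPLIANT = [
    BackupCopy("primary-disk", "disk", offsite=False, immutable=False, last_restore_test=date(2026, 4, 20)),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=True, last_restore_test=date(2026, 4, 10)),
    BackupCopy("cloud-locked", "object-storage", offsite=True, immutable=True, last_restore_test=date(2026, 4, 25)),
]
WEAK = [
    BackupCopy("primary-disk", "disk", offsite=False, immutable=False, last_restore_test=date(2026, 4, 20)),
    BackupCopy("nas-replica", "disk", offsite=False, immutable=False, last_restore_test=None),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, check_3_2_1_1_0(inventory, TODAY) or ["ok"])
```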

When recovery time (RTO) and data loss (RPO) are predictable and acceptable, the economic incentive to pay a ransom disappears.

At the same time, trust in attackers has eroded. In many cases, data is still leaked even after payment, or decryption tools fail. Stricter requirements from cyber insurance providers, as well as sanctions against certain threat groups, further complicate ransom payments.

As a result, the traditional model no longer works reliably for attackers.

From encryption to data theft: the new attacker strategy

Instead of focusing primarily on encrypting systems, attackers are now increasingly focused on stealing data — and using it for extortion. ENISA highlights this trend clearly: data exfiltration and the threat of public disclosure are now core elements of many ransomware attacks.

This shift has led to the rise of “double” and “triple extortion” models. It’s no longer just about disrupting operations. Attackers extract sensitive data and use it as leverage. In some cases, they escalate further by directly contacting customers, partners, or the media, or by publishing stolen data.

The message has changed. It’s no longer: “You can’t operate your systems.” It’s: “We have your data — and we will publish it.”

This approach offers several advantages for attackers. The technical effort can be lower, especially in so-called “pure data theft” scenarios where encryption is skipped entirely. Attackers also spend less time inside the network, reducing the risk of detection.

Most importantly, the pressure on the victim is significantly higher — not just operationally, but also legally and reputationally.

How modern ransomware attacks actually work

Modern attacks are rarely quick or chaotic. Instead, they are structured and often remain undetected for days or even weeks.

Initial access typically comes through relatively simple methods: phishing emails, weak or reused passwords, or exposed services such as VPN or RDP. Once inside the network, attackers initially operate quietly, mapping the environment, collecting credentials, and gradually moving toward sensitive systems.

The critical phase is the data exfiltration. This often happens over legitimate channels such as HTTPS or via trusted cloud services, which makes it difficult to detect in day-to-day operations.

By the time the extortion begins, the data has often already left the organization.

What This Means for Your Security Strategy

In practice, this means that having reliable backups is important but no longer sufficient. The focus is shifting away from a “recovery-first” approach to a data-centric security model.

The key question is whether you can detect when data is leaving your network — and ideally stop it. This is where many environments still have gaps.

A common issue is a lack of visibility. Without proper logging and analysis of network and system activity, suspicious behavior often goes unnoticed. This includes unusual authentication patterns, sudden privilege escalations, or unexpected data transfers.

In many environments, outbound traffic is still far less strictly controlled than inbound traffic. Attackers take advantage of this deliberately. This becomes particularly critical in combination with cloud and SaaS services, which are widely used in day-to-day operations and therefore rarely questioned. They provide an ideal channel for quietly exfiltrating data from the network.

Practical Measures to Reduce Data Exfiltration Risk

  • Tight control of outbound traffic: Monitor and restrict outbound data flows. Watch for unusually large data transfers, connections to unknown services, and activity outside normal business hours.
  • Identity protection and segmentation: Since exfiltration often relies on compromised privileged accounts, securing identity systems is critical. Strengthen Active Directory (or equivalent IAM systems), enforce multi-factor authentication, apply least privilege principles, and separate administrative and user accounts. Once attackers gain privileged access, the technical barrier is often already gone.
  • Preparation for data breach scenarios: Develop an incident response plan that covers not just system outages but also data loss. This should include legal obligations (e.g., GDPR/NIS2), coordination with authorities, and communication with customers and partners.
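To make the first measure concrete, here is an added Python example (not code from the original article or from IKARUS) that runs the three outbound-traffic checks named above, unknown destinations, off-hours activity and unusually large daily volumes, over constructed flow records. The log format, the allowlist of known services, the 07:00 to 18:59 business window and the 1 GiB per-host daily threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound flow records (not real traffic): timestamp, source host, destination, port, bytes sent
FLOW_LOG = """\
2026-04-27T10:12:05 ws-017 m365.example-saas.com 443 184320
2026-04-27T10:40:11 ws-017 updates.example-vendor.com 443 921600
2026-04-27T14:03:42 srv-db01 backup.corp.example 443 734003200
2026-04-28T02:17:09 srv-fs02 198.51.100.23 443 2147483648
2026-04-28T02:19:30 srv-fs02 198.51.100.23 443 1610612736
2026-04-28T09:30:00 ws-042 share.example-cloud.net 443 1342177280
"""

# Assumed policy values: tune them to the environment's own baseline
KNOWN_DESTINATIONS = {"m365.example-saas.com", "updates.example-vendor.com",
                      "backup.corp.example", "share.example-cloud.net"}
BUSINESS_HOURS = range(7, 19)        # 07:00 to 18:59 local time
LARGE_TRANSFER_BYTES = 1024 ** 3     # more than 1 GiB per host and day is unusual here

def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        ts, host, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows

def detect_exfil_indicators(flows):
    """Return (rule, host, detail) tuples, one per distinct finding."""
    alerts, seen = [], set()
    volume = defaultdict(int)          # bytes per (host, day)

    def add(rule, host, detail):
        if (rule, host, detail) not in seen:
            seen.add((rule, host, detail))
            alerts.append((rule, host, detail))

    for f in flows:
        if f["dst"] not in KNOWN_DESTINATIONS:
            add("unknown-destination", f["host"], f["dst"])
        if f["ts"].hour not in BUSINESS_HOURS:
            add("off-hours", f["host"], f["dst"])
        volume[(f["host"], f["ts"].date())] += f["bytes"]
    # Volume is judged per host and day, so a sanctioned SaaS destination can still be flagged
    for (host, day), total in volume.items():
        if total > LARGE_TRANSFER_BYTES:
            add("large-transfer", host, f"{total} bytes on {day}")
    return alerts

if __name__ == "__main__":
    for alert in detect_exfil_indicators(parse_flows(FLOW_LOG)):
        print(*alert)
```

In the sample, the file server talking to an unknown address at night trips all three rules, while the workstation pushing 1.25 GiB to an allowlisted cloud share is caught by volume alone, which is the point made above about trusted SaaS channels.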

Conclusion: Why Data Is the Real Target Today

Ransomware has not become less dangerous; it has evolved. The decline in ransom payments is a positive development, but it should not be mistaken for victory. Attackers have adapted, shifting their focus from systems to data.

The most effective defense against modern extortion attacks is not the ability to negotiate payments, but the ability to detect and stop attacks early — or at least make data exfiltration as difficult as possible.

Ultimately, the goal is to raise the cost of an attack to the point where it is no longer economically viable.

Sources:

ENISA: https://www.enisa.europa.eu/sites/default/files/2026-01/ENISA%20Threat%20Landscape%202025_v1.2.pdf

BSI: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2025_Achtseiter.pdf?__blob=publicationFile&v=7
