Qilin: Ransomware hackers say NO to Data Exfiltration and YES to Encryption

Ransomware Tactics Shift as Operators Drop Double Extortion in Favor of Encryption-Only Attacks

A recent study by incident response firm Coveware reveals a strategic pivot among ransomware operators, with many moving away from data exfiltration and returning to encryption-focused attacks. While established cybercriminal syndicates like Clop, LockBit 3.0, and Qilin continue to employ "double extortion" (encrypting systems while also stealing and threatening to leak sensitive data), smaller or less sophisticated groups are increasingly abandoning this approach.

The shift stems from the operational and financial challenges of data exfiltration. Extracting, transferring, and storing stolen data requires significant infrastructure, including dark web leak sites, and incurs costs even if victims refuse to pay. Additionally, the market value of stolen data has plummeted, with up to 78% of exfiltrated datasets deemed low-value or redundant due to oversaturation. Much of this data, often outdated personally identifiable information (PII), is already available in bulk on underground marketplaces, reducing its leverage in extortion schemes.

For victims, paying a ransom does not mitigate regulatory or reputational risks. Data protection laws like GDPR mandate breach notifications regardless of ransom settlement, and attackers offer no guarantees that stolen data will be deleted or unused. This uncertainty weakens the coercive power of double extortion.

Improved cybersecurity defenses have also contributed to the decline. Organizations have bolstered resilience through zero-trust architectures, immutable backups, and enhanced awareness training, while law enforcement agencies, including the FBI, CISA, and the UK’s NCSC, have disrupted ransomware infrastructure and seized leak sites. These efforts increase operational risks for attackers engaging in data theft.

Despite these challenges, ransomware remains highly profitable. Coveware reports that the average ransom payment surged to $600,000 in Q4 2025, nearly doubling from $325,000 in the previous year’s Q3. While tactics evolve, the financial and operational threats posed by ransomware persist.

Source: https://www.cybersecurity-insiders.com/ransomware-hackers-say-no-to-data-exfiltration-and-yes-to-encryption/

QILIN cybersecurity rating report: https://www.rankiteo.com/company/qilin

"id": "QIL1770796893",
"linkid": "qilin",
"type": "Ransomware",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'data_breach': {'data_encryption': 'Primary focus of ransomware attacks',
                 'data_exfiltration': 'Declining due to operational challenges',
                 'personally_identifiable_information': 'Often outdated PII',
                 'sensitivity_of_data': 'Low-value or redundant data (78% of '
                                        'exfiltrated datasets)',
                 'type_of_data_compromised': 'Personally identifiable '
                                             'information (PII)'},
 'description': 'A recent study by incident response firm Coveware reveals a '
                'strategic pivot among ransomware operators, with many moving '
                'away from data exfiltration and returning to '
                'encryption-focused attacks. Smaller or less sophisticated '
                'groups are abandoning double extortion due to operational and '
                'financial challenges, while established syndicates like Clop, '
                'LockBit 3.0, and Qilin continue to use it. The shift is '
                'driven by the high costs of data exfiltration, plummeting '
                'market value of stolen data, and improved cybersecurity '
                'defenses.',
 'impact': {'financial_loss': 'Average ransom payment surged to $600,000 in Q4 '
                              '2025',
            'legal_liabilities': 'Regulatory risks under laws like GDPR'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Stolen data often sold in '
                                                    'bulk on underground '
                                                    'marketplaces'},
 'lessons_learned': 'Improved cybersecurity defenses (zero-trust '
                    'architectures, immutable backups) and law enforcement '
                    'disruptions have increased operational risks for '
                    'attackers. Paying ransoms does not mitigate regulatory or '
                    'reputational risks.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Adopt zero-trust '
                                                  'architectures, immutable '
                                                  'backups, and enhanced '
                                                  'monitoring. Collaborate '
                                                  'with law enforcement to '
                                                  'disrupt ransomware '
                                                  'operations.',
                            'root_causes': 'High costs of data exfiltration, '
                                           'plummeting market value of stolen '
                                           'data, improved cybersecurity '
                                           'defenses, and law enforcement '
                                           'disruptions.'},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': 'Declining among smaller groups',
                'ransom_paid': 'Average payment $600,000 in Q4 2025',
                'ransomware_strain': ['Clop', 'LockBit 3.0', 'Qilin']},
 'recommendations': 'Enhance resilience through zero-trust architectures, '
                    'immutable backups, and awareness training. Report '
                    'incidents to law enforcement to disrupt ransomware '
                    'infrastructure.',
 'references': [{'source': 'Coveware'}],
 'regulatory_compliance': {'regulations_violated': ['GDPR'],
                           'regulatory_notifications': 'Mandated regardless of '
                                                       'ransom settlement'},
 'threat_actor': ['Clop',
                  'LockBit 3.0',
                  'Qilin',
                  'Smaller or less sophisticated ransomware groups'],
 'title': 'Ransomware Tactics Shift: Operators Drop Double Extortion in Favor '
          'of Encryption-Only Attacks',
 'type': 'Ransomware'}