Oracle and Bling Libra: Beyond encryption: Ransomware now threatens to leak stolen data


Ransomware Evolves: Data Theft and Extortion Take Center Stage in 2025 Cyberattacks

Cybercriminals are shifting tactics, moving away from traditional ransomware encryption toward data theft and extortion schemes that leverage the threat of public exposure. According to Palo Alto Networks’ 2026 Global Incident Response Report by Unit 42, incidents involving encryption dropped to 78% in 2025, a significant decline from over 90% in prior years. Attackers now prioritize stealing sensitive data (customer records, financial details, intellectual property, and internal documents) to pressure victims into paying ransoms, knowing that leaks can trigger severe financial, legal, and reputational damage.

Several criminal groups have specialized in this approach. Bling Libra (ShinyHunters), known for compromising SaaS applications, and Hazy Scorpius (CLOP), which exploits vulnerabilities in enterprise platforms like Oracle EBS, exemplify this trend. These actors bypass encryption entirely, focusing on rapid data exfiltration as a more efficient extortion tool.

Artificial intelligence is accelerating these attacks. Cybercriminals now automate reconnaissance, vulnerability scanning, and intrusion campaigns, reducing the time from initial access to data theft to as little as 72 minutes. This speed outpaces traditional defense mechanisms, forcing organizations to bolster early detection capabilities.

Four key factors drive this shift:

  1. Improved backups and recovery systems have diminished the impact of encryption-based ransomware.
  2. Enhanced endpoint protection and automated threat disruption tools have made file hijacking less effective.
  3. Regulatory pressures, including fines, lawsuits, and reputational harm, make data leaks a more potent threat.
  4. Rapid data exfiltration allows attackers to bypass encryption while still inflicting maximum damage.

The trend disproportionately affects professional services, healthcare, and consumer-facing businesses, with medium-sized companies accounting for 64% of incidents. While manufacturing remains a top target, the construction sector saw a 44% year-over-year increase in attacks, driven by the value of bid documents, contracts, and financial forecasts.

The financial toll is steep: the average cost of data extortion incidents reached $5.08 million in 2025, with large-scale breaches exceeding $10 million. As a result, organizations are expanding security strategies beyond ransomware defenses, prioritizing SaaS access controls, phishing-resistant authentication, continuous leak monitoring, and faster incident response.

Source: https://www.escudodigital.com/en/cybersecurity/beyond-encryption-ransomware-now-threatens-to-leak-stolen-data.html

Palo Alto Networks Unit 42 cybersecurity rating report: https://www.rankiteo.com/company/unit42

Oracle cybersecurity rating report: https://www.rankiteo.com/company/oracle

"id": "UNIORA1782109726",
"linkid": "unit42, oracle",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Professional services',
                                     'Healthcare',
                                     'Consumer-facing businesses',
                                     'Construction'],
                        'size': 'Medium-sized (64% of incidents)',
                        'type': 'Medium-sized companies'}],
 'attack_vector': ['SaaS applications compromise',
                   'Exploitation of vulnerabilities in enterprise platforms '
                   '(e.g., Oracle EBS)',
                   'Automated reconnaissance and intrusion campaigns'],
 'data_breach': {'data_encryption': 'Bypassed in favor of data theft',
                 'data_exfiltration': 'Rapid data exfiltration (as little as '
                                      '72 minutes)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, financial data, '
                                        'intellectual property)',
                 'type_of_data_compromised': ['Customer records',
                                              'Financial details',
                                              'Intellectual property',
                                              'Internal documents',
                                              'Bid documents',
                                              'Contracts',
                                              'Financial forecasts']},
 'date_publicly_disclosed': '2026',
 'description': 'Cybercriminals are shifting tactics, moving away from '
                'traditional ransomware encryption toward data theft and '
                'extortion schemes that leverage the threat of public '
                'exposure. Attackers now prioritize stealing sensitive data to '
                'pressure victims into paying ransoms, knowing that leaks can '
                'trigger severe financial, legal, and reputational damage.',
 'impact': {'brand_reputation_impact': 'Severe reputational damage',
            'data_compromised': ['Customer records',
                                 'Financial details',
                                 'Intellectual property',
                                 'Internal documents',
                                 'Bid documents',
                                 'Contracts',
                                 'Financial forecasts'],
            'financial_loss': '$5.08 million (average), exceeding $10 million '
                              'for large-scale breaches',
            'legal_liabilities': ['Fines', 'Lawsuits']},
 'initial_access_broker': {'reconnaissance_period': 'Automated (as little as '
                                                    '72 minutes from initial '
                                                    'access to data theft)'},
 'lessons_learned': 'Organizations need to bolster early detection '
                    'capabilities, expand security strategies beyond '
                    'ransomware defenses, and prioritize SaaS access controls, '
                    'phishing-resistant authentication, continuous leak '
                    'monitoring, and faster incident response.',
 'motivation': ['Financial gain', 'Extortion'],
 'post_incident_analysis': {'root_causes': ['Improved backups and recovery '
                                            'systems reducing encryption '
                                            'impact',
                                            'Enhanced endpoint protection '
                                            'making file hijacking less '
                                            'effective',
                                            'Regulatory pressures increasing '
                                            'the potency of data leaks',
                                            'Rapid data exfiltration allowing '
                                            'attackers to bypass encryption']},
 'ransomware': {'data_encryption': '78% of incidents (down from over 90% in '
                                   'prior years)',
                'data_exfiltration': 'Primary focus of attacks'},
 'recommendations': ['Bolster early detection capabilities',
                     'Expand security strategies beyond ransomware defenses',
                     'Prioritize SaaS access controls',
                     'Implement phishing-resistant authentication',
                     'Enhance continuous leak monitoring',
                     'Improve incident response speed'],
 'references': [{'source': 'Palo Alto Networks’ 2026 Global Incident Response '
                           'Report by Unit 42'}],
 'regulatory_compliance': {'fines_imposed': 'Potential fines due to data leaks',
                           'legal_actions': 'Lawsuits'},
 'response': {'enhanced_monitoring': 'Continuous leak monitoring, faster '
                                     'incident response'},
 'threat_actor': ['Bling Libra (ShinyHunters)', 'Hazy Scorpius (CLOP)'],
 'title': 'Ransomware Evolves: Data Theft and Extortion Take Center Stage in '
          '2025 Cyberattacks',
 'type': ['Data Theft', 'Extortion'],
 'vulnerability_exploited': ['Vulnerabilities in enterprise platforms like '
                             'Oracle EBS',
                             'Phishing']}