Ransomware groups are reconsidering their strategies as data theft proves less effective in extorting victims. According to a recent report by Coveware, cybercriminals may increasingly turn back to data encryption to reclaim leverage in their attacks.
Shift from Data Theft to Encryption
Initially, prominent groups like Cl0p found success with data-exfiltration-focused attacks, targeting enterprises without encrypting their data. This method, which involved exploiting vulnerabilities in popular enterprise solutions such as MOVEit and Oracle E-Business Suite, yielded significant ransom payouts at first.
However, the success rate has diminished over time. Coveware highlights that less than 2.5% of those affected by the MOVEit breach opted to pay, compared to higher payment rates in earlier campaigns like the Accellion hack, where over 25% of victims paid. This decline is attributed to increased enterprise awareness regarding the limited benefits of paying ransoms.
Financial Results and Changing Tactics
The diminishing returns from data theft have led groups like Shiny Hunters to adopt similar tactics, albeit with disappointing financial outcomes. In high-profile cases involving companies like Snowflake and Salesforce, ransom payments were scarce.
Coveware anticipates a return to data encryption as a more effective method for extorting victims, given its historical success in driving ransom payments. Encryption disrupts business operations more significantly, providing cybercriminals with greater leverage.
Trends in Ransom Payments
Despite a low willingness to pay ransoms, the average payment amount surged to approximately $600,000 in the fourth quarter of last year, reflecting isolated incidents where businesses prioritized decryption to restore operations swiftly.
These high-value incidents, however, do not indicate a widespread increase in payment willingness. Instead, they underscore the challenges small and mid-sized businesses face, as evidenced by the median payment amount of $325,000.
Ransom payments accounted for around 20% of incidents in late 2025, driven by the impact of specific attacks rather than a broad resurgence in payment trends.
Resilience and Future Outlook
Organizations are demonstrating increased resilience against encryption-based ransomware attacks, often restoring operations without succumbing to ransom demands. Nevertheless, ransomware activity remains robust, with groups like Akira leading the charge with 14% of observed attacks in the last quarter.
Coveware’s report notes that sectors such as professional services, healthcare, and technology are frequently targeted. Each avoided ransom payment undermines the cyber extortion ecosystem, emphasizing the importance of improved prevention and strategic response in eroding attacker economics.
As ransomware groups adapt to these challenges, the cybersecurity landscape is poised for continued evolution, with organizations urged to bolster their defenses against both encryption and data theft threats.
