Ransomware hackers say NO to Data Exfiltration and YES to Encryption – Cybersecurity Insiders
Ransomware operators appear to be recalibrating their tactics, with a noticeable shift away from large-scale data exfiltration and toward a renewed emphasis on file encryption. According to a study conducted by incident response firm Coveware, only well-established cybercriminal syndicates—such as Clop, LockBit 3.0, and Qilin—continue to systematically employ “double extortion” strategies. In double extortion campaigns, attackers both encrypt victim systems and exfiltrate sensitive data, threatening public disclosure if ransom demands are not met. In contrast, smaller or less sophisticated groups are increasingly focusing solely on encryption-based attacks.
The research suggests that many emerging ransomware actors initially adopted data exfiltration after observing its apparent success among major gangs. However, exfiltration introduces additional operational complexity, including data staging, secure transfer, storage infrastructure, and management of leak sites on the dark web. When victims refuse to pay—or when negotiations collapse—these actors incur sunk costs related to infrastructure and exposure risk without guaranteed financial return. As a result, some groups appear to be reverting to encryption-only models, which require fewer resources and present a narrower operational footprint.
Another factor influencing this shift is the declining market value of stolen data. Buyers on underground marketplaces increasingly scrutinize datasets before purchase, often using automated validation tools to assess accuracy, recency, and uniqueness. Industry analysis indicates that a substantial proportion—reportedly up to 78%—of exfiltrated datasets are deemed low-value or redundant. Much of the data originates from previously compromised or publicly dumped databases, which can be acquired in bulk for relatively low prices. Such datasets frequently contain outdated personally identifiable information (PII), including names, email addresses, phone numbers, and location data. As supply saturates the market, marginal utility declines, reducing the economic incentive for exfiltration-centric campaigns.
From the victim’s perspective, ransom payment does not eliminate regulatory, legal, or reputational risk. Data protection frameworks such as GDPR and other breach notification laws impose obligations regardless of ransom settlement. Moreover, there is no technical guarantee that attackers will delete exfiltrated data or refrain from future exploitation. This uncertainty weakens the coercive leverage of double extortion.
Improved defensive maturity also plays a role. Heightened media coverage, structured cybersecurity awareness training, adoption of zero-trust principles, and investment in disaster recovery and immutable backup solutions have strengthened organizational resilience. Additionally, coordinated efforts by law enforcement agencies—including the FBI, CISA, and the UK’s NCSC—have disrupted infrastructure, tracked cryptocurrency flows, and occasionally seized leak sites. These actions increase operational risk for attackers engaging in data theft and publication.
Despite these developments, ransomware remains financially lucrative. Coveware reports that the average ransom payment rose to approximately $600,000 in the fourth quarter of 2025, up from $325,000 in the previous year’s third quarter. This increase underscores that while tactics may evolve, the ransomware threat landscape continues to present significant financial and operational risk to organizations worldwide.

