There was a time when ransomware was loud. Attackers wanted you to know they were inside. Screens turned red, files were encrypted, and ransom notes appeared everywhere. The strategy was volume: infect as many machines as possible, demand payment from as many victims as you could reach, and move on.
That playbook is changing. Today, a growing number of ransomware operators are doing the opposite. They are choosing fewer targets, moving more quietly, and causing significantly more damage when they finally strike. In 2025, researchers at Seqrite Labs, India’s largest malware analysis facility, recorded 265.52 million detections across over 8 million endpoints, averaging 505 detections every minute. Yet within that noise, the more worrying trend is the shift towards stealth – towards low-volume, high-impact campaigns designed for persistence rather than disruption.
What changed is not the technology alone. It is the economics. Attackers realised that mass-scale encryption draws attention. It triggers incident response, law enforcement involvement, and public scrutiny. A quieter approach that leverages silent infiltration, long-term reconnaissance, and selective deployment against high-value targets produces better returns with lower risk.
How these attacks work
The modern ransomware operator behaves less like a vandal and more like a patient intruder. Initial access is typically through credential theft, phishing, or an unpatched vulnerability. Instead of encrypting immediately, the attacker moves laterally, maps the network, identifies critical systems, and exfiltrates sensitive data over weeks or months.
When the payload is finally deployed, it is surgical. It hits operational choke points such as Active Directory servers, backup systems, customer databases, or supply chain nodes, where encryption causes maximum business disruption. Because the attacker has already stolen data, the threat extends beyond downtime. It becomes double extortion: pay for decryption, or we leak what we took.
This is why recovery has become harder. Organisations are not just restoring from backup. They are managing data breaches, regulatory notifications, customer trust erosion, and in some cases, physical operational shutdowns. The attack surface has not grown only in size; it has grown in interconnectedness. One compromised vendor or cloud workload can cascade into a broader compromise that takes days or weeks to fully contain.
Cryptojacking and the stealth monetisation trend
Running parallel to this is another quiet trend: cryptojacking. Attackers hijack enterprise computing resources to mine cryptocurrency, often without the organisation knowing for months. There is no ransom note, no visible disruption; just degraded performance, inflated cloud bills, and an unexplained strain on infrastructure.
What makes cryptojacking significant is what it signals. It means the attacker has access. It means they have found a gap, established persistence, and are comfortable enough to remain inside without triggering alarms. That same access can be repurposed for data theft, surveillance, or a future ransomware deployment. It is a low-risk foothold that can escalate at any time.
Together, selective ransomware and cryptojacking reflect a broader transformation in cybercrime economics. The goal is no longer disruption for its own sake. It is silent monetisation: extracting value from compromised infrastructure over time, with minimal visibility.
What organisations need to do differently
The uncomfortable truth is that many ransomware groups now operate with the discipline of startups: playbooks, tooling, support channels, and revenue goals. Meanwhile, a lot of organisations still treat security as an afterthought, or as a checklist for audits. That imbalance is exactly what low-volume, high-impact attackers are exploiting.
The answer is not to chase perfection. Breaches will happen. Credentials will leak. A supplier will get compromised. The real test is how resilient the organisation is when – not if – something breaks.
In practice, that means a few mindset shifts:
- From “Can we block every attack?” to “How quickly can we detect and contain abnormal activity?”
- From perimeter controls to continuous visibility across identities, endpoints, networks and data.
- From static backups to tested recovery plans that assume part of the environment is already hostile.
- From treating ransomware as an IT issue to treating it as a business continuity and board-level risk.
Low-volume, high-impact ransomware is a reminder that cybercrime has finished its transition from prank to profession. The volume may no longer look alarming at first glance. The damage certainly does. There is an urgent need to look beyond the firewall, because digital risk now lives on fake domains, scam apps, impersonated social profiles and leaked credentials. Digital Risk Protection Services (DRPS) are becoming essential to monitor that external footprint and take down threats before they ever reach the corporate network.
Organisations that will survive this phase are not the ones with the loudest security slogans. They are the ones that quietly build resilience into every layer, treat security as part of strategy, and assume that somewhere, someone is already testing their defences.
Disclaimer: The views expressed in this article are those of the author/authors and do not necessarily reflect the views of ET Edge Insights, its management, or its members.
