Google is warning that ransomware gangs are reinventing their business model as traditional encryption‑for‑ransom attacks become less profitable and data‑theft extortion surges.
Better cybersecurity controls, improved backup strategies, and stronger recovery capabilities mean more victims can restore their systems without paying, directly eroding criminal revenue.
Public reporting also shows that both ransom payment rates and average demand amounts have dropped in the last two years, pushing operators to compensate by increasing pressure on victims.
At the same time, the number of posts on ransomware data leak sites (DLS) hit a record in 2025, with nearly 50% more victim listings than in 2024.
These shaming sites mainly expose organizations that refuse to negotiate or pay, so the spike in listings likely reflects both falling payment rates and a deliberate pivot toward reputational damage as leverage.
According to Google’s Threat Intelligence Group and Mandiant incident response data, multiple indicators show that overall ransomware profitability is declining, even as the volume of extortion operations remains high.
Shift to Data Theft Extortion
Google reports a sharp rise in intrusions where attackers steal data before, or even instead of, deploying ransomware.
In 2025, about 77% of analyzed ransomware incidents included suspected or confirmed data theft, up from 57% in 2024.
FUNKSEC was the highest-volume DLS; however, many of the associated incidents appeared to be lower-impact events in which websites were compromised for data theft extortion.

Some ransomware‑as‑a‑service (RaaS) programs now explicitly offer “data‑theft‑only” options alongside traditional lockers, signalling demand from affiliates who see pure extortion as lower risk and more reliable for monetization.
Threat actors are systematically targeting legal, HR, accounting, business development, and cloud collaboration platforms such as SharePoint and Microsoft 365 to find high‑impact, high‑leverage data.
Tools like Rclone, MEGASync, WinRAR, 7‑Zip, FileZilla, and WinSCP are routinely abused to stage and exfiltrate archives to attacker‑controlled infrastructure and cloud storage accounts on Azure, AWS, MEGA, OneDrive, and others.
The dominance of the long-standing Qilin and Akira brands in 2025 demonstrates the resilience of ransomware actors and their ability to fill voids following takedowns and exit scams of competing RaaS operators.

In some cases, scripts automatically compress and upload specific file types to services such as MEGA and Azure Blob Storage to streamline extortion‑ready data theft at scale.
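An added example, not from Google's report or the original article: a Python detection for the staging-and-exfiltration pattern described above, flagging a transfer tool that starts on a host shortly after an archiver ran there. The log format, executable file names, 30-minute window, and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Tools named in the article; the executable file names are assumptions.
ARCHIVERS = {"winrar.exe", "rar.exe", "7z.exe", "7za.exe"}
TRANSFER = {"rclone.exe", "megasync.exe", "filezilla.exe", "winscp.exe"}
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

# Constructed process-creation events: timestamp|host|user|image path
SAMPLE_EVENTS = r"""
2025-03-04T01:12:09|FIN-WS07|svc_backup|C:\Program Files\7-Zip\7z.exe
2025-03-04T01:19:41|FIN-WS07|svc_backup|C:\ProgramData\rclone.exe
2025-03-04T09:02:10|DEV-WS02|alice|C:\Program Files\7-Zip\7z.exe
2025-03-04T13:40:00|DEV-WS02|alice|C:\Program Files\FileZilla FTP Client\filezilla.exe
2025-03-04T14:30:00|OPS-WS11|bob|C:\Program Files (x86)\WinSCP\WinSCP.exe
"""


def parse(text):
    """Yield (time, host, user, lowercase executable name) per event line."""
    for line in text.strip().splitlines():
        ts, host, user, image = line.split("|")
        yield datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()


def find_stage_then_transfer(events, window=WINDOW):
    """Flag a transfer tool started on a host soon after an archiver ran there."""
    last_archive = {}  # host -> (time, tool) of the most recent archiver run
    alerts = []
    for ts, host, user, exe in sorted(events):
        if exe in ARCHIVERS:
            last_archive[host] = (ts, exe)
        elif exe in TRANSFER and host in last_archive:
            a_ts, a_exe = last_archive[host]
            if ts - a_ts <= window:
                alerts.append({
                    "host": host, "user": user, "archiver": a_exe,
                    "transfer": exe, "gap_seconds": int((ts - a_ts).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_stage_then_transfer(parse(SAMPLE_EVENTS)):
        print(alert)
```

Archivers and transfer clients are common in legitimate administration, so a rule like this works best when scoped to hosts and accounts where the pairing is unexpected.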
Facing stronger defenses at large enterprises, many ransomware crews are shifting their focus to smaller organizations with weaker security maturity.
Analysis of data leak site victims shows a growing proportion of targets with fewer than 200 employees, and actors themselves have commented in leaked chats that smaller networks can be more profitable overall.
Technically, operators continue to rely heavily on exploiting edge infrastructure, including VPNs and firewalls from vendors such as Fortinet, SonicWall, Palo Alto, and Citrix, as well as misconfigured remote access, credential theft, and brute-force attacks for initial entry.
They are also increasingly targeting virtualized environments, with about 43% of 2025 ransomware intrusions involving ESXi or other virtualization platforms, often with automated scripts to change root passwords, enable SSH, shut down VMs, delete backups, and then deploy payloads such as BABUK‑based variants or RIFTTEAR.
Adapting with AI and Web3
To maintain resilience against takedowns and improve operational efficiency, some groups are experimenting with Web3 and AI.
UNC5833 gained access from an initial access partner who impersonated a helpdesk user and, via a Microsoft Teams chat session, socially engineered an employee into installing Quick Assist.

Certain RaaS offerings claim to host negotiation portals on blockchain‑based infrastructure or smart contracts to withstand takedowns and avoid Tor dependence.
Others advertise AI‑assisted features to profile victims, guide negotiation strategy, or optimize messaging, aiming to squeeze maximum payment from fewer successful intrusions.
Despite law‑enforcement disruptions that hit major brands like LockBit, ALPHV, and RansomHub, established RaaS lines such as Qilin and Akira quickly filled the vacuum, and 2025 still recorded more victims than any previous year.
Google warns that while classic “encrypt‑and‑restore” ransomware remains a dominant operational threat, the economic pivot toward large‑scale data theft and multi‑layered extortion will likely intensify in 2026, especially against smaller organizations that lack robust backup and incident‑response capabilities.
