Cybercriminals Pivot to Data Theft Extortion: A Shift in Tactics
Recent research from cyber insurer Resilience has revealed a significant transformation in the tactics employed by cybercriminals, particularly highlighting an alarming trend away from traditional ransomware methods. In an analysis covering the latter half of 2025, it was found that a substantial 65% of extortion claims did not involve encryption—up from 49% in the earlier half of the year. By December of that year, only 13% of the examined cases utilized encryption to demand ransom, while a staggering 87% of these ransomware-related insurance claims stemmed solely from data theft.
This shift indicates a fundamental change in how attackers operate. Historically, ransomware attacks involved encrypting a victim’s data and then promising to provide a decryption key upon payment. This created a black-and-white transaction: a clear exchange in which victims could ascertain their potential recovery. In stark contrast, modern extortion attacks revolve around the threat of publishing, selling, or disseminating stolen information. Victims are coerced into paying for an unverifiable promise: the assurance that their compromised data will be deleted. This new tactic complicates decision-making for organizations under threat, because paying carries greater risk.
Data from Resilience further illustrates the limited effectiveness of yielding to extortionists. Among organizations that opted to pay ransoms in hopes of preventing data leaks, 30-40% ultimately still experienced their information being published or disseminated. In contrast, entities that decided against payment did not fare significantly better, facing leak rates of 40-50%. The narrow margin between these outcomes, alongside evidence suggesting that paying ransoms may actually mark organizations for subsequent attacks, bolsters arguments against capitulating to extortion demands. Jud Dressler, director of the Resilience Risk Operation Centre, noted that organizations are essentially financing an untrustworthy promise from criminals, pointing out the lack of honor among thieves.
The scale of this threat is growing at an alarming rate. A report issued in January 2025 documented nearly 1,500 data theft extortion incidents, a stark contrast to just 28 the year prior. Such a dramatic increase has compelled organizations—along with their insurers—to revisit and re-evaluate both their prevention strategies and frameworks for incident response. The financial ramifications of such attacks extend well beyond immediate ransom payments. Organizations must also contend with potential regulatory penalties, legal costs, customer attrition, and the long-term impact on their reputations.
In light of these evolving threats, Resilience advocates that organizations focus on prevention rather than recovery. They recommend implementing data loss prevention technologies and adopting zero trust architectures, which can significantly mitigate exposure resulting from compromised credentials. Businesses are encouraged to formulate decision-making frameworks ahead of potential incidents, including pre-arranged legal counsel and incident response teams with clearly defined authority for payments. Additional proactive measures suggested by Resilience include storing insurance policy documents outside of primary networks, conducting tabletop exercises to evaluate responses to extortion scenarios involving legal and executive teams, and meticulously tracking the financial consequences of both paying and refusing ransom demands to guide future decision-making.
As cybercriminal tactics continue to evolve, it becomes increasingly vital for organizations to adopt a strategic approach to cybersecurity. The shift towards data theft extortion not only complicates the landscape for victims but also underscores the need for comprehensive preventive measures. Building a robust security framework is essential, allowing organizations to better navigate the complexities of modern cyber threats while safeguarding their data and reputations in an increasingly hostile digital environment. The reality is that, as the landscape of cybercrime transforms, preparedness and prevention must take center stage in any organization’s risk management strategy.

