Good-bye encryption-based ransomware attacks: Cybercriminals adjust their tactics

By David Gambrill | February 25, 2026 | Last updated on February 25, 2026

In response to companies beefing up their data back-up systems, cybercriminals have adjusted by bypassing data encryption altogether and simply stealing data directly — issuing extortion threats based on promises to suppress the release of the stolen data.

“Organizations must move from recovery-focused strategies (backups and incident response) to prevention-focused strategies (data loss prevention, zero trust architecture, encryption at rest, and identity containment),” says the Resilience 2025 Cyber Risk Report.

The report shows the percentage of extortion-only attacks rose from 49% in the first half of 2025 to 65% in the second half of last year. Resilience, a San Francisco-based cyber risk company, says the extortion-only attack vector, without data encryption, may represent the majority of extortion incidents by the end of 2026.

It’s a matter of cybercriminals quickly shifting tactics, based on the rise of data back-up and recovery protection as a way to prevent data encryption threats.

“As authorities successfully disrupted major ransomware operations and organizations improved backup capabilities, threat actors adapted by simplifying their approach: steal data, threaten to publish it, collect payment,” the report says. “No need for complex encryption tools, no need to maintain decryption infrastructure, and critically, no way for victims to recover through security operations alone.”

Sometimes, threat actors will steal the data, demand a ransom in exchange for suppressing publication of the data, collect the ransom, and then publish the data anyway.

This leads to a long-tail claim with increasing severity, because class action lawyers will sue the hacked company, arguing that the company just paid cybercriminals a ransom and paid the victim claimants nothing.

“This legal pressure, combined with the ‘no honor among thieves’ reality — where threat actors continued selling data they were paid to suppress — makes the tail risk on ransom events a growing underwriting concern,” the Resilience report states.

The cybercriminals’ shifting tactics mean their targets are shifting as well. They are going after business sectors where the exposure of data would lead to reputational damage and costly regulatory intervention.

Three business sectors — health care, manufacturing, and retail — accounted for 68% of all portfolio losses, the report notes, although each business vertical showed different cyber attack patterns and outcomes.

Healthcare remains the highest-severity sector, the report notes, even though the frequency of data theft is low.

“The per-incident impact is more extreme due to the high concentration of sensitive data,” the report notes. “Electronic Health Records (EHR) hold long-term criminal value far exceeding credit cards on dark web markets, while life-critical operations create extortion leverage that few other industries face.”

Manufacturing, on the other hand, was most frequently attacked, although the severity declined by 29% between 2024 and 2025.

“The persistence of manufacturing as the top target reflects fundamental vulnerabilities: just-in-time supply chains create extortion pressure as every hour of downtime disrupts customer deliveries, antiquated systems and deficiencies in IT/OT security, and downstream partners demand rapid restoration to maintain their own operations,” Resilience’s report states.

Retail jumped from almost “zero material losses” in 2024 to the second-highest average severity in the portfolio.

“This dramatic escalation was driven almost entirely by Scattered Spider’s May 2025 campaign targeting major U.K. retailers (Marks & Spencer, Co-op, Harrods) before spreading to U.S. retailers (Victoria’s Secret, Adidas),” the report states. “The M&S incident exemplified the devastating impact: 45 days to recover online ordering functionality, with losses exceeding £40 million (roughly $74 million per week….

“The attack exposed sector-wide vulnerabilities: under-resourced security teams relative to IT complexity, heavy dependence on third-party payment and e-commerce systems, and massive volumes of customer data.”

David Gambrill

David has twice served as Canadian Underwriter’s senior editor, from 2005 to 2012 and again from 2017 to the present.