⌘ K
Partner with us
Insights
All insightsResourcesAboutTalk to usPartner with us

Ransomware Stopped Encrypting Your Files. That's the Bad News.

Modern ransomware now focuses on data theft, extortion, leaks, and business disruption, making traditional backup-only defenses less effective.

6 min read

Ransomware Stopped Encrypting Your Files. That's the Bad News.
RANSOMWARE · CYBERSECURITY

You spent a decade learning to recover. Attackers responded by changing the question. The threat is no longer "you can't get your data back." It's "everyone else is about to get a copy."


The ransomware playbook that defined the last decade had a clean logic. Lock the files, demand payment for the key, collect. Defenders eventually found the counter: rigorous, tested, immutable backups. If you could restore, you could refuse to pay. The industry built an entire posture around that single insight, and it worked well enough that the numbers started moving in the right direction.

Then the economics turned. Ransom payments fell roughly 35 percent in 2024, dropping to about $813.55 million from a 2023 record near $1.25 billion, according to Chainalysis. The share of victims who paid fell to around 28 percent in 2025. Average payments dropped to roughly $1 million that year, about half the prior year's $2 million, with the median far lower at around $115,000. Read superficially, that looks like a win. It is not. It is a market signal, and the attackers read it before most boards did.

When fewer people pay to get their files back, the people who steal files for a living do the obvious thing. They stop selling the key and start selling your silence.

Encryption was always the means, not the point

Double extortion has been the norm for a while now. Around 87.6 percent of ransomware claims involve both encryption and data exfiltration. But the encryption half of that pair is becoming optional. SentinelOne and other researchers flag a clear move toward encryption-less extortion: steal the data quietly, skip the noisy lockup entirely, and threaten to leak unless paid. No alarms tripping as drives encrypt. No restoration race. Just a calm message that says we have your customer records, your contracts, your unannounced acquisition, and we will publish on a timer.

This reframes ransomware as something it was never really about: it becomes a data-protection and privacy incident wearing an old name. And it quietly demolishes the value of the control we spent years perfecting. A flawless backup answers exactly one question. It restores availability. Against a pure-leak threat, availability was never in danger.

A decade of "back up everything" advice solved availability beautifully. The new attacks don't touch availability. Your perfect restore is a fire extinguisher aimed at a flood.

The proof of where this is heading came from the attackers themselves. When the LockBit operation was disrupted, investigators found it had retained stolen data regardless of whether victims paid. The promise to delete was never real. Which means even organizations that paid the old encryption ransom were already exposed to the new one, and the payment bought them nothing but a forged receipt.

The control that mattered no longer matters

It is worth naming the contrarian point plainly, because it cuts against orthodoxy that is still being preached. "Back up everything" was correct advice for the wrong threat. It made you resilient to losing access to your data. It did precisely nothing to make you resilient to your data being copied and published. Those are different problems with different controls, and the second one was largely ignored while everyone congratulated themselves on their recovery point objectives.

Visual 1 — How the ransomware model shifted

Dimension

Old model: encrypt + ransom

New model: exfiltrate + extort

What is attacked

Availability of your systems

Confidentiality of your data

Do backups help?

Yes — restore and refuse to pay

No — the data is already copied and gone

What payment buys

A decryption key (verifiable)

A promise to delete (unverifiable)

Key control

Immutable, tested backups

Data minimization, encryption at rest, exfil detection

How it feels

Loud — systems lock, alarms fire

Quiet — data leaves before anyone notices

How to read it: Every defensive assumption that made backups the answer flips in the right-hand column. When the attack targets confidentiality rather than availability, restoration is irrelevant and the only leverage is reducing what can be stolen and detecting it leaving.

The cost picture has not softened to match the falling payments. Average total incident cost still runs between roughly $1.8 million and $5 million once you fold in investigation, legal exposure, regulatory notification, and the slow bleed of customer trust after a leak. Paying the ransom was never the expensive part. The expensive part is what happens after your data is in someone else's hands, and that bill arrives whether you pay or not.

What this means for leaders

Move your defensive center of gravity from recovery to exposure. The questions that mattered last decade — how fast can we restore, how clean are our backups — are necessary but no longer sufficient. The questions that matter now are different: how much sensitive data do we actually hold, where is it, and would we even notice it leaving the building. Reorient your security investment accordingly, because a leak you cannot detect is a leak you cannot price.

Treat data minimization as a security control, not a compliance chore. The single most effective defense against a leak-based extortion is having less worth leaking. Every dataset you retain past its usefulness, every copy nobody remembers, every export sitting in a forgotten bucket is unpriced extortion leverage handed to an attacker. Aggressive retention discipline and encryption at rest shrink the blast radius before the attack ever begins.

Decide your leak-extortion posture now, in calm conditions, not at 2 a.m. during an incident. Because paying buys only an unverifiable promise to delete — and LockBit demonstrated that promise is worthless — your default answer should be near-settled before the demand lands. Brief your board that recovery readiness and breach readiness are now separate disciplines, and that being able to restore says nothing about whether you can survive what gets published.

The falling ransom numbers are not the industry winning. They are the sound of a business model adapting to defenders who finally got good at the old game. Attackers conceded the territory we defended well and moved to ground we never fortified. The files are safe. The secrets are not, and the secrets were always the point.


A BusinessInfomatics original. Drawn from Chainalysis crypto-crime data, TechTarget reporting, and SentinelOne and Securelist 2026 ransomware analysis.

Tagged

#ransomware#cybersecurity#data-theft#business-risk#threat-intelligence