Ransomware's Return to Encryption

KEY STATISTICS

  • <2.5%: MOVEit victims who paid ransom
  • ~25%: Accellion victims who paid (2021)
  • ~0%: Paid in Cleo & Oracle EBS breaches

For a few years, ransomware groups seemed to have found a smarter play: steal data, skip the encryption, and watch the ransom payments roll in. It worked brilliantly — until it didn’t. Now, with extortion-only economics in freefall, threat actors are returning to the double-threat model that made them so feared in the first place.

How the Shift Happened

The data-exfiltration-only playbook was popularized by Cl0p, a group that turned zero-day exploitation into an assembly line. The formula was elegant in its simplicity: find a critical vulnerability in a widely used enterprise file transfer or storage product, exploit it at scale before anyone could patch, siphon data from as many victims as possible, and demand silence money.

In 2021, this approach paid off spectacularly. During the Accellion campaign, Cl0p breached dozens of organizations and roughly a quarter of them paid up. The group repeated the trick with GoAnywhere MFT, where about one in five victims settled. These weren’t small scores — the group likely cleared tens of millions of dollars without ever deploying a single encryption payload.

Other groups took notice. Why bother with the complexity of encryption, the risk of detection during file-locking operations, and the messy negotiation over decryption keys? Just steal the data and threaten to publish it.

“The bullet points on the ‘pro’ side of the white board are getting increasingly scarce, while the cons side is getting crowded.”

— Coveware, Q4 2025 Ransomware Trends Report

When the Money Dried Up

The MOVEit campaign — Cl0p’s largest and most audacious operation — was also the beginning of the end for the extortion-only model. The attack hit hundreds of organizations across government, finance, and healthcare. But when the ransom demands came, victims largely refused to pay. Less than 2.5% complied. In the subsequent Cleo and Oracle E-Business Suite campaigns, the rate collapsed further — approaching zero.

The reason isn’t hard to understand. Enterprises have grown more sophisticated in assessing what a ransom payment actually buys. When encryption is involved, paying at least restores access to locked systems. But paying to suppress leaked data offers no such guarantee. The attackers retain the data regardless. They might sell it, recycle it in future attacks, or simply fail to honor any agreement — and there’s no enforcement mechanism for victims to lean on.

The Shiny Hunters extortion group experienced the same rude awakening, according to Coveware, after attempting to replicate Cl0p’s approach. The math simply stopped working.

Most Active Groups in Q4 2025

  • Akira: ~14% of activity
  • Qilin: ~13% of activity
  • Lone Wolf: ~12% of activity

Who’s Getting Hit

Ransomware attacks in Q4 2025 were not evenly distributed. Professional services firms bore the heaviest load at nearly 19% of all attacks. Healthcare came in second at over 15%, a perennial target due to its operational urgency and often strained security budgets. Technology, software, and consumer services rounded out the most targeted sectors.

SECTOR                  SHARE OF ATTACKS
Professional Services   18.92%
Healthcare              15.32%
Consumer Services        9.01%
Technology Hardware      9.91%
Software Services        7.21%

What the Pivot Back Means for Defenders

The return to encryption-plus-exfiltration attacks is, in a sense, good news: organizations now have more warning indicators to look for. Encrypting files across a network is a noisy operation. Good endpoint detection and response (EDR) solutions, behavioral analytics, and network monitoring give defenders a fighting chance to catch attackers mid-operation.
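To make concrete why file-locking is "noisy" in a way data theft is not, here is a small behavioral detector written for this page (example code, not from Coveware, SecurityWeek or any EDR vendor). It scans constructed file-system telemetry for the pattern defenders key on: one process producing many high-entropy writes and renames to an unfamiliar extension within a short window. The event records, the process IDs, the `.locked` extension and all thresholds are assumptions chosen for the illustration.

```python
"""Toy behavioral detector for mass file encryption.

Added example for this page, not code from Coveware or SecurityWeek.
Every event below is constructed; the thresholds are illustrative
starting points, not tuned values.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float            # seconds since an arbitrary epoch
    pid: int             # process that performed the operation
    path: str            # file affected
    op: str              # "write" or "rename"
    data: bytes = b""    # sample of bytes written (for "write")
    new_path: str = ""   # destination name (for "rename")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window=60.0, min_files=20,
                           entropy_threshold=7.5,
                           expected_exts=(".docx", ".xlsx", ".pdf", ".txt")):
    """Return one alert per process that, within any `window` seconds,
    produced high-entropy writes or renames to unfamiliar extensions on at
    least `min_files` distinct files. One high-entropy write (a zip, a JPEG)
    is normal; dozens per minute from a single process is the signal."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most `window` seconds
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            encrypted = {e.path for e in win
                         if e.op == "write"
                         and shannon_entropy(e.data) >= entropy_threshold}
            renamed = {e.path for e in win
                       if e.op == "rename"
                       and not e.new_path.lower().endswith(expected_exts)}
            touched = encrypted | renamed
            if len(touched) >= min_files:
                alerts.append({
                    "pid": pid,
                    "window_start": evs[start].ts,
                    "window_end": evs[end].ts,
                    "files": len(touched),
                    "renamed_to": sorted({e.new_path.rsplit(".", 1)[-1]
                                          for e in win if e.op == "rename"}),
                })
                break   # one alert per process is enough for triage
    return alerts


def build_sample_events():
    """Constructed telemetry: a slow benign editor (pid 100) and a process
    (pid 200) that overwrites 30 spreadsheets with random bytes and renames
    them to a hypothetical '.locked' extension within 15 seconds."""
    rng = random.Random(1)     # seeded so the example is deterministic
    events = []
    for i in range(5):
        events.append(FileEvent(ts=100.0 + i * 200, pid=100, op="write",
                                path=f"/share/notes{i}.txt",
                                data=b"quarterly planning notes, draft " * 30))
    for i in range(30):
        path = f"/share/finance/report{i:02d}.xlsx"
        t = 1000.0 + i * 0.5
        events.append(FileEvent(ts=t, pid=200, op="write", path=path,
                                data=bytes(rng.getrandbits(8) for _ in range(1024))))
        events.append(FileEvent(ts=t + 0.1, pid=200, op="rename", path=path,
                                new_path=path + ".locked"))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(alert)
```

The design point is that no single feature is trustworthy on its own: backup agents touch thousands of files, and compressed or already-encrypted documents have high entropy. Rate, entropy and extension change are combined per process and per time window, and the thresholds must be tuned against a baseline of normal activity before the rule is allowed to page anyone.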

But the combined threat model is also more consequential when it succeeds. Organizations must now contend simultaneously with system outages — creating immediate pressure to pay — and with the ongoing risk that stolen data surfaces on dark web leak sites regardless of whether a ransom is paid. That dual leverage was always ransomware’s most potent weapon, and it’s back.

Coveware’s analysis offers a pointed observation: every refused ransom payment chips away at the economics that sustain these operations. Improved prevention, tighter incident response, and the maturity to resist extortion collectively make ransomware less profitable — and less frequent.

KEY TAKEAWAYS FOR SECURITY TEAMS

  • Extortion-only attacks are yielding diminishing returns — expect more groups to reintroduce encryption for additional leverage.
  • Paying ransom to suppress data release offers no reliable guarantee; enterprises are right to weigh this carefully.
  • Professional services and healthcare remain the top ransomware targets by volume in Q4 2025.
  • Behavioral detection and EDR are more critical than ever as encryption-based attacks return to prominence.
  • Disciplined incident response — including the decision whether to pay — directly erodes attacker economics across the ecosystem.

The takeaway isn’t that ransomware is getting easier to deal with. It’s that the cat-and-mouse dynamic is accelerating. Defenders adapted to double extortion; attackers countered with data-only theft; now they’re reverting as that tactic loses teeth. Understanding this cycle — and staying a step ahead — is the work of modern security operations.


Adapted from SecurityWeek / Coveware Q4 2025 Ransomware Trends Report  —  March 2026

Elastio Team