Ransomware Attacks Now Steal Data Rather Than Just Encrypt It
February 11, 2025
With Russia-affiliated groups like LockBit resurfacing and new threat actors such as BlackLock—the world’s fastest-rising ransomware operation—enterprises must recognize that ransomware has evolved into a more dangerous and ruthless form of cybercrime. These groups are willing to target critical sectors, including healthcare, with devastating consequences.
A February 26 report from Arctic Wolf reveals that 96% of all reported ransomware incidents in 2024 involved data exfiltration, as attackers increasingly rely on double extortion tactics to maximize pressure on victims.
Double Extortion: The New Norm
The report highlights that double extortion—stealing data before encrypting it—has become the standard rather than the exception. This shift is a direct response to organizations improving their backup and recovery capabilities and gaining a better understanding of ransomware threats.
Kerri Shafer-Page, vice president of incident response at Arctic Wolf, explained: “Threat actors are no longer just locking up data with ransomware; they’re stealing it first to maximize pressure on victims.” This tactic not only increases the likelihood of ransom payments but also ensures a steady revenue stream for these organized criminal operations.
The Ransomware Landscape: A Modern-Day Hydra
The Arctic Wolf report likens the ransomware landscape to the Hydra of Greek mythology, where cutting off one head results in two more taking its place. The ransomware-as-a-service (RaaS) model has democratized access to ransomware tools, intrusion techniques, and compromised IT environments—often facilitated by initial access brokers (IABs). This has created a long tail of threat actors, all vying for a share of the lucrative cybercrime market.
In 2024 alone, Arctic Wolf analysts observed more than 50 unique ransomware threat actors in victim environments. The report notes, “When a ransomware operation ceases to exist—whether due to law enforcement actions, infighting, politics, or retirement—other groups, both new and old, quickly fill the void.”
Implications for Enterprises
The rise of double extortion and the proliferation of ransomware groups underscore the need for organizations to adopt a proactive and multi-layered defense strategy. Key measures include:
Strengthening Backup and Recovery Systems:
Ensure backups are secure, regularly tested, and isolated from the main network.
Enhancing Detection and Response Capabilities:
Deploy advanced threat detection tools and establish an incident response plan.
Educating Employees:
Train staff to recognize phishing attempts and other common attack vectors.
Implementing Zero Trust Architecture:
Limit access to critical systems and data to only those who need it.
Conclusion
The ransomware threat landscape continues to evolve, with data theft becoming a core component of attacks. As threat actors grow more sophisticated and resilient, organizations must prioritize cybersecurity measures that go beyond traditional defenses. By adopting a proactive approach and staying informed about emerging threats, businesses can better protect themselves against the growing menace of ransomware.