Dive Brief:
- Data-only extortion attacks surged elevenfold over the past year, according to a report that the security firm Arctic Wolf released on Tuesday, illustrating how ransomware gangs are capitalizing on businesses’ fears of reputational damage.
- In 22% of cases that Arctic Wolf responded to between November 2024 and November 2025, hackers threatened only to expose stolen data, rather than to leave it encrypted. That is a significant increase from the prior period, when only 2% of cases unfolded that way.
- Arctic Wolf’s report also detailed hackers’ most common intrusion techniques, offering a warning to businesses about which of their systems could be the most vulnerable.
Dive Insight:
The increase in data-only ransomware attacks — a trend that other firms have also reported — reflects a change in hackers’ motivations, according to Arctic Wolf. “It now appears that some threat actors … have begun abandoning encryption altogether to focus purely on data exfiltration and extortion in hopes of better net returns,” the company said.
Ransomware accounted for 44% of Arctic Wolf’s incident-response engagements during the period covered in the report. The manufacturing sector bore the brunt of the attacks, followed by law firms, schools, financial institutions and health-care organizations.
Ransomware gangs have increasingly adopted affiliate models to generate more revenue, reduce expenses and “attract and retain a broader pool of cybercriminals,” according to Arctic Wolf. The result, the company said, was “a more competitive and interconnected ecosystem,” with hackers moving seamlessly between groups and the brand names of individual gangs mattering less.
The evidence suggests, however, that law-enforcement takedowns have significantly diminished once-popular gangs such as LockBit, ALPHV/BlackCat and BlackSuit, according to the report.
Hackers also have continued to find success with business email compromise (BEC) schemes, which accounted for 26% of Arctic Wolf’s case load. Those attacks primarily targeted financial and legal organizations. Arctic Wolf reported a “fairly steady flow” of BEC incidents throughout the year, with a dip in May and a surge in June and July. “These fluctuations suggest that threat actors time campaigns strategically to align with organizations’ financial cycles, world and cultural events, or high-volume transaction periods (such as holidays) when oversight may be reduced,” the researchers wrote.
Email phishing remained the most popular form of initial access in BEC cases, accounting for 85% of the cases that Arctic Wolf investigated. While those cases involved new credential theft, roughly one in 10 cases involved hackers abusing previously compromised credentials.
Outside of BEC cases, hackers overwhelmingly favored attacks on remote-access tools, including the Remote Desktop Protocol, remote monitoring and management software and popular VPNs. Roughly two-thirds of Arctic Wolf’s non-BEC cases involved remote-access compromises, the company said. That number has steadily increased from three years ago, when it was just 24%.
Only 11% of cases during the annual reporting period involved the exploitation of known vulnerabilities, compared with 29% during the prior year.
“Whether through rampant credential reuse or potentially devastating exploitation, threat actors are demonstrating a high level of automation and operational maturity, at times achieving full domain compromise within minutes of gaining access,” Arctic Wolf researchers wrote.