Ransomware Gangs Drop Encryption And Lean Into Data Theft Extortion


Ransomware operators are encrypting victims' systems less often and relying on data theft and extortion instead. A new white paper, "Ransomware 2026," from Symantec and the Carbon Black Threat Hunter Team, tracks this shift. Released on January 14, the report attributes the change to higher profits, faster operations, and less complexity for attackers: stealing data requires no working encryptor, no decryptor support, and no time spent deploying a payload across the estate.

Record High Counts Mask A Tactical Pivot

Ransomware leak sites reported 4,737 claimed attacks in 2025, a slight increase from 2024. The report calls 2025 “the highest ever” for the number of claimed attacks.

There were still some disruptions throughout the year. For example, attack numbers dropped in April after RansomHub shut down, but the decrease was brief, and attack volume quickly rebounded.

[Figure: bar chart of claimed ransomware attacks by data-leak-site actors, 2022 to 2025, showing a steady rise through 2025. Source: Symantec and the Carbon Black Threat Hunter Team, "Ransomware 2026" white paper.]

The leading groups also changed. LockBit and RansomHub, previously dominant, faded from prominence in 2025. Akira and Qilin became the top groups, each responsible for 16% of claimed attacks. Inc and SafePay had smaller shares at 6% each, while DragonForce accounted for 5%.

Encryptionless Extortion Pushes The Total Higher

The report distinguishes encryption-based attacks from extortion events. Encryption attacks stayed roughly flat at "just above 4700" per year, but the extortion count grew once theft-only incidents were included.

When encryptionless extortion is counted, there were 6,182 extortion attacks in 2025, a 23% increase over 2024. The report highlights that “these attacks rely on only data theft as a lever for extortion.”

This trend matches what defenders see in practice. Many organizations can now detect and stop an intrusion before the ransomware payload is deployed, but by that point the attackers have often already reached the data that matters. By stealing it, they can profit without encrypting a single system, and the controls that block encryption (EDR, backups, segmentation) do nothing to recover data that has already left the network.

Snakefly Shows The Blueprint For Theft First

Snakefly, which is linked to Cl0p, helped make theft-first extortion more common by focusing on large-scale exploitation and data theft instead of encrypting endpoints.


The MOVEit Transfer campaign is the report's key example of this method. It cites U.S. government warnings that linked Snakefly to the MOVEit attacks, and references Coveware's estimate of $75 million to $100 million in possible profits from that campaign alone.

The report also notes that Snakefly later targeted Oracle E-Business Suite, exploiting CVE-2025-61882 since August 2025.

Telegram Collectives Industrialize Extortion

The report connects the Oracle E-Business Suite exploit to a leak pipeline, noting that "Scattered LAPSUS$ Hunters" shared attack scripts on Telegram, and asks whether distinct groups are in fact working together.

The report describes a larger trend of groups joining forces. Around August 2025, a collective formed and created at least 16 Telegram channels to promote “extortion-as-a-service (EaaS)” on a bigger scale.

This collective also targeted identity and SaaS platforms. ShinyHunters attacked the Salesforce tenants of several major brands. The report says attackers used vishing and fraudulent OAuth approvals, posing as IT staff to talk victims into authorizing a connected app; in one case the tool victims were asked to approve was a modified version of Salesforce's own Data Loader application.

This trend matters for cyber insurers. A SaaS breach can trigger privacy, regulatory, and contractual losses, and high notification costs, even though no servers are encrypted and there is no downtime to measure.

DragonForce Turns Ransomware Into A Services Stack

The report describes a shift in DragonForce’s operations. In April 2025, its operator altered the affiliate structure, according to SecureWorks: “DragonForce provides its infrastructure and tools, but affiliates are no longer obligated to use its ransomware, allowing them flexibility in conducting attacks.”

This approach fits the theft-first trend. Affiliates are allowed to use their own malware, but can still access leak sites, management panels, and negotiation tools. The report notes that DragonForce offered affiliates an 80% share of profits.

The report also links DragonForce to changes in the ransomware ecosystem. It states that RansomHub shut down in April 2025, and many affiliates then joined Qilin and DragonForce.


Warlock Signals A China-Based Ransomware Twist

The report singles out Warlock as a distinctive new group. Warlock first appeared in June 2025, a few weeks before the ToolShell exploitation of on-premises SharePoint began; the report ties that activity to CVE-2025-53770, exploited in the wild from July 19, 2025.

The report also says Warlock “appears to be used by a group based in China.” It notes that DLL sideloading was common in their activity, and researchers observed a custom command-and-control framework called “ak47c2.”

The payload details suggest a possible rebranding. Trend Micro observed Warlock encryptors appending a ".x2anylock" extension, and the Threat Hunter Team found ransom notes claiming to be from Warlock during the same encryption attempts.

The report connects Warlock’s tools to older espionage tactics, including using BYOVD to disable security and deploying a renamed Baidu driver with a stolen certificate.

The report summarizes the broader risk: SentinelOne said some groups “blurred the lines between espionage and cybercrime.” It also notes that ransomware can be used to hide evidence of intrusions.

Attack Chains Lean On Legit Tools

The report emphasizes that most tools used in modern attacks are legitimate software, including the operating system's own administration utilities. "Malware is used sparingly," it notes, and a bespoke payload usually appears only at the end of the attack chain, after discovery, credential theft, and exfiltration have already been carried out with dual-use tools.

In one DragonForce intrusion, the attackers used NetScan for network discovery, Ntdsutil to dump the Active Directory database, and Rclone to exfiltrate data, and enabled RDP on targets with PsExec.

The defense section reflects this reality by listing dual-use tools to watch: Rclone for exfiltration, and AnyDesk and Atera for remote access. It recommends monitoring these programs because the same binary that an administrator runs legitimately is the one an affiliate runs to stage an attack.

What Insurers And Security Teams Should Watch

The move from encryption to data theft changes how claims are handled. Encryption leads to downtime and recovery costs, while theft-first extortion increases privacy liability and response expenses. It can also lead to more third-party claims after data leaks.

The report's practical advice is concrete: keep PowerShell updated and enable its logging, restrict RDP to known IP addresses and require multi-factor authentication for it, and monitor dual-use tools.
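The dual-use tooling named in the DragonForce case above (NetScan, Ntdsutil, Rclone, PsExec enabling RDP) and in the defense advice (AnyDesk, Atera) is exactly what process-creation telemetry can surface. The following is an added example written for this article, not code from the report or from Symantec/Carbon Black. It runs a small rule set over constructed JSON-lines records that stand in for Windows Security 4688 / Sysmon Event ID 1 process-creation events, and then correlates hits per host: several distinct stages on one host within a short window is treated as a likely intrusion rather than a single administrator running a tool. The event fields, hostnames, timestamps, rule names and the allowlist are all assumptions made for the example.

```python
"""Flag dual-use ransomware tooling in process-creation telemetry.

Hypothetical example: the JSON-lines format below is a constructed,
simplified stand-in for Windows 4688 / Sysmon EID 1 records.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (stage, rule name, regex over the lower-cased "image cmdline" string).
# More specific rules come before generic ones; first match wins.
RULES = [
    ("discovery", "netscan", re.compile(r"\bnetscan(64)?\.exe")),
    # ntdsutil "ifm" "create full ..." dumps NTDS.dit (AD credential store)
    ("credential", "ntdsutil_ifm",
     re.compile(r"\bntdsutil\.exe.*\bifm\b.*\bcreate\b")),
    # PsExec used to flip the registry value that disables/enables RDP
    ("lateral", "psexec_enable_rdp",
     re.compile(r"\bpsexec(64)?\.exe.*fdenytsconnections")),
    ("lateral", "psexec", re.compile(r"\bpsexec(64)?\.exe")),
    # rclone copy/sync/move to a named remote (two+ chars, so not a drive letter)
    ("exfil", "rclone_remote",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\s[a-z][a-z0-9_-]+:")),
    ("remote_access", "anydesk", re.compile(r"\banydesk\.exe")),
    ("remote_access", "atera", re.compile(r"\bateraagent\.exe")),
]

# (rule, host) pairs where the tool is sanctioned. Assumption: SOC-maintained.
ALLOWLIST = {("anydesk", "HELPDESK-01")}

# Constructed sample telemetry (not real logs). UNC paths are JSON-escaped.
SAMPLE_EVENTS = r'''
{"ts":"2025-11-03T09:00:05","host":"HELPDESK-01","user":"CORP\\helpdesk","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe","cmdline":"AnyDesk.exe --service"}
{"ts":"2025-11-03T09:30:41","host":"WS-17","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe","cmdline":"AnyDesk.exe"}
{"ts":"2025-11-03T10:02:11","host":"DC01","user":"CORP\\svc_backup","image":"C:\\Users\\Public\\netscan.exe","cmdline":"netscan.exe /range:10.0.0.0/24 /auto:scan.csv"}
{"ts":"2025-11-03T10:40:27","host":"DC01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\ntdsutil.exe","cmdline":"ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Temp\\x\" q q"}
{"ts":"2025-11-03T11:15:03","host":"DC01","user":"CORP\\svc_backup","image":"C:\\Temp\\PsExec.exe","cmdline":"PsExec.exe \\\\FS01 -s reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"}
{"ts":"2025-11-03T12:30:58","host":"FS01","user":"CORP\\svc_backup","image":"C:\\ProgramData\\rclone\\rclone.exe","cmdline":"rclone.exe copy \\\\FS01\\Finance mega:dump --transfers 32 -q"}
{"ts":"2025-11-03T13:00:00","host":"WS-17","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
'''


def classify(event):
    """Return a hit dict for the first matching, non-allowlisted rule, else None."""
    text = (event["image"] + " " + event.get("cmdline", "")).lower()
    for stage, name, rx in RULES:
        if not rx.search(text):
            continue
        if (name, event["host"]) in ALLOWLIST:
            return None
        return {"host": event["host"], "ts": event["ts"], "user": event["user"],
                "stage": stage, "rule": name, "cmdline": event.get("cmdline", "")}
    return None


def analyse(lines, window=timedelta(hours=6)):
    """Classify each JSON line, then give every host with hits a verdict.

    likely-intrusion: three or more distinct stages on one host inside `window`
    investigate:      any credential-dump or exfiltration hit
    review:           anything else (e.g. unsanctioned remote-access tool)
    """
    hits = [h for h in (classify(json.loads(l)) for l in lines if l.strip()) if h]
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    verdicts = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        stages = {h["stage"] for h in hs}
        span = datetime.fromisoformat(hs[-1]["ts"]) - datetime.fromisoformat(hs[0]["ts"])
        if len(stages) >= 3 and span <= window:
            verdicts[host] = "likely-intrusion"
        elif stages & {"credential", "exfil"}:
            verdicts[host] = "investigate"
        else:
            verdicts[host] = "review"
    return hits, verdicts


if __name__ == "__main__":
    hits, verdicts = analyse(SAMPLE_EVENTS.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["host"]:12} {h["stage"]:13} {h["rule"]:18} {h["cmdline"][:60]}')
    for host, v in sorted(verdicts.items()):
        print(f"{host}: {v}")
```

The correlation step is the part worth keeping in a real deployment: any one of these tools has a legitimate use, so a single hit is a ticket, not an alert, while discovery, credential dumping and RDP enablement on a domain controller within an hour is the staging pattern the report describes. In production the rules would be fed from Sysmon or the EDR rather than a string, and the allowlist should be scoped to hosts and accounts, never to the tool name alone.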

The report also emphasizes the need for strong backup practices. It recommends keeping at least four weeks of backups off-site, maintaining offline backups on-site, regularly testing restores, and using strict permissions.

The report also recommends layered security controls, and cites SE Labs testing in which Symantec Endpoint Security Complete and Carbon Black Cloud received "perfect AAA ratings": the test blocked all attacks from 15 ransomware families with no false positives. Vendor-sponsored results of this kind say little about theft-first extortion, where no encryptor is ever deployed for an endpoint product to block.
