Key Highlights
- Data-only ransomware attacks are on the rise as hackers abandon encryption in favor of faster, higher-profit extortion.
- Remote-access tool compromises surge now accounts for nearly two-thirds of non-BEC incidents.
- Business email compromise remains persistent, accounting for 26% of total cases.
Ransomware gangs are increasingly dropping traditional encryption-based attacks in favor of data-only extortion, according to a new report from Arctic Wolf. The shift signals a strategic recalibration among threat actors seeking higher profitability and reduced operational risk.
Encryption Takes a Back Seat
Arctic Wolf found that some threat groups are abandoning file encryption altogether and focusing purely on data exfiltration and blackmail. By stealing sensitive information and threatening to leak it, attackers reduce the technical complexity of deploying encryption tools while maintaining leverage over victims.
Ransomware still accounted for 44% of Arctic Wolf’s incident-response engagements during the reporting period. The manufacturing sector experienced the highest volume of attacks, followed by law firms, schools, financial institutions, and healthcare organizations.
Affiliate Models Reshape the Cybercrime Ecosystem
Ransomware groups are also expanding affiliate-based operations to scale revenue and lower costs. Under this model, developers provide ransomware infrastructure, and affiliates execute attacks in exchange for a share of the profits.
This structure has created a competitive and interconnected ecosystem in which cybercriminals frequently move between groups, and brand identities matter less than operational efficiency.
However, law enforcement actions have weakened several high-profile gangs, including LockBit, ALPHV/BlackCat, and BlackSuit, according to the report.
Business Email Compromise Remains Persistent
Beyond ransomware, business email compromise (BEC) schemes accounted for 26% of Arctic Wolf’s caseload. Financial and legal organizations were the primary targets. Researchers observed seasonal fluctuations, with surges aligning with high-volume financial periods and holidays when oversight may be reduced.
Email phishing was responsible for 85% of BEC initial access cases. In roughly 10% of incidents, attackers reused previously compromised credentials.
Remote Access Attacks on the Rise
Outside BEC campaigns, attackers overwhelmingly targeted remote access tools, including Remote Desktop Protocol, remote monitoring software, and VPN platforms. Nearly two-thirds of non-BEC cases involved compromised remote-access systems, a sharp increase from 24% three years ago.
Meanwhile, exploitation of known vulnerabilities declined to 11% of cases, down from 29% the previous year.
Researchers noted that automation and operational maturity among threat actors are accelerating, with some achieving full domain compromise within minutes of gaining access. This underscores the growing sophistication of today’s cyber threat landscape. Interested in knowing more about ransomware attacks, cyber threats, etc. Read more news on Cyber Security.