Ransomware 3.0: The Evolution of a Digital Plague
Ransomware isn’t going anywhere. In fact, it’s only getting worse. Cybercriminals are finding new, creative ways to exploit vulnerabilities, make money, steal data, and terrorize people, businesses and municipalities alike. During a talk I attended today hosted by Dan Lohrmann (Presidio) and Earl Duby (Auxiom), a panel of cybersecurity heavyweights made up of guest speakers Allan Liska (Recorded Future), Erika Gifford (Verizon VTRAC) and Darrin Kimes (Verizon VTRAC) broke down the latest trends in ransomware, how organizations are responding, and what you can do to protect yourself.

Quick facts
- About 30% of attacks now involve data theft without encryption
- Small businesses are now prime targets
- Hackers publicly expose stolen data to pressure victims into paying
- Due to AI, phishing scams no longer contain language mistakes
- Breaches often come from third-party vendors or leaks
Ransomware isn’t just about encryption anymore
For years, ransomware meant one thing: attackers would break into your systems, encrypt your data, and demand a ransom for the decryption key. But Allan pointed out that encryption is becoming far less common in ransomware tactics. About 30% of attacks now involve pure data theft with no encryption at all. Why? Because stealing data is easier, and it works just as well for extortion.
Instead of bothering with encryption, attackers find weaknesses in file transfer systems and cloud services, steal sensitive data, and then threaten to leak it unless the victim pays up. The old-school definition of ransomware that relied on encryption doesn’t fully apply anymore. We in the industry are coming to terms with this shifting definition. But cybercriminals don’t care about definitions; they care about whatever helps them achieve their goals.
Who’s being targeted, and why
Darrin shared some surprising stats on ransomware victims. When analyzing businesses based on revenue, the attack rates were fairly even across all sizes. This means that money alone isn’t the main factor. Instead it seems to be about vulnerabilities.
Small businesses often lack dedicated security teams, making them easy targets. In fact over the last two months of 2025, the number of attacks on medium and large businesses combined was about the same as those on small businesses alone. The common factor seems to be a lack of cybersecurity investment.
Privately owned businesses seem to bear the brunt of this, making up over 80% of ransomware victims. I suspect this could simply be because there are far more private companies than public ones. Without access to the datasets Verizon used for their analysis, it’s hard to say for certain why this trend holds. What is clear, though, is that attackers aren’t necessarily going after high-profile targets, instead opting for the ones least likely to have strong defenses.
“Name and shame” tactics
Erika explained another major shift: ransomware groups are now leveraging public exposure as a weapon. Even when big corporations have solid backups and can recover from encryption attacks, hackers still hold power by threatening to leak sensitive data to the public.
Some groups post a small sample of stolen data as “proof” and demand payment from victims to prevent further leaks. In some cases even if the sensitive data is years out of date, the mere threat of exposure can be enough to make companies pay up.
There are many weaknesses that lead to ransomware: misconfigurations, insider threats, leaked credentials. One of the more successful tactics for ransomware groups is phishing. We are seeing a rise in the use of AI to make phishing more convincing, improving the appearance of phishing emails and removing the language mistakes that used to be red flags. Identifying phishing attempts is only going to get harder from now on.
Evolution of ransomware negotiations
During the talk, I had the chance to ask the panel a question: Has the shift from encryption-based ransomware to pure data extortion changed the way negotiations play out between attackers and victims?
Darrin tackled this question first, using the Clop (sometimes written Cl0p) ransomware group as an example. Clop specializes in targeting file transfer protocols, exploiting zero-day vulnerabilities to quietly siphon off massive amounts of data before the victim even knows what’s happening. You might not even realize you’ve been hit until the ransom note appears or until you notice unusual outbound traffic in your firewall logs. And by then the damage is done.
These groups often buy zero-day exploits from bug bounty researchers or initial access brokers, meaning that by the time the vulnerabilities are made public attackers have already had months to operate in the shadows.
Allan added another unsettling layer to this answer: sometimes the stolen data doesn’t even come from your own system. Attackers may have obtained it through a third-party vendor or a partner organization that the victim is associated with, such as a cloud service, effectively bypassing all other security measures put into place. This makes the attack even harder to track. When negotiating with ransomware groups, the first step is always verifying the data is legitimate. After that, cyber insurance providers often step in. Many have professional negotiators on staff who specialize in dealing with these situations. They know which groups are serious, when they’re bluffing, and how to navigate high-stakes cyber extortions.
Unfortunately, too many organizations are insistent on trying to handle negotiations themselves, which rarely ends well for the victims. As Allan pointed out, data governance has gone from being a side concern for security teams to a core pillar of cybersecurity strategy.
Companies need a clear picture of their data: who has access to it, where it’s stored, and how it moves between systems. Without this visibility they’re easy pickings for groups like these.
The “why” behind the attacks
When it comes to targeting, Dan pointed out that it’s mainly about money. Schools, small businesses, even municipal services… if they have valuable data and weak defenses, they’re fair game. Hackers aren’t necessarily breaking into systems these days; they’re logging in… and mostly with credentials bought off the dark web. Once inside, they steal whatever they can and move on.
But it’s not just about profit. Some hackers do it for bragging rights, as a form of marketing or to show off their skills. Others are just incompetent or plain stupid. Allan highlighted a case where hackers targeted a school district in Palm Beach, Florida with a supposed $5 billion budget, assuming that meant they had $5 billion to pay a ransom. Spoiler: they didn’t. Some of these attackers are just throwing darts and hoping to get lucky.
Violence as a Service
As if digital extortion wasn’t bad enough, some ransomware groups are taking it a step further by offering real-world intimidation.
Darrin described cases where hackers would pay local criminals to vandalize businesses that refuse to pay ransoms. For as little as a couple hundred dollars they’ll arrange for someone to throw bricks through windows. In one case a hacker even tried to sell pictures of a CEO’s house in exchange for $500 worth of an unspecified cryptocurrency. Cybercrime is getting bolder, and this new trend shows it’s only going to get worse.
How to protect yourself
What can you do to avoid becoming a victim? No tactic can ever give you 100% certainty, as with anything, but here are some key tips from the speakers to take away for your own safety:
- Patch your systems. Allan pointed out the CISA Known Exploited Vulnerabilities catalog. Monitor it and patch anything on it ASAP
- Monitor for leaked credentials. Sites like Have I Been Pwned can help you here
- Know what’s on your network. Erika stressed understanding which third-parties have access to your data
- Train your employees. Phishing remains a top attack vector. Security awareness training should be frequent, but also engaging and interesting. Use real-world stories and cases as teachable moments
- Assess your attack surface. Darrin recommended hiring red teams, using blue teams, and even monitoring the dark web for threats and credential leaks (if you have the resources to do so)
- Use law enforcement resources. Their cyber crimes divisions have a ton of experience with ransomware negotiation tactics. Dan pointed to CISA’s Stop Ransomware site as a great place to start.
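One way to act on the first tip, as an added example that is not from the talk or the original post: match a software inventory against the KEV catalog's JSON feed and put entries flagged as used in ransomware campaigns first. The field names follow the published KEV feed; the catalog entries, CVE IDs, hosts and the name-only matching are constructed assumptions (a real check would also compare versions).

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The CVE IDs, vendors
# and products are placeholders, not real catalog entries.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleSoft", "product": "FileMover",
  "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "FileMover",
  "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "DemoCorp", "product": "EdgeVPN",
  "dueDate": "2025-02-10", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "Widget",
  "dueDate": "2025-01-01", "knownRansomwareCampaignUse": "Known"}]}""")

# Hypothetical inventory: (host, vendor, product, CVEs already remediated).
INVENTORY = [
    ("xfer01", "examplesoft", "filemover", set()),
    ("vpn01", "DemoCorp", "EdgeVPN", {"CVE-0000-0003"}),
    ("web01", "DemoCorp", "EdgeVPN", set()),
]

def kev_patch_queue(kev, inventory, today):
    """Match inventory against KEV; ransomware-linked and most overdue first."""
    by_product = {}
    for vuln in kev["vulnerabilities"]:
        key = (vuln["vendorProject"].lower(), vuln["product"].lower())
        by_product.setdefault(key, []).append(vuln)
    queue = []
    for host, vendor, product, remediated in inventory:
        for vuln in by_product.get((vendor.lower(), product.lower()), []):
            if vuln["cveID"] in remediated:
                continue  # already patched on this host
            due = date.fromisoformat(vuln["dueDate"])
            queue.append({
                "host": host,
                "cve": vuln["cveID"],
                "ransomware": vuln["knownRansomwareCampaignUse"] == "Known",
                "days_overdue": (today - due).days,  # negative: not yet due
            })
    queue.sort(key=lambda e: (not e["ransomware"], -e["days_overdue"]))
    return queue

if __name__ == "__main__":
    for entry in kev_patch_queue(KEV_SAMPLE, INVENTORY, date(2025, 2, 20)):
        print(entry)
```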
Final thoughts
Ransomware is evolving, and so must our defense. Criminals are getting bolder, stealing data with reckless abandon, and now we are at the point where they will hire other criminals to apply pressure to their targets in the real world. Whether you are a small business, school district, or a major corporation, you are always a potential target. The threats are real, and they’re not slowing down.
Stay vigilant and stay prepared.
If you’re interested in how cybersecurity extends beyond Earth, there is another talk happening on April 8th about securing satellites from cyberattacks. You can register for it here.
Of course, our Cyber3Lab researchers can help with awareness training, IT/OT cybersecurity education, and penetration testing services.
We are also helping many companies raise their security bar as this is required by the NIS2 regulation. For self-assessment, the Belgian CyberFundamentals framework (CyFun) can help you with gap analysis and knowing where your biggest problems are.
Check out the NIS2-related pages on this website, or contact us by email for further information.
Contributors
Authors
- Brendan Craven, Cybersecurity Researcher
- Patrick Van Renterghem, AI, CyberSecurity, Web3, Immersive Tech, Quantum, ... Community Builder