Skip to main content
Emerging ThreatsMalware & Ransomware

Ransomware Attacks Up 9% but Payments Are Down

Ransomware Attacks Up 9% but Payments Are Down

Ransomware’s New Playbook: More Attacks, Fewer Payoffs, and a Shift Toward Data Theft

Ransomware’s New Playbook: More Attacks, Fewer Payoffs, and a Shift Toward Data Theft

Amid an evolving cyber threat landscape, Q1 2025 has brought a paradoxical trend: while ransomware attacks have surged by 9%, the payments extracted from these incidents have significantly declined. A closer look at the data reveals a strategic pivot in cybercriminal behavior, with data theft-only ransomware incidents now accounting for 50% of attacks. Allan Liska, senior security architect at Recorded Future, explains that law enforcement efforts have successfully disrupted major ransomware groups, leaving less-skilled threat actors scrambling for a payday or shifting tactics to steal sensitive information.

The cybercrime ecosystem is in flux. Traditional ransomware operations—where adversaries encrypt critical files and demand payment for decryption—are increasingly supplanted by data theft schemes that exploit the stolen information for extortion or outright sale. With organized crime units and international law enforcement agencies intensifying their crackdown on well-known threat groups, cybercriminals are forced to retool their operations under tighter scrutiny.

Recorded Future’s comprehensive research indicates that the dramatic drop in ransom payments does not signal a decline in criminal activity. Instead, it points to a realignment of the ransomware business model. The decreased profitability of direct ransom demands has spurred a migration toward data exfiltration and subsequent monetization via the dark web. In essence, adversaries are banking on the market for stolen data rather than the traditional ransom negotiation process.

Historically, ransomware emerged as a method for cybercriminals to seize control over computer systems and extort payments swiftly from unprepared victims. Over the past decade, as organizations invested more heavily in cybersecurity, the relatively straightforward approach of locking data and demanding a fixed sum became less lucrative. Law enforcement agencies, leveraging increased international cooperation and advanced digital forensics, have been instrumental in dismantling major ransomware operations. This concerted global response has not only heightened the risks for cybercriminals but also diversified the tactics deployed by those still operating on the fringes of the dark web.

In light of these developments, cybersecurity experts are urging organizations to recalibrate their defenses. The shift toward data theft has implications that extend beyond immediate financial losses. Data breaches can expose sensitive customer information, intellectual property, and operational secrets—elements that may not be immediately recoverable even if law enforcement later disrupts the attack.

Allan Liska’s observations highlight a crucial juncture in ransomware evolution: with law enforcement delivering significant blows to established actors, the field is witnessing an influx of smaller, less sophisticated groups. Many of these actors do not employ the robust encryption and negotiation strategies associated with their predecessors but rather opt to pilfer data, banking on its resale value or leveraging it for blackmail. This transformation in tactics reflects not only the criminal community’s resilience but also its ability to pivot when faced with mounting pressure.

The current scenario raises several important questions. For instance, how will organizations adapt their incident response and data security strategies to address the growing prevalence of data theft? More critically, will law enforcement’s continued pressure eventually force the entire ransomware market into further obscurity, or could these shifts trigger unforeseen consequences in the broader cyber ecosystem?

Experts across cybersecurity and law enforcement circles agree that the new dynamics necessitate a multi-layered approach. Organizations should blend traditional network defense strategies with enhanced data governance practices. “The need to safeguard data integrity and reduce attack surfaces has never been more vital,” noted a senior official at the Federal Bureau of Investigation, emphasizing the interconnected nature of modern cyber threats. As criminal tactics evolve, so too must the mechanisms of defense.

The economic implications of these trends extend beyond the usual industry metrics. With a general decline in ransom payments, some analysts suggest that the financial calculus for adversaries is shifting. Less reliance on a single revenue stream—direct monetary extortion—encourages diversification into other illicit markets, such as identity theft and the black-market sale of corporate data. This, in turn, could spur regulatory changes and new collaborative frameworks between governments and private sector entities.


Law enforcement’s disruptive influence on dominant ransomware groups is a key factor driving this evolution, creating an environment where opportunistic, less-skilled hackers attempt to fill the void. While lower ransom payments might seem like a silver lining for organizations, the collateral damage caused by data breaches—be it reputational harm or the loss of competitive advantage—remains a significant concern.

Looking ahead, stakeholders in the cybersecurity realm are monitoring the situation closely. Predictions suggest that continued law enforcement successes may further erode the profitability of traditional ransomware models. However, as established groups are dismantled, the fertile ground may be left to new kinds of cybercriminal enterprises, ones that are willing to take greater risks or become more innovative with their methodologies. The interplay between public policy, international cooperation, and technological advancement will continue to dictate the landscape.

Organizations are advised to adopt a proactive stance, integrating real-time threat intelligence and investing in advanced detection systems capable of identifying and mitigating both ransomware and data exfiltration activities. In this context, industry groups, governmental agencies, and cybersecurity firms are collectively rethinking frameworks for responsible data stewardship and risk management to safeguard not only immediate operations but also long-term strategic interests.

The evolution of ransomware strategies—from direct payment extortion to covert data theft—illustrates the ever-adapting nature of cyber threats. As law enforcement continues to push back against well-established criminal networks, the ripple effects are reshaping an industry that once relied on a relatively simple exchange of threat for cash. The pressing question now is not merely how organizations can defend their networks, but how they can anticipate the broader shifts in cybercrime tactics in an increasingly interconnected world.

Ultimately, the story of ransomware in 2025 is a testament to the dynamic interplay between offense and defense in the digital age. With fewer payouts and more stolen data, adversaries are reinventing their strategies under the spotlight of global law enforcement. For policymakers and cybersecurity professionals alike, this evolving narrative underscores a universal truth: in the realm of cyber threats, change is the only constant, and preparing for tomorrow’s challenges demands vigilance today.