Google Warns Ransomware Actors Are Shifting Tactics as Profits Fall and Data Theft Rises
The ransomware threat landscape underwent a significant transformation in 2025, as criminal enterprises experienced a sharp decline in profits. Once a lucrative business model, ransomware operations are facing financial pressure due to falling ransom payment rates, reduced average demands, and improved victim recovery capabilities. In response, threat actors are adapting their strategies, focusing more on data theft for extortion and targeting smaller organizations with less robust security defenses.
According to reporting by Coveware, ransom payment rates hit a historic low in the fourth quarter of 2025. Sophos reported a one-third drop in average ransom demands, which decreased from $2 million in 2024 to $1.34 million in 2025. Concurrently, organizations’ ability to restore from backups improved significantly. Nearly half of ransomware victims could fully recover from backups in 2024, a stark contrast to just 11% in 2022, weakening the leverage ransomware operators traditionally relied upon.
These evolving patterns were identified by Google Cloud analysts from the Google Threat Intelligence Group (GTIG), including Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, and Genevieve Stark. Their analysis, based on Mandiant incident response investigations across Asia Pacific, Europe, North America, and South America throughout 2025, highlighted a shift in ransomware family prevalence. REDBIKE emerged as the most prevalent ransomware family, accounting for nearly 30% of observed incidents, surpassing previous peaks set by LOCKBIT and ALPHV.
The ransomware-as-a-service (RaaS) ecosystem also experienced considerable disruption in 2025. Law enforcement actions and internal conflicts led to the weakening or dismantling of prominent operations such as LockBit, ALPHV, Basta, and RansomHub. However, Qilin and Akira emerged to fill the void, contributing to a nearly 50% increase in victim posts on data leak sites compared to 2024 figures. Threat actors have also increasingly targeted smaller organizations, shifting away from larger enterprises with mature security defenses.
GTIG warns that the decline in direct ransom profits may drive some threat actors toward alternative income streams. This can include leveraging compromised infrastructure for phishing campaigns or monetizing access to victim environments through secondary means. In light of these shifts, organizations are advised to implement the practical steps outlined in the Ransomware Protection and Containment Strategies white paper, focusing on endpoint hardening, containment measures, and recovery preparedness.
The Rise of Data Theft as an Extortion Method
A significant trend observed in 2025 incident investigations was the substantial increase in data exfiltration as a primary extortion tactic. GTIG data indicates that confirmed or suspected data theft occurred in approximately 77% of ransomware intrusions, a notable jump from 57% the previous year. Attackers are now frequently stealing sensitive files before encrypting systems, threatening to publish the exfiltrated data on leak sites even if victims can restore their systems from backups.
To facilitate data exfiltration, threat actors employed a combination of familiar and readily available tools. Rclone was utilized in approximately 28% of data theft incidents to transfer files to attacker-controlled infrastructure. Both Rclone and WinRAR were observed in roughly 23% of all 2025 incidents, representing an increase from 2024. Other commonly used tools for exfiltration included FileZilla, WinSCP, and cloud platforms such as MEGA, OneDrive, and Azure. Attackers specifically targeted legal documents, HR records, accounting data, and business development files, aiming to maximize their leverage during negotiations.
Organizations should bolster their defenses by implementing robust data loss prevention (DLP) controls. Continuous monitoring of outbound traffic for unusual or large file transfers is crucial, as is restricting the use of unapproved tools like Rclone and AzCopy. Maintaining detailed logs of cloud storage access and ensuring visibility into endpoint activity can provide early warnings of exfiltration attempts, potentially preventing sensitive data from reaching attacker-controlled infrastructure.
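As an added illustration of the monitoring described above (this is example code, not anything from the GTIG report or Google), the Python below runs two checks over constructed telemetry: execution of the tools the report names, and outbound volume to cloud-storage destinations. The JSON record shape, the cloud-storage domain list and the 500 MiB threshold are assumptions to tune for a given environment.

```python
import json
from collections import defaultdict

# Tools the report names as frequently used for staging and exfiltration.
EXFIL_TOOLS = {"rclone.exe", "azcopy.exe", "winscp.exe", "filezilla.exe", "winrar.exe"}
# Cloud-storage destinations mentioned in the report (this domain list is an assumption).
CLOUD_STORAGE = ("mega.nz", "mega.co.nz", "onedrive.live.com", "blob.core.windows.net")
LARGE_XFER_BYTES = 500 * 1024 * 1024  # per-host threshold; assumption, tune per environment

# Constructed sample telemetry (not real data): process-creation and outbound-flow
# records in JSON-lines form, one record per line.
SAMPLE_LOG = """
{"type":"process","host":"ws01","image":"RCLONE.EXE","cmdline":"rclone copy E:/Share remote:bucket"}
{"type":"process","host":"ws02","image":"explorer.exe","cmdline":"explorer"}
{"type":"netflow","host":"ws01","dst_host":"gfs302n.userstorage.mega.co.nz","bytes_out":314572800}
{"type":"netflow","host":"ws01","dst_host":"gfs302n.userstorage.mega.co.nz","bytes_out":314572800}
{"type":"netflow","host":"ws02","dst_host":"onedrive.live.com","bytes_out":10485760}
{"type":"netflow","host":"ws03","dst_host":"updates.example.com","bytes_out":734003200}
"""

def parse_events(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_cloud_storage(dst):
    """True when the destination is one of the watched cloud-storage domains or a subdomain."""
    dst = dst.lower()
    return any(dst == d or dst.endswith("." + d) for d in CLOUD_STORAGE)

def find_tool_executions(events):
    """Flag process-creation records for tools that should be restricted (case-insensitive)."""
    return [(e["host"], e["image"].lower()) for e in events
            if e.get("type") == "process" and e.get("image", "").lower() in EXFIL_TOOLS]

def find_large_cloud_uploads(events):
    """Sum outbound bytes per (host, destination) to cloud storage; return pairs over threshold."""
    totals = defaultdict(int)
    for e in events:
        if e.get("type") == "netflow" and is_cloud_storage(e["dst_host"]):
            totals[(e["host"], e["dst_host"].lower())] += int(e["bytes_out"])
    return {k: v for k, v in totals.items() if v >= LARGE_XFER_BYTES}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("tool executions:", find_tool_executions(evs))
    print("large cloud uploads:", find_large_cloud_uploads(evs))
```

Note that ws03 moves more data than ws01 but is not flagged, because the destination is not a watched cloud-storage domain; a general volume baseline per host would be a separate check.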