Ransomware attacks are showing signs of evolution, with financially motivated threat actors increasingly focusing on data theft and extortion rather than solely encrypting systems. This shift may cloud understanding of the true scope of ransomware incidents, according to a new report from Google Threat Intelligence Group.
While traditional ransomware, which involves encrypting victim systems, remains a significant threat, attackers are leaning more heavily into data theft as a primary extortion method. Genevieve Stark, head of cybercrime intelligence at Google Threat Intelligence Group, told CyberScoop that English-speaking underground actors are largely prioritizing data-theft extortion. This trend includes prominent groups like Scattered Spider, ShinyHunters, and Clop, known for some of the most impactful cyberattacks in recent years.
The Evolving Landscape of Ransomware and Data Extortion
The Google Threat Intelligence Group’s research highlights how the dynamic nature of cybercrime can obscure the precise definition and prevalence of ransomware. While data theft often accompanies traditional ransomware attacks to apply additional pressure, it is not technically considered ransomware unless encryption is involved.
Mandiant researchers observed a decline in traditional ransomware deployments alongside a rise in data-theft extortion tactics. They also noted that some ransomware-as-a-service (RaaS) programs are now offering data-theft-extortion-only options, potentially reflecting customer demand. This indicates a strategic shift among attackers, seeking to maximize profit with methods that may require less technical sophistication for the initial entry.
Challenges in Measuring Impact
Accurately quantifying the scale of ransomware incidents presents significant challenges for the cybersecurity industry. Insight is often limited to the data gathered by individual incident response firms, and information is typically shared on a case-by-case basis rather than through centralized reporting.
Stark noted that the industry relies heavily on metrics like the volume of posts on data-leak sites, which can be unreliable. Threat actors may inflate their claims or recycle old breaches. However, these sites can still offer valuable insights into trends, such as shifts in targeting or increased alleged attacks on specific sectors or regions.
Google reported a significant increase in data-leak site activity, with the number of posts jumping 48% to 7,784 in 2025. The number of unique data-leak sites also increased by nearly 35% to 128.
Key Tactics and Vulnerabilities Exploited
Google’s report also details the tactics observed during ransomware incident responses throughout 2025. Exploited vulnerabilities were the most common initial access vector, accounting for one-third of all incidents. This was followed by various forms of web compromise and stolen credentials.
Attackers frequently targeted vulnerabilities in widely used virtual private networks (VPNs) and firewalls from vendors including Fortinet, SonicWall, Palo Alto Networks, and Citrix. The report specifically identified 13 vulnerabilities, many of which have been known for years, as being among the most exploited for ransomware attacks last year. This suggests that organizations are not always patching known security flaws promptly.
Stolen credentials were the second most common initial access point, used in 21% of intrusions. Attackers often leveraged these credentials to access victim networks via VPN or Remote Desktop Protocol (RDP) connections.
Shifts in Attack Vector and Infrastructure Targeting
Interestingly, Google observed a year-over-year decline in the successful deployment of ransomware, dropping from 54% in 2024 to 36% in 2025. This could indicate that defenses are improving, or that attackers are facing increased resistance once inside a network.
A notable development in 2025 was the increased targeting of virtualization infrastructure, such as VMware ESXi hypervisors. These environments were targeted in 43% of ransomware intrusions, a significant increase from 29% in the previous year. Attackers favor these targets because compromising a hypervisor can allow them to affect a large number of systems with minimal effort.
The report identified several prominent ransomware families and active brands in 2025, including Agenda, Redbike, Clop, Playcrypt, Safepay, Inc, RansomHub, Fireflame, Qilin, Akira, Play, Lynx, DragonForce, and Sinobi.
Moving forward, the cybersecurity industry will likely continue to see these evolving tactics. The focus will remain on understanding the true impact of data extortion and the recurring exploitation of known vulnerabilities, alongside the growing threat to virtualized environments. Uncertainty remains regarding the precise volume of data-theft-only extortion incidents, as firms continue to refine their methods for tracking various forms of cybercrime.