Cybercrime Shifts to Data Theft Over Encryption
New cyber insurance claims data from Resilience reveals a shift in ransomware tactics. In the second half of 2025, more than two-thirds of attacks leveraged data theft for extortion rather than encrypting systems. This change indicates that cybercriminals are prioritizing long-term leverage and data monetization over causing immediate operational disruption.
- This evolution in cybercrime strategy is a direct response to more robust corporate backup and recovery solutions, which render data encryption for ransom less effective. Attackers now recognize that the threat of releasing sensitive information provides them with longer-term leverage. - The financial consequences of data theft extend far beyond any ransom paid, with the average cost of a data breach in the United States reaching $10 million in 2025. These costs are compounded by regulatory fines, legal fees, and significant reputational damage that can impact a company's stock value and customer trust. - Cybercriminal groups are exhibiting increased sophistication by timing attacks to coincide with periods of reduced cybersecurity staffing, such as year-end holidays, and by exploiting zero-day vulnerabilities in widely used enterprise software. - The tactic of "double extortion," where data is both stolen and encrypted, is being supplemented by "triple extortion." In this scenario, attackers also threaten to launch distributed denial-of-service (DDoS) attacks or directly contact a company's clients and partners to pressure the victim into paying. - Data-only extortion attacks saw a significant rise, increasing elevenfold from November 2024 to November 2025. This has led to the emergence of new threat groups that have completely abandoned encryption in favor of pure data theft and extortion. - Attackers are now weaponizing a company's own data against them by stealing cyber insurance policies to precisely calibrate ransom demands below the coverage limits, thereby increasing the likelihood of a payout. - The underground market for stolen data is a major driver of this trend, with personal and corporate information being sold for use in various fraudulent activities, including identity theft and targeted phishing campaigns. Healthcare records have become particularly valuable, estimated to be worth ten times more than credit card numbers on the dark web. - In light of these developments, cybersecurity experts are urging businesses to shift from a reactive, recovery-based posture to a proactive strategy centered on data loss prevention, zero-trust network architecture, and comprehensive employee training to recognize and report threats early.
