Ransomware shifts to data leaks
Ransomware actors are increasingly favoring pure data extortion — threatening to publish stolen data even if systems are restored — a change researchers reported is complicating incident response. At the same time, an INTERPOL‑led operation disrupted networks in 72 countries, underscoring logistics' exposure to global cybercrime targeting shipment tracking and operator systems.
77% of intrusions in 2025 included suspected data theft, up from 57% in 2024. Qilin and Akira RaaS brands expanded after RansomHub's exit, driving a record high of victims posted to data‑leak sites in 2025. Attackers targeted virtualization infrastructure in about 43% of intrusions and used VPN/firewall exploits for initial access in roughly one‑third of incidents, complicating forensic imaging and recovery timelines.
Operation Synergia III sinkholed more than 45,000 malicious IP addresses, seized 212 devices and led to 94 arrests across 72 countries between July 18, 2025 and January 31, 2026. Private partners including Group‑IB and Trend Micro supplied intelligence and takedown support during Synergia III, enabling cross‑border correlation of malicious infrastructure.
Cyble recorded 283 ransomware attacks against transport and logistics firms in 2025 — a total larger than the combined incidents from 2023 and 2024 — highlighting why shipment‑tracking and operator systems are high‑value targets for data extortion.
Past infrastructure takedowns have been followed by rapid affiliate migration to new RaaS brands (as seen after RansomHub's collapse), indicating that Synergia III's disruptions will reduce capacity temporarily but not eliminate data‑leak extortion risk.