Ransomware is shifting to data extortion — big attacks and a global takedown

Google Threat Intelligence Group’s analysis found suspected data theft in 77% of ransomware intrusions in 2025, up from 57% in 2024, highlighting a measurable shift toward pure data extortion rather than just encryption. (cloud.google.com) GTIG’s dataset also shows about 43% of intrusions in 2025 targeted virtualization infrastructure (up from 29% in 2024), and roughly one-third of incidents used confirmed or suspected exploitation of vulnerabilities in VPNs and firewalls as initial access vectors. (cloud.google.com) Ransomware group CoinbaseCartel publicly claimed breaches of Neochromosome on March 15, 2026, with the group posting an extortion notice for Neochromosome and a separate leak claim for Illumina the same day. (dexpose.io) Dark‑web leak pages and automated trackers show CoinbaseCartel’s Illumina post categorized as “data uploaded,” while security scrapers and trackers indexed the Neochromosome entry as a March 15, 2026 posting. (redpacketsecurity.com) Ransomware group Everest claimed a March 15, 2026 breach of Evaluate, a Norstella company, on its leak site, and Qilin claimed a simultaneous March 15, 2026 extortion posting against Polish retailer Salag. (dexpose.io) INTERPOL’s Operation Synergia III, conducted from 18 July 2025 to 31 January 2026 across 72 countries, dismantled over 45,000 malicious IP addresses and servers and resulted in 94 arrests with another 110 individuals under investigation. (interpol.int) GTIG and Mandiant‑sourced analysis notes that long‑standing RaaS families such as Qilin and Akira expanded in 2025, contributing to a record high number of victims posted to data‑leak sites that year. (cloud.google.com)