Ransomware has always operated on a set pattern – infecting victims’ systems, demanding ransoms, and vanishing once the payment was made. This approach has been transformed significantly. The contemporary ransomware ecosystem has shifted its focus beyond file encryption – now it revolves around the theft of critical enterprise data for extortion purposes.
The cybercrime groups behind ransomware have evolved into structured organizations. They have their own marketing campaigns, payment negotiations, and even information monetization through leaks or dark web marketplaces.
Enterprise leaders can no longer treat ransomware as a matter of downtime costs alone. These attacks can lead to regulatory issues, reputation damage, loss of customer trust, and IP theft.
According to recent findings by BlackFog, ransomware attacks involving data exfiltration accounted for 94% of all ransomware incidents in 2024. [1]
Change from Encryption to Extortion
The older ransomware programs were mostly dependent on encryption and disruption. But organizations enhanced their backup and recovery methods for such an eventuality. This led to a change in strategy by criminals.
Now, the first step is to steal sensitive data before carrying out any attack. If payment is not made, the attackers threaten to leak that data publicly.
For enterprise organizations, this transforms the entire discussion.
Even if data can be restored from backup sources, any leaked IP, financial information, customer databases, or documents are not going to be easily recoverable or “undone.”
Why Is Data Theft More Lucrative for Cybercriminals?
The criminals recognize that once the data is compromised, it will put continued pressure on the enterprise.
While an organization may survive downtime of several days, a data leak will result in:
- Regulatory investigation
- Legal penalties
- Loss of investor confidence
- Brand reputation damage
- Customer churn
- Competitive intelligence exposure
Research highlighted by IBM Think shows that ransomware attacks increasingly include data theft because it significantly increases the probability of payment. Attackers know organizations fear public disclosure more than temporary system outages. [3]
The economics are working in the criminals’ favor.
BlackFog’s ransomware analysis revealed that the average undisclosed exfiltration attack involved 592 GB of stolen data. [4]
That amount of stolen information can include:
- Customer identities
- Employee HR records
- Source code
- Financial statements
- Product roadmaps
- Healthcare records
- Vendor agreements
In many industries, exposure of this information creates liabilities far exceeding the ransom itself.
Ransomware Has Become an Organized Industry
The emergence of Ransomware-as-a-Service (RaaS) has led to an industrialization of cybercrime.
As stated by Ampcus Cyber, ransomware creators have started renting their attack infrastructure to affiliates based on revenue-sharing agreements.
Such a model enables even unskilled hackers to launch complex attacks through prepackaged malware, payment systems, and negotiation tools. [5]
Modern ransomware groups operate similarly to startups:
- Developers create ransomware platforms
- Affiliates conduct attacks
- Negotiators handle ransom discussions
- Leak-site operators publish stolen data
- Cryptocurrency laundering networks process payments
This ecosystem has accelerated attack volume globally.
According to BlackFog’s 2024 report, there were 65% more variants of ransomware compared to the previous year, with 48 new ransomware gangs forming in 2024 alone. [6]
Gangs such as LockBit and RansomHub have flourished through the use of. LockBit alone reportedly impacted 603 victims during 2024. [7]
Enterprise Leaders Face a Different Kind of Risk
The biggest misconception among executives is that ransomware remains only an IT issue.
It is now a boardroom-level business risk.
The consequences extend far beyond operational disruption. A single data extortion incident can create:
- Compliance violations
- SEC disclosure obligations
- Contractual breaches
- Litigation exposure
- Shareholder concerns
- Long-term reputational damage
Reputational loss that endures
As reported by IBM, the average cost of a data breach was $4.88 million worldwide, considering the escalating expenses related to restoring and investigating stolen data. [8]
The financial consequences become even more serious if the confidential enterprise data gets exposed to the public.
Due to the high value of their data, healthcare, government, educational institutions, and financial sectors will continue to be targeted by cybercriminals.
BlackFog found that these industries were responsible for 47% of ransomware breaches in 2024. [1]
Critical infrastructure organizations were also targeted: the report recorded cyberattacks against 103 energy and utility organizations within one year alone.
Why Are Backups Not Enough?
For decades, cybersecurity advice has recommended backing up data, which remains necessary but does not address the primary risk to businesses.
A company can restore encrypted systems, but it cannot “restore” leaked confidential data once criminals publish it online.
As recent industry research indicates, ransomware defense now requires more focus on data management and visibility rather than just disaster recovery. [9]
That is why new approaches to business security include:
- Data loss prevention (DLP)
- Data exfiltration monitoring
- Zero Trust architecture
- Identity protection
- Privileged access management
- Threat intelligence integration
- Network segmentation
Quick identification of breaches is also becoming critical, as hackers continue to linger in the environment for days or even weeks, collecting data before encryption takes place.
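As an added illustration of exfiltration monitoring (not taken from any of the cited reports), the sketch below scans flow records for two patterns consistent with the dwell time described above: a one-day egress spike against a host's own baseline, and a steady transfer to a single external destination that adds up over several days. The flow records, host names, internal ranges and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: these ranges are "internal"; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GB = 1_000_000_000

# Constructed flow records: (day, source host, destination IP, bytes sent).
FLOWS = [
    (1, "fs01", "10.0.4.20", 80 * GB),      # internal backup job, ignored
    (1, "fs01", "203.0.113.7", 200_000_000),
    (2, "fs01", "203.0.113.7", 250_000_000),
    (3, "fs01", "203.0.113.7", 180_000_000),
    (4, "fs01", "198.51.100.9", 40 * GB),   # one-day bulk upload
]
FLOWS += [(d, "hr02", "198.51.100.44", 6 * GB) for d in range(1, 6)]     # slow drip
FLOWS += [(d, "ws03", "203.0.113.80", 50_000_000) for d in range(1, 6)]  # normal

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exfil_candidates(flows, spike_factor=10, min_spike=1 * GB,
                          cumulative_limit=25 * GB):
    """Return sorted (host, reason, detail) findings for external egress."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes out
    per_dst = defaultdict(int)                     # (host, dst) -> bytes out
    for day, host, dst, sent in flows:
        if is_external(dst):
            daily[host][day] += sent
            per_dst[(host, dst)] += sent
    findings = set()
    # Spike: one day far above the host's own median of earlier days.
    for host, days in daily.items():
        ordered = sorted(days)
        for i in range(1, len(ordered)):
            baseline = median(days[d] for d in ordered[:i])
            today = days[ordered[i]]
            if today >= min_spike and today > spike_factor * baseline:
                findings.add((host, "spike", ordered[i]))
    # Cumulative: steady transfer to one destination that adds up over the window.
    for (host, dst), total in per_dst.items():
        if total >= cumulative_limit:
            findings.add((host, "cumulative", dst))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_exfil_candidates(FLOWS):
        print(finding)
```

The cumulative check is what catches `hr02`: its daily volume never deviates from its own baseline, so a spike-only rule would miss it.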
The Future of Ransomware: Pure Extortion
According to CISA, there have been cases where hackers prefer to commit data breaches and extort money without utilizing ransomware. [10]
This shift is significant in the sense that it does away with one of the common signs that indicate a ransomware attack. Companies will only realize that their data has been breached when they receive an extortion request.
The cybercriminals are shifting towards methods that help them achieve more profits within less time and at lower costs.
The message for the corporations is that ransomware is not only a malware problem; it is a much larger extortion economy built on valuable data.
Conclusion
Ransomware has grown into a complex enterprise for turning data into money. The tool used to attack is no longer encryption, but data theft.
The target victims are no longer companies that lack robust backup solutions, but businesses that have low visibility into their data, scattered cloud infrastructure, excessive permissions, and inadequate intrusion monitoring.
Since attackers keep moving towards data extortion attacks, businesses need to redefine cybersecurity not just as an IT security approach but also as a business continuity plan.
The real issue is no longer the ability to restore services, but the ability to withstand exposure of your data.
FAQs
What is data extortion in ransomware?
Data extortion means stealing important data and threatening to leak it unless you make a ransom payment.
What does double extortion ransomware refer to?
It includes both file encryption and threatening data leaks.
Why do ransomware groups target data theft?
This way, they put more pressure on the victims, since leaking any of the customer’s confidential information would lead to devastating results.
Which industries are susceptible to ransomware attacks?
Many industries could be attacked, including healthcare, government, financial, educational, and critical infrastructure.
Will creating a backup ensure ransomware safety?
While backing up your files would allow you to restore them, it would not prevent criminals from leaking the stolen information.
What is ransomware-as-a-service (RaaS)?
RaaS refers to criminal services, which involve selling ransomware to people who would then use it to launch ransomware attacks and split the profit.
Referred Links
1. BlackFog – 2024 State of Ransomware Report (94% of attacks involved data exfiltration)
2. IBM Think – What Is Ransomware?
3. IBM Think – Why Data Theft Increases Ransomware Payment Pressure
4. BlackFog – Average Exfiltration Data Statistics
5. Ampcus Cyber – Ransomware-as-a-Service Business Model
6. BlackFog – Growth of Ransomware Variants and New Gangs in 2024
7. BlackFog – LockBit Victim Statistics 2024
8. IBM – Cost of a Data Breach Report 2024
9. IBM Think – Modern Ransomware Defense and Data Visibility
10. CISA – Data Theft and Extortion Without Encryption Trends