The 2025 Annual Cyber Threat Report from ReliaQuest has revealed an alarming shift in the strategies of cybercriminals: ransomware has moved away from focusing on data encryption and is now prioritizing exfiltration and extortion. In 80% of the analyzed attacks, criminals chose to steal information instead of encrypting it, using the stolen data as leverage to demand multimillion-dollar payments.
This evolution of ransomware presents an unprecedented challenge for businesses, as paying the ransom no longer guarantees the recovery of information or the security of the stolen data. In many cases, even after payment, cybercriminals sell or publish the data on the dark web, further compromising the reputation and security of organizations.
Faster and More Automated Attacks
The report highlights how ransomware groups have refined their techniques, drastically reducing the time needed to execute a complete attack. Some of the most shocking statistics include:
- Average time to move laterally within the network: 48 minutes.
- Time to exfiltrate sensitive data: 4 hours.
- Time to deploy encryption if used: 6 hours.
- Fastest detected attacks: completed in 27 minutes from intrusion to execution.
Furthermore, cybercriminals have incorporated artificial intelligence (AI) and automation to accelerate their operations and evade enterprise defenses. As a result, traditional security methods are no longer sufficient to mitigate these threats.
How Do Attackers Access Systems?
The study conducted by ReliaQuest identifies the main attack vectors used by ransomware groups in 2024:
- Forgotten or poorly protected service accounts: 85% of attacks leveraged old credentials with elevated permissions.
- Lack of network monitoring: In most incidents, the affected companies lacked adequate activity logs, making early detection of the attack difficult.
- Use of legitimate tools to move undetected: 66% of attacks employed VPNs without multi-factor authentication (MFA), remote access software, and compromised credentials, allowing attackers to operate within systems without raising suspicion.
Attackers continue to rely on tried-and-true methods such as phishing and business email compromise (BEC), now with more sophisticated tactics, including identity spoofing within Microsoft Teams and evasion of authentication mechanisms.
Key Strategies to Prevent Ransomware Attacks
In light of this landscape, businesses must adopt a proactive and automated approach to cybersecurity. ReliaQuest recommends implementing the following measures:
- Incorporate AI and automation into security:
  - Advanced threats require real-time detection and response.
  - AI enables the analysis of behavior patterns and neutralizes attacks before they spread.
- Strengthen access controls:
  - Implement multi-factor authentication (MFA) across all critical services.
  - Apply client-based certificates to protect remote access.
  - Audit and remove inactive service accounts with elevated permissions.
- Update systems with immediate security patches:
  - Attackers exploit vulnerabilities in record time; keeping systems updated dramatically reduces risk.
- Enhance phishing protection:
  - Apply advanced filters for detecting fraudulent emails.
  - Train employees on identifying phishing attempts and social engineering attacks.
- Eliminate blind spots in the network:
  - Implement security solutions on all devices and servers.
  - Enable detailed activity logging to detect anomalies in real time.
  - Establish log retention policies that allow for quick incident response.
Paying Ransom Is No Longer a Viable Solution
The new approach to ransomware has made it clear that paying attackers does not protect companies from the consequences of a breach. Exfiltrated data can be used for future extortion, sold to other cybercriminals, or published on the dark web, causing irreversible damage to reputation and customer trust.
Beyond technical protection, companies must strengthen their incident response strategy and act transparently in the event of breaches, communicating with authorities and taking steps to mitigate legal and financial impacts.
The evolution of ransomware has changed the rules of the game. Now, the best defense is not to react but to anticipate with robust, automated, and AI-based security.