Ransomware - Google Warns of Shifting Tactics and Data Theft
Basically, ransomware criminals are changing how they attack as they earn less money.
Ransomware actors are changing their tactics as profits decline. Google warns that data theft is on the rise, impacting many organizations. It's crucial to adapt security measures to counter these evolving threats.
What Happened
In 2025, the ransomware landscape underwent a significant transformation. Once a highly lucrative model based on encrypting files for ransom, it now faces severe financial pressures. Ransom payment rates have plummeted to historic lows, with average demands dropping sharply. Reports indicate that organizations are recovering from attacks more effectively than in previous years, diminishing the leverage ransomware operators rely on.
According to Google Cloud's Threat Intelligence Group, the fourth quarter of 2025 saw ransom payment rates reach unprecedented lows. Average ransom demands fell from $2 million in 2024 to $1.34 million in 2025. Notably, nearly half of ransomware victims managed to restore their systems from backups in 2024, a stark contrast to just 11% in 2022. This shift in recovery capabilities has forced threat actors to adapt their tactics.
Who's Being Targeted
Despite the decline in profits, ransomware actors are not retreating. Instead, they are shifting their focus towards smaller organizations that often lack robust security measures. This change in target selection makes it easier for attackers to exploit vulnerabilities. Google Cloud's analysis identified REDBIKE as the most prevalent ransomware family in 2025, accounting for nearly 30% of incidents, surpassing previous leaders like LOCKBIT and ALPHV.
The ransomware ecosystem itself faced major disruptions in 2025, with several prominent Ransomware-as-a-Service (RaaS) operations being dismantled. However, new actors like Qilin and Akira emerged, filling the gaps left by their predecessors. The total number of victim posts on data leak sites increased by nearly 50% compared to 2024, indicating a growing trend in ransomware activity.
Signs of Infection
One of the most alarming trends is the rise of data exfiltration as a primary extortion method. Google Cloud's investigations revealed that approximately 77% of ransomware incidents involved confirmed or suspected data theft, a significant increase from 57% the previous year. Attackers are now stealing sensitive data before deploying encryption, threatening to leak it publicly even if victims manage to recover their systems.
To facilitate data theft, threat actors have relied on widely available tools like Rclone, which appeared in about 28% of data theft incidents. Other tools, such as WinRAR and FileZilla, were also commonly used. Attackers targeted sensitive documents, including legal and HR records, to maximize their leverage during negotiations.
How to Protect Yourself
Organizations are urged to implement robust data loss prevention (DLP) controls and monitor outbound traffic for unusual file transfers. Limiting the use of unapproved tools and maintaining detailed logs of cloud storage access can provide early warnings of potential exfiltration attempts. Following guidance from the Ransomware Protection and Containment Strategies white paper can also help organizations strengthen their defenses against evolving ransomware tactics.
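One way to act on the "limit unapproved tools" advice is to flag process launches of the transfer and archive tools named above on hosts where they are not approved. The sketch below is an added example, not code from Google or the article; the event field names, the host allowlist and the sample events are all constructed assumptions.

```python
import ntpath

# Tools named in the report, keyed by executable name (lowercase).
WATCHED = {
    "rclone.exe": "rclone",
    "winrar.exe": "winrar",
    "rar.exe": "winrar",
    "filezilla.exe": "filezilla",
}

# Hypothetical allowlist: (host, tool) pairs where the tool is sanctioned.
APPROVED = {("BACKUP01", "rclone")}

def classify(event):
    """Return an alert dict for one process-creation event, or None."""
    image = ntpath.basename(event["image"]).lower()
    # Assumed field: the name embedded in the binary's version resource,
    # which survives a rename of the file on disk.
    original = event.get("original_file_name", "").lower()
    tool = WATCHED.get(image) or WATCHED.get(original)
    if tool is None or (event["host"], tool) in APPROVED:
        return None
    reasons = ["unapproved tool: " + tool]
    if image not in WATCHED:
        reasons.append("binary renamed to " + image)
    return {"host": event["host"], "user": event["user"],
            "tool": tool, "reasons": reasons}

def scan(events):
    """Classify every event and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS02", "user": "svc_scan",
     "image": r"C:\ProgramData\svchost32.exe",
     "original_file_name": "rclone.exe"},
    {"host": "BACKUP01", "user": "svc_backup",
     "image": r"C:\Tools\rclone.exe",
     "original_file_name": "rclone.exe"},
    {"host": "HR-WS07", "user": "jdoe",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "original_file_name": ""},
    {"host": "HR-WS07", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Matching on the embedded original file name as well as the on-disk name keeps the check from being bypassed by a simple rename, and the allowlist keeps sanctioned backup jobs from generating noise.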
As ransomware actors adapt to a changing landscape, staying informed and proactive is crucial for organizations to mitigate risks and protect sensitive data.
Cyber Security News