Ransomware in 2026: Why Extortion Tactics Are Evolving

Ransomware continues to represent one of the most disruptive cyber threats facing organisations. While the techniques used by attackers are evolving, the operational impact remains the same: service disruption, financial loss and reputational damage.

Looking at the wider picture, threat intelligence also indicates that ransomware activity is continuing to increase globally.

Research tracking extortion groups identified more than 7,400 organisations named on ransomware leak sites in 2025, the highest level recorded to date. (SecurityBrief)

At the same time, the tactics used by attackers are changing in ways that organisations should understand.

The shift towards data-only extortion

One of the most notable changes in ransomware campaigns is the increasing use of data-only extortion.

Instead of encrypting systems, attackers steal sensitive data and threaten to publish it if a payment is not made. This approach has grown significantly in the past year, with some reporting suggesting an elevenfold increase in data extortion cases.

For attackers, this approach has several advantages. It reduces the risk of detection during encryption activity and can still create substantial pressure on victims who wish to avoid reputational damage or regulatory scrutiny.

For organisations, it highlights the importance of monitoring for unauthorised data access and exfiltration, not just ransomware deployment.

Smaller and faster ransomware operations

Another notable trend is the fragmentation of ransomware groups. Large, well-known brands are increasingly being replaced by smaller, decentralised operators that work through ransomware-as-a-service platforms.

These models allow far less experienced criminals to access attack infrastructure and extortion platforms. As a result, the overall number of attacks can continue to grow even when individual groups are disrupted by law enforcement.

Targeting sectors where disruption increases leverage

Threat actors consistently target industries where operational disruption creates pressure to restore services quickly.

Research shows that ransomware campaigns increasingly focus on sectors such as IT services, manufacturing and supply chains, where outages can halt operations and increase the likelihood of payment.

These industries often have complex technology environments, making them attractive targets for attackers seeking maximum impact.

What this means for organisations

The changing ransomware landscape reinforces several important security priorities.

Organisations should ensure that vulnerability management processes allow rapid remediation of critical flaws as they emerge; getting those quick wins is crucial from both an operational and a security standpoint. From what we can see, many ransomware campaigns still begin with the exploitation of known vulnerabilities.

Identity security also remains essential. Compromised credentials are frequently used to gain initial access before deploying ransomware or stealing data. Alongside this, make sure you are implementing the Principle of Least Privilege. Regularly review permissions and ensure that users have nothing more than what is explicitly required for their role at the time, then revoke access once it is no longer needed.

Finally, incident response capability continues to play a critical role. Even the most secure environments can still experience security incidents, and the speed of response often determines the scale of impact.

Strengthening ransomware resilience

Organisations that respond effectively to ransomware incidents tend to have several capabilities in place. These include clear visibility into network activity, tested backup and recovery processes, and rehearsed incident response procedures.

Having these capabilities ready before an incident occurs can significantly reduce the operational disruption caused by ransomware attacks.

Responding to ransomware incidents requires rapid investigation, containment and recovery. Many organisations are now choosing to establish an incident response retainer so that specialist responders are immediately available when a security incident occurs.

Here at Prism Infosec we provide incident response retainers that combine rapid response support with proactive readiness activities, including response planning and incident exercises.

To learn more about how an incident response retainer can strengthen your organisation’s resilience, visit: Incident response – Prism Infosec

About the author

George Chapman
George Chapman is a Senior Security Consultant with a background spanning red teaming, incident response, penetration testing, and vulnerability research. His work bridges offensive and defensive disciplines, enabling him to deliver robust security evaluations and strategic guidance that help organisations identify weaknesses and improve their overall cyber maturity.