Fragmentation, Extortion & the New Ransomware Reality
The cyber extortion ecosystem is entering a new phase of instability. In 2025, sustained law enforcement pressure and internal conflicts fractured the cybercriminal landscape. Major takedowns in late 2024 disrupted several high-profile operations, triggering a cascade of affiliate breakaways, rebrands, and turf wars that splintered once-dominant groups into more than 120 competing criminal organizations. At the same time, geopolitical tensions, including the ongoing US-Iran conflict, are adding further uncertainty.
These forces are accelerating a race to the bottom. Threat groups now operate in a more competitive system than ever before, defined by fragmentation, lower barriers to entry, and tactics that prioritize speed, data theft, and aggression.
Competition and Evolving Threat Groups
For years, the ransomware ecosystem was dominated by a handful of well-organized operations with recognizable brands. That model began to fracture after a series of coordinated law enforcement actions disrupted several of the most prominent groups. Arrests tied to major operations like LockBit, together with Scattered Spider’s migration from RansomHub to DragonForce, created a power vacuum that smaller groups like Qilin and Akira have moved quickly to fill, either by breaking away, rebranding, or launching entirely new operations. The result, observed by Resilience, was a sharp 53% increase in publicly disclosed victims from 2024 to 2025.
These groups are also becoming more aggressive. As organizations improve their ability to recover from the ransomware component of cyber extortion attacks, particularly through stronger backup and resilience strategies, attackers are under increasing pressure to extract value whenever they can. Resilience’s 2025 Midyear claims data backs this up: a full 79% of companies impacted by ransomware were able to avoid paying a ransom altogether.
That pressure is showing both in execution and negotiation. Incident response teams are seeing more aggressive and psychologically sophisticated tactics during the negotiation process. In some cases, threat actors are leveraging AI tools to tailor messaging in real time and reframe the narrative. Resilience observed attackers positioning themselves as rational actors, downplaying their role, and even pointing to cyberinsurers as the “real” adversary. It’s also becoming more common for them to use stolen cyberinsurance policies to precisely calibrate demands and anchor them just below coverage thresholds to increase the likelihood of payment.
The result is a more volatile and competitive environment, where a growing number of actors are incentivized to move quickly, differentiate their approach, and secure payment before others do.
Evolving Tactics
Insurance claims data offers a clear window into how cyber extortion tactics are evolving. Two of the most significant trends reshaping how these attacks unfold are the shift toward data theft as the primary leverage point and the growing role of stolen credentials in gaining access.
Historically, cyber extortion attacks relied on ransomware encryption to force payment. But as organizations strengthened recovery capabilities, attackers adapted by shifting their focus to data theft rather than encrypting files or systems. In fact, extortion demands to suppress stolen data comprised less than half (49%) of all extortion claims in the first half of 2025, then grew to nearly two-thirds (65%) in the second half, according to Resilience’s claims data.
The logic is simple: if organizations can restore systems without paying, the real leverage lies in the threat of public exposure. Releasing sensitive data can create reputational, regulatory, and legal consequences that are far harder to recover from than encrypted systems.
Attackers are also improving in resource development and initial access via infostealer malware. In the first half of 2025 alone, infostealers harvested roughly two billion credentials, over 70% of which were corporate and enterprise credentials, feeding a thriving underground market where access is bought, sold, and reused across campaigns.
In the majority of cyber extortion attacks, infostealer activity appeared in victim environments well before the full attack chain was executed. A single compromised identity can allow attackers to bypass perimeter defenses operating under the guise of legitimate users. Even safeguards like multi-factor authentication are increasingly being bypassed through session hijacking, token theft, and SIM swapping.
What This Means for Defenders
This more decentralized, faster-moving, and less predictable environment requires defenders to place a renewed focus on the proven basics, then add a layer of controls on top.
First, organizations need to renew focus on preventing data exfiltration. Data Loss Prevention (DLP) capabilities play a critical role here: DLP helps identify, monitor, and stop sensitive data from leaving the environment. If data is the primary source of attacker leverage, limiting who can access it and how it can leave the environment directly reduces the impact of an attack.
Second, organizations must adopt a zero-trust approach to identity and access. When credential theft becomes a primary entry point, trust cannot be assumed based on network location or a single authentication event. Zero-trust architectures help contain the blast radius of compromised identities by continuously validating users, restricting lateral movement, and enforcing least-privilege access across systems.
Third, defenders must continue to invest in early detection and response, particularly around credential exposure. Infostealer activity should be treated as an early warning indicator of potential cyber extortion activity, triggering immediate investigation and containment. In many cases, the window between initial compromise and full-scale attack is where organizations have the greatest opportunity to intervene.
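The three steps above amount to treating infostealer exposure and identity anomalies as early-warning signals. The following is an added example (not Resilience’s tooling, and not code from the article) that shows one way a detection team might operationalize that: it cross-references authentication events against a list of accounts reported by an infostealer-credential feed, and flags a single session token appearing from more than one source IP, which is the kind of session-hijacking indicator the article describes. The feed contents, log format and account names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed: accounts a (hypothetical) infostealer-credential feed reports as harvested.
EXPOSED_ACCOUNTS = {"j.doe@corp.example", "svc-backup@corp.example"}

# Constructed authentication log lines in a simple key=value format (not real events).
AUTH_LOG = """\
2025-03-01T08:02:11Z user=a.lee@corp.example result=success ip=203.0.113.10 session=s1
2025-03-01T08:05:42Z user=j.doe@corp.example result=success ip=198.51.100.7 session=s2
2025-03-01T08:06:03Z user=j.doe@corp.example result=success ip=198.51.100.7 session=s2
2025-03-01T08:09:30Z user=j.doe@corp.example result=success ip=192.0.2.44 session=s2
2025-03-01T08:15:00Z user=svc-backup@corp.example result=failure ip=203.0.113.99 session=-
"""

LINE_RE = re.compile(r"user=(\S+) result=(\w+) ip=(\S+) session=(\S+)")

def parse_auth_log(text):
    """Turn each log line into a dict; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            user, result, ip, session = m.groups()
            events.append({"user": user, "result": result, "ip": ip, "session": session})
    return events

def triage(events, exposed):
    """Return a list of alerts; duplicates for the same subject are collapsed."""
    seen = set()
    alerts = []
    # Rule 1: any authentication attempt by an account present in the infostealer feed.
    # A success is the stronger signal (credential already in use); a failure still warrants a look.
    for e in events:
        if e["user"] in exposed:
            key = ("exposed-credential-auth", e["user"], e["ip"], e["result"])
            if key not in seen:
                seen.add(key)
                sev = "high" if e["result"] == "success" else "medium"
                alerts.append({"severity": sev, "rule": key[0], "subject": e["user"], "detail": e["ip"]})
    # Rule 2: one session token observed from more than one source IP (token theft / replay indicator).
    ips_by_session = defaultdict(set)
    for e in events:
        if e["session"] != "-":
            ips_by_session[e["session"]].add(e["ip"])
    for sess, ips in sorted(ips_by_session.items()):
        if len(ips) > 1:
            alerts.append({"severity": "high", "rule": "session-multi-ip",
                           "subject": sess, "detail": ",".join(sorted(ips))})
    return alerts
```

In a real deployment the feed lookup would be replaced by the organization’s credential-exposure source and the log parser by the identity provider’s event schema; the two rules themselves are the point.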
Ultimately, being prepared in this chaotic environment is no longer defined by how quickly an organization can recover, but by how effectively it can limit what attackers can access, extract, and monetize in the first place.