Hackers Pivot to Ransomware Encryption Model as Data Theft Has Become Less Profitable

Beth Osborne
Blog
March 5, 2026
Every organization has ransomware worries. After all, experts predict an attack will occur every two seconds by 2031, underscoring how pervasive the threat has become. While ransomware attacks have historically been highly profitable, hackers are changing their tactics. Merely exfiltrating data for ransom has become less effective, prompting a shift toward ransomware encryption models.

A series of high-profile attacks has left cyber criminals with little return on investment. Since profit drives ransomware, these groups are rethinking their strategies to gain additional leverage over victims.

The State of Ransomware Profitability

Seizing data was once highly profitable for hackers. In 2021, Cl0p, a ransomware group, made tens of millions of dollars with the Accellion campaign. Approximately 25% of victims paid ransoms.

At the time, data theft without encryption was an effective and lower-effort strategy. However, the group's next attempts were less successful. Following the MOVEit breach, a report found that less than 2.5% of affected organizations paid.

The Shiny Hunters group also failed to extort money from their Snowflake and Salesforce attacks.

So, what changed?

Enterprise Breach Resilience Matures

The big change was with organizations themselves, not the attacks. Companies have strengthened their enterprise breach resilience dramatically. They’ve evolved by becoming more proactive and preemptive.

By refining their strategy and adopting modern data protection solutions, organizations have reduced the payoff for attackers. Greater resiliency is bad business for hackers, so they’re evolving their approach in response.

Ransomware Encryption Schemes Lift Payments

The report referenced above noted that average ransomware payments did increase, but the increases were isolated events tied specifically to decryption-motivated settlements.

In these cases, hackers exfiltrated the data and encrypted it. When security controls don’t stay with the data, companies may have little choice but to pay. Without access to the data, the alternative is prolonged business interruption, making ransom payment a faster path to recovery.

Cyber criminals seek the best return. They operate like businesses themselves, looking to reduce effort, cut costs, and pad margins.

The Best Way to Protect Against Ransomware

If you want to avoid becoming a victim of ransomware encryption or data exfiltration, implement data-centric security. It secures data at the source, and the protection moves with the data as it flows through the enterprise or when you share it.

Other tips include:

  • Know where all sensitive data lives: You need an automated data discovery solution that provides complete visibility across environments.
  • Use policy-driven protection: You can define controls centrally for PII, PCI, and PHI without relying on users. From there, apply remediation automatically and uniformly to encrypt, mask, redact, delete, or quarantine data.
  • Ensure secure data exchange: Business necessitates using and sharing sensitive data. Some approaches impact workflows and productivity. However, you can do this compliantly with a system that doesn’t use certificates for encryption and ensures seamless access for authorized users. Redacting or masking also preserves data utility.

Want to review more data security and cybersecurity trends? Watch our on-demand webinar, “2026 Outlook: Trends, Regulatory Change, and What’s Ahead for Data Security.”
