Ransomware Gangs Shift to Extortion

Google has warned that ransomware gangs are reinventing their business models as traditional encryption-based attacks become less profitable and data-theft extortion surges. According to new analysis, better cybersecurity controls, improved backup strategies, and stronger recovery capabilities mean more victims can restore their systems without paying, directly eroding criminal revenue. However, threat actors are not retreating; they are adapting their methods to make operations harder to disrupt.[1]

Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become a pervasive threat across almost every industry and region.

By 2025, this landscape entered a new phase. Once a highly reliable criminal business model built on encrypting victim files and collecting ransom payments, the sector is now under significant financial pressure. Average demands have dropped sharply, and in the fourth quarter of 2025 ransom payment rates reached a historic low, according to reports by Coveware.

Sophos reported that average ransom demands dropped by one-third, falling from $2 million in 2024 to $1.34 million in 2025.  Nearly half of ransomware victims recovered from backups in 2024, up from 11% in 2022.  This growing ability to recover has directly weakened the leverage ransomware operators depend on to collect payment.

Google Cloud analysts from the Google Threat Intelligence Group (GTIG) identified these evolving patterns through Mandiant incident response investigations conducted across organizations in Asia Pacific, Europe, North America, and South America throughout 2025.  Google experts noted that REDBIKE (aka AKIRA) has emerged as the single most prevalent ransomware family, accounting for nearly 30% of all observed incidents - a new high that surpassed previous peaks set by both LOCKBIT and ALPHV, which each reached 17% in 2023.

The ransomware ecosystem underwent major disruption during 2025. Prominent Ransomware-as-a-Service (RaaS) operations, including LockBit, ALPHV, Basta, and RansomHub, were significantly weakened or dismantled through law enforcement pressure and internal conflict.  However, groups such as Qilin and Akira stepped in to fill the void, and the total number of victim posts on data-leak sites surpassed the 2024 figure by nearly 50%.

Threat actors have begun targeting smaller organizations more heavily, shifting away from large enterprises with mature defenses toward businesses with less robust security programs.  Attackers now frequently steal sensitive files before deploying encryption, threatening to post the stolen data publicly on leak sites even if victims manage to restore their systems from backup.

Organizations are advised to follow guidance from the Ransomware Protection and Containment Strategies white paper, which outlines practical steps for endpoint hardening, containment, and recovery preparedness.  Key recommendations include implementing strong data loss prevention (DLP) controls, monitoring outbound traffic for unusual or large file transfers, and restricting the use of unapproved tools like Rclone and AzCopy.  Maintaining detailed logs of cloud storage access and visibility into endpoint activity can provide early warning of exfiltration attempts.
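The monitoring advice above (flag unapproved transfer tools such as Rclone and AzCopy, and alert on unusually large outbound transfers) can be turned into a simple detection pass over endpoint egress telemetry. The following is an added example, not code from the article, Google, or the white paper; the log format, field names, tool blocklist and 1 GB threshold are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Toy exfiltration detector over constructed endpoint egress telemetry."""
import re
from collections import defaultdict

# Constructed sample records: "<ts> host=<h> proc=<p> dst=<d> bytes_out=<n>"
SAMPLE_LOG = """\
2025-11-03T02:14:05Z host=ws-017 proc=outlook.exe dst=outlook.office365.com bytes_out=182000
2025-11-03T02:15:11Z host=ws-017 proc=rclone.exe dst=storage.example-cloud.net bytes_out=734003200
2025-11-03T02:16:40Z host=ws-017 proc=rclone.exe dst=storage.example-cloud.net bytes_out=901120000
2025-11-03T02:20:02Z host=fs-02 proc=azcopy.exe dst=blob.example-cloud.net bytes_out=2147483648
2025-11-03T02:21:30Z host=ws-044 proc=chrome.exe dst=www.example.com bytes_out=52000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)
UNAPPROVED_TOOLS = {"rclone.exe", "azcopy.exe"}  # assumed blocklist of sync tools
VOLUME_THRESHOLD = 1_000_000_000                  # assumed: 1 GB per host/destination


def parse(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def detect_exfiltration(text, tools=UNAPPROVED_TOOLS, threshold=VOLUME_THRESHOLD):
    """Return sorted alert tuples (kind, host, detail) for two exfil signals:
    an unapproved transfer tool seen on a host, and cumulative outbound
    volume from one host to one destination reaching the threshold."""
    alerts = set()
    volume = defaultdict(int)
    for ev in parse(text):
        if ev["proc"].lower() in tools:
            alerts.add(("unapproved_tool", ev["host"], ev["proc"]))
        volume[(ev["host"], ev["dst"])] += ev["bytes"]
    for (host, dst), total in volume.items():
        if total >= threshold:
            alerts.add(("large_outbound_volume", host, dst))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_LOG):
        print(alert)
```

Per-host/destination aggregation is what catches the Rclone case here: each transfer is below 1 GB on its own, but the two together cross the threshold.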

Google warns that while classic “encrypt and restore” ransomware remains a dominant operational threat, the economic pivot toward large-scale data theft and multi-layered extortion is likely to intensify in 2026, especially against smaller organizations lacking robust backup and incident response capabilities.


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    


[1] https://www.cybersecurityintelligence.com/blog/ransomware-gangs-shift-to-extortion-9221.html
