After years of success, it looks as if the era where ransomware gangs could make easy money from data leak extortion might finally have ended.
Despite its huge success, extortion-led ransomware is a surprisingly recent tactic, first becoming popular with criminals from around 2020 onwards.
Its rise was driven by two trends. The first was that traditional extortion based on encrypting files was becoming less effective as organizations started competently backing up their servers.
Second, attackers realized they’d been overthinking their tactics. Stealing and leaking data was a far more effective way to extort victims at a time when this might lead to loss of reputation and unhappy regulators. No need for time-consuming encryption routines – data could just be exfiltrated, a much quicker, simpler process.
Today, ransomware groups leaking victim data on dark web or clear websites is almost a spectator sport, with new victims added to the list almost every day. Despite this, a recent analysis from incident response company Coveware suggests that, behind the headlines, ransomware groups are struggling to make it pay.
Surprisingly, the turning point can be traced to one of ransomware’s biggest ever attacks, the Clop ransomware group hack in mid-2023 affecting 2,700 customers of the file transfer platform MOVEit.
Three years earlier, Clop breached Accellion (now Kiteworks), a major attack that Coveware estimates achieved a victim payment rate of around 25% and tens of millions of dollars in ransoms.
It was a similar story in 2023, when Clop targeted customers of Fortra’s GoAnywhere MFT platform, achieving a payment rate of 20% from 130 victims.
And yet by the time MOVEit was hit, the payment rate had plummeted to only 2.5%. The following year, Clop compromised the Cleo Managed File Transfer service, and the rate dropped to zero.
Back to encryption?
Ransomware has had its ups and downs, but that’s still a huge drop in success. What changed? One explanation is that victims got better at reconstructing lost data. It’s also possible that some of the data stolen in these attacks was less sensitive, which made companies less likely to pay up.
Or perhaps victims realized that paying a fee for stolen data is pointless when it’s already leaked. That data is never coming back and is already in the hands of unreliable people who have probably already sold it on, so why pay a fee for an empty promise?
It’s an example of how cybercriminal success can breed complacency. Extortion is a nasty business, but if the victim gets hurt anyway, the threats start to ring hollow.
Other ransomware groups are reported to have hit the same barrier in the last two years: growing and now extreme reluctance to pay. This is a huge challenge to the whole ransomware business model and one that, on the face of it, is not easily overcome.
Ransomware’s most likely response, Coveware reckons, will be to return to its pre-2020 roots and start using traditional encryption. This is backed by the evidence that the most active ransomware groups in 2026, Akira and Qilin, are groups that favor this tactic.
A more disturbing possibility is that ransomware might adopt destructive tactics, threatening to wipe or brick servers in the style of the recent nation-state attack on US medical company Stryker, which saw large numbers of files remotely wiped via the Microsoft Intune MDM platform. Ransomware might be down, but it will be some time before it stops being a major worry.