Report: Encryptionless Extortion on the Rise as Ransomware Groups Shift Tactics -- THE Journal

Research

Report: Encryptionless Extortion on the Rise as Ransomware Groups Shift Tactics

By Chris Paoli
01/28/26

Ransomware attacks continued to climb in 2025 as attackers increasingly timed operations around year-end staffing gaps and shifted away from traditional file encryption, according to a new report from NordStellar.

The report shows ransomware incidents increased 45% from the previous year, climbing from 6,395 cases in 2024 to 9,251 in 2025. Activity picked up late in the year, with December accounting for 1,004 incidents, the highest monthly total recorded over the past two years. Smaller manufacturing organizations were among those most frequently targeted.

"In the final quarter of 2025, ransomware groups exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring," said Vakaris Noreika, a cybersecurity expert at NordStellar. "However, the trend has been upward the whole year."

Separate analysis from Symantec and Carbon Black's Threat Hunter Team reported that ransomware actors publicly claimed 4,737 attacks in 2025, slightly higher than the 4,701 recorded in 2024. When encryptionless extortion incidents were included, total extortion activity rose to 6,182 attacks, a 23% increase year over year.

Manufacturing Sees the Most Pressure

Manufacturing organizations experienced more ransomware activity than any other sector in 2025. NordStellar data shows manufacturing accounted for 19.3% of all ransomware incidents, with 1,156 attacks recorded during the year, a 32% increase from 2024. In contrast, the education sector accounted for 3.6% of attacks in 2025.

Smaller firms bore the brunt of that activity. Companies with up to 200 employees and annual revenue of $25 million or less were targeted more often than larger enterprises.

The U.S. continued to account for the majority of ransomware activity, representing 64% of reported cases worldwide. NordStellar tracked 3,255 attacks against U.S.-based organizations, up 28% from the prior year. Canada and Germany also saw sharp increases.

"SMBs are attractive targets for ransomware attacks because they often lack security staff and tools and operate within limited cybersecurity budgets," Noreika said. "Smaller organizations are also more likely to rely on outdated software, have limited security monitoring, and rely on external vendors for IT support."

Ransomware Groups Reshuffle

Changes in targeting coincided with broader shifts in the ransomware-as-a-service ecosystem. Several established groups shut down during 2025, while newer operations expanded by absorbing displaced affiliates.

Qilin emerged as the most active ransomware operation, with 1,066 cases, a 408% increase from 2024. Akira followed with 947 cases, up 125% year over year.

RansomHub, which led ransomware activity earlier in the year, went offline in April after internal disagreements. LockBit had already ceased operations following major disruptions in late 2024.

Symantec identified 134 ransomware groups active in 2025, compared to 103 in 2024, a 30% increase.

Extortion Without Encryption

Attack techniques continued to evolve as more groups abandoned file encryption in favor of pure data extortion.

The Snakefly group, which operates Cl0p ransomware, played a prominent role after exploiting zero-day vulnerabilities in enterprise software. In October, the group targeted Oracle E-Business Suite users through a critical vulnerability, CVE-2025-61882. According to Symantec, the vulnerability had been exploited since August.

Researchers also tracked the emergence of Warlock ransomware, which appears to originate from China rather than traditional ransomware strongholds. Warlock was first observed in June 2025 and gained attention the following month after exploiting a zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770.

"The involvement of Chinese espionage actors in ransomware is a growing phenomenon," Symantec's report said. "The attackers behind Warlock appear to be a different breed of cybercriminal, where cybercrime is one of the group's core activities and not a sideline."

Preparing for 2026

Security researchers say organizations should assume ransomware pressure will continue to rise.

"Given the surge in 2025, ransomware incidents in 2026 are likely to exceed 12,000," Noreika said. "Businesses, especially SMBs and those operating in industries where operational downtime is unacceptable, should be on high alert and reassess their preparedness to combat ransomware."

Security firms continue to recommend basic controls such as regular patching, multifactor authentication, and offline backups to limit disruption when attacks succeed.

For the full report, go to the NordStellar site.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

E-Mail this page

Printable Format

Featured

NWEA Report Offers Natural Disaster Recovery Strategies

The Northwest Evaluation Association (NWEA), a K–12 assessment and research organization, recently announced the release of a new playbook for schools and communities recovering from extreme weather events.
Code.org Reinvents Hour of Code as Hour of AI

Education nonprofit Code.org has partnered with CSforALL to launch the Hour of AI, a global initiative providing learning activities for AI education.
Brainly Introduces Guided Audio Sessions for Mindfulness and Mental Health

Learning platform Brainly has announced ClarityPods, a library of audio sessions designed to help improve students' focus, emotional regulation, and self-belief.
THE Journal Announces 2025 Product of the Year Winners

Eight companies were selected as winners for their product achievements.