Mallory

Ransomware and Data-Extortion Groups Expand Pressure Tactics as Some Mass-Theft Campaigns Lose Leverage

Tags: ransomware-group-operation, underground-data-leak, operational-disruption, cybercrime-service-ecosystem, data-exfiltration-method
Updated March 21, 2026 at 02:36 PM (3 sources)

Ransomware operations are increasingly industrialized, shifting from simple file encryption to multi-stage extortion that combines encryption, data theft/leak threats, DDoS, and in some cases direct pressure on third parties such as customers, partners, or regulators. This “quadruple extortion” model has been associated with major groups including ALPHV/BlackCat, CL0P, and LockBit, reflecting a broader trend toward scalable, high-tempo campaigns designed to maximize coercion and revenue.

At the same time, incident-response reporting indicates some zero-day-driven, downstream mass data-theft extortion campaigns—popularized by CL0P against widely used file-transfer platforms—are becoming less effective at driving payments, as organizations better understand that paying for “data suppression” does not remove notification obligations or meaningfully reduce litigation and re-extortion risk. Separately, GuidePoint assessed with high confidence that the new “0APT” leak site’s claimed victim list is largely fabricated (or recycled from other groups) and likely intended to enable opportunistic extortion, re-extortion, or affiliate fraud; organizations named by 0APT were advised to validate impact via concrete indicators (e.g., ransom note, encryption, direct communication) before treating the posting as evidence of compromise.

Timeline

  1. Feb 9, 2026

    0APT site returns with a shorter victim list

    On February 9, 2026, 0APT's site reappeared with a reduced list of more than 15 large multinational companies. The change appeared aimed at making the operation look more credible after earlier allegations of fabrication.

  2. Feb 8, 2026

    0APT site goes offline after public scrutiny

    After researchers publicly questioned its claims, 0APT's leak site went offline on February 8, 2026. The outage followed growing scrutiny over whether the group had actually breached the organizations it named.

  3. Feb 5, 2026

    Researchers find signs 0APT is fabricating victim evidence

    By early February 2026, researchers and incident responders concluded that 0APT was likely faking many victim claims, including by presenting meaningless streamed data as supposed evidence files. At least two named organizations investigated and found no intrusion, ransom note, or direct contact attributable to the group.

  4. Jan 25, 2026

    0APT leak site appears and rapidly posts 200+ claimed victims

    In late January 2026, the data-extortion group 0APT emerged with a leak site and listed more than 200 alleged victims in about a week. Its rapid growth initially resembled a rebrand or splinter operation before researchers identified anomalies.

  5. Feb 1, 2025

    CL0P claims 385 attacks within weeks in February 2025

    In February 2025, CL0P reportedly took responsibility for 385 attacks within a few weeks, a volume described by TechRadar as a record for a single group in one month. The claim illustrated the industrial scale of modern extortion operations.

  6. Jan 1, 2025

    CRM-focused extortion attacks in 2025 are mainly attributed to ShinyHunters

    During 2025, another broad extortion campaign targeting CRM-related data was attributed primarily to ShinyHunters. As with earlier mass-theft events, payments by affected downstream victims were reported to remain uncommon.

  7. Jan 1, 2024

    Snowflake-related mass data theft campaign hits multiple victims

    In 2024, a large-scale extortion wave tied to Snowflake-related breaches affected numerous organizations, but incident responders reported that downstream victims were generally unlikely to pay. The campaign was cited as evidence that mass data-theft extortion was becoming less effective.

  8. Jan 1, 2023

    CL0P popularizes zero-day downstream mass data extortion

    CL0P established a large-scale extortion model in which zero-day vulnerabilities, often in file transfer software, were exploited to steal data from many downstream victims and pressure them to pay for supposed deletion. This marked a shift from traditional ransomware toward mass data-theft-driven extortion.

Related Stories

Data-extortion ecosystem expands as ransomware groups and initial access brokers scale intrusions

**Data-extortion intrusions increased sharply last year**, with Intel 471 tracking roughly **6,800 extortion-driven attacks**—about **63% higher than 2024**—and attributing much of the growth to heightened activity from **Qilin**, **Sp1d3r Hunters**, and **Clop** operations. More than half of impacted organizations were in the **United States**, with frequent targeting of **consumer and industrial product vendors, consulting firms, and manufacturing**; Intel 471 also assessed that **initial access brokers** increasingly focused on **remote access portals** as an entry point. The same analysis noted that attackers abused a significant portion of disclosed vulnerabilities (over **40% of 520** reported bugs) and forecast that **AI** will likely *accelerate* exploitation and enable higher-ROI fraud (e.g., deepfake impersonation), even if it is not yet the primary driver of intrusions. Broader threat reporting described a **fragmenting cybercrime economy** under law-enforcement pressure, with more **new ransomware variants** derived from leaked code and a more **modular “supply chain”** of specialized services (access, laundering, negotiation) that can rapidly reconstitute after disruptions. Separate reporting highlighted how **low-tech social engineering** remains effective—such as help-desk impersonation used to reset credentials and redirect payroll—and how healthcare continues to be a favored extortion target, including the emergence of a new **“Insomnia” data-theft** brand claiming mostly US healthcare-related victims. These trends reinforce that extortion risk is being driven not only by malware families, but by **repeatable access paths** (remote access exposure, credential reuse, and service-desk process weaknesses) that enable fast monetization.

1 month ago

Ransomware and Cyber-Extortion Trends: Shift to Data Theft and Evolving RaaS Ecosystem

Cyber insurance and threat reporting indicate **ransomware operators are increasingly leaning on data theft and extortion** as organizations improve backup and recovery. Coalition’s 2025 claims data (across 100,000+ policyholders) shows **business email compromise (BEC)** and **funds transfer fraud (FTF)** dominated claims volume, while **ransomware** represented a smaller share but featured **sharply higher initial demands** (average just over **$1.0M**, with some as high as **$16M**) even as average loss severity declined—consistent with improved restoration and response reducing the leverage of pure encryption-only attacks. In parallel, the broader ransomware ecosystem continues to **reorganize rather than shrink** despite sustained law-enforcement disruption of major RaaS brands (e.g., LockBit/Hive/ALPHV), with reporting citing high victim-post volumes across dozens of active operations. Halcyon reported a **tactical shift among pro-Iranian/pro-Palestinian-aligned operators** away from *Sicarii* toward **BQTLock (Baqiyat 313 Locker)**, including promotion of “free” RaaS access via Telegram and targeting focused on the UAE, US, and Israel. Separately, **ShinyHunters** claimed a major theft from AI merchant-data platform *Woflow* (alleging internal data, PII, and transaction/order details) but provided no sample for verification at the time of reporting, while a separate SC Media piece used the **SoundCloud** incident (reported exposure of data tied to ~**29.8M** accounts) to highlight incident-response and crisis-management considerations rather than new technical findings.

1 month ago

Ransomware and data-extortion activity escalates, highlighted by Conduent’s expanded breach impact and new tooling by World Leaks

Reporting and research indicate **ransomware/data-extortion activity remained elevated through 2025 into early 2026**, with threat actors increasingly emphasizing **data theft, public pressure, and supply-chain leverage** rather than encryption alone. Cyble’s threat landscape findings cited by TechRepublic put 2025 at **6,604 recorded ransomware attacks** (up **52% YoY**), with **731 attacks in December** and **2,000+ claims in the last three months of 2025**; the same reporting also notes **supply-chain attacks nearly doubled**, increasing the potential blast radius when service providers are hit. A major example is *Conduent*, where the **January 2025 ransomware attack** is now assessed to have impacted **~25 million Americans** (up from an initial **10 million**), with reporting describing **~8TB of data** stolen including **Social Security numbers and medical data**, alongside days of operational disruption. Separately, Accenture-linked research reported that the **World Leaks** extortion operation added a custom Rust-based tool, **`RustyRocket`**, described as a stealthy **data-exfiltration and proxy** capability using obfuscated, multi-layer encrypted tunnels and a runtime “guardrail” requiring a pre-encrypted configuration—features intended to make detection and monitoring difficult. Broader ecosystem reporting also highlights how **data leak sites (DLSs)** and “naming-and-shaming” tactics have become central to double-extortion pressure, while a weekly incident roundup underscores continued real-world disruption from ransomware (e.g., impacts to public services) and ongoing regulatory consequences for inadequate security controls following breaches.

1 month ago
