
By Mia MacGregor
Feb 26 - (The Insurer) - Ninety-six percent of ransomware cases now involve data theft as threat actors evolve in response to stronger backup and restoration capabilities, according to a new report from Arctic Wolf.
The 2025 Threat Report, based on data from hundreds of global digital forensics and incident response cases handled by Arctic Wolf from Oct. 1, 2023 through Sept. 30, 2024, found that as organisations implement more reliable backup and restoration processes, ransomware operators have turned to data exfiltration as a way to increase pressure and protect their revenue streams.
Despite this, Arctic Wolf said that preparedness remains critical. It noted that organisations were able to leverage backups to aid in recovery in 68% of ransomware incidents.
The report also found that three types of cyber incidents account for 95% of all Arctic Wolf’s incident response cases: ransomware (44%), business email compromise (BEC) (27%) and intrusions (24%).
While the combined share of these three incident types remains steady year over year, the proportion of intrusion cases has increased as ransomware’s share declines.
This shift is no coincidence, the report suggests, as many ransomware attacks are now being stopped before detonation, indicating improved detection capabilities among organisations.
The finance and insurance sector accounted for 26.5% of BEC cases, roughly double that of the second-most targeted industries: legal and government (13.3%).
Additionally, BEC was responsible for 53% of all incident response cases in the finance and insurance industry, making it the only sector where BEC incidents outnumber ransomware cases, according to the report.
“Clearly, organisations that regularly exchange money and process payment details over email are in the crosshairs of BEC attacks,” Arctic Wolf stated.
The report identified unsecured remote desktop protocol and compromised VPN credentials as the leading root causes of ransomware and intrusions, while phishing and previously compromised credentials were responsible for most BEC cases.
Arctic Wolf emphasised the importance of access controls and safeguards, including phishing-resistant multifactor authentication (MFA), as key measures to prevent attackers from gaining initial access and to thwart deeper intrusions.
In 76% of intrusion cases, attackers exploited just 10 specific vulnerabilities, none of which were zero-days. Most were tied to remote access tools and externally facing services, reinforcing the importance of proactive patch management, according to the report.
Arctic Wolf noted that the manufacturing sector led all industries in ransomware cases (18.6%), followed by healthcare (13.1%) and construction (12%).
Legal and government, along with education and nonprofit organisations, each accounted for 11.7% of ransomware incidents.
Median ransom demands remain high at $600,000, which the company said demonstrates that ransomware remains a lucrative business for cybercriminals despite increased law enforcement efforts.
These incidents continue to occur despite massive effort and expense directed toward prevention, Arctic Wolf noted, underscoring that preventative measures alone are insufficient.
While organisations must build strong cybersecurity fundamentals and continuously evolve their defenses, the report emphasised that proactive security must be complemented by reactive capabilities to quickly detect and respond to breaches.
Additionally, Arctic Wolf recommended risk transfer measures, including leveraging cybersecurity warranties and insurance.
“The 2025 Arctic Wolf Threat Report highlights a critical shift in cybercriminal behavior: data exfiltration has become the norm, not the exception,” said Kerri Shafer-Page, vice president of incident response at Arctic Wolf.
“Threat actors are no longer just locking up data with ransomware; they’re stealing it first to maximise pressure on victims.”