What happened
Google Cloud analysts from the Google Threat Intelligence Group (GTIG) said ransomware actors are changing tactics as ransom payments and average demands decline. Based on Mandiant incident response investigations across Asia Pacific, Europe, North America, and South America during 2025, the researchers found that attackers are relying more heavily on data theft, targeting smaller organizations, and using secondary monetization strategies as traditional ransomware profits weaken. GTIG reported that confirmed or suspected data theft appeared in about 77% of ransomware intrusions in 2025, up from 57% the year before, while the total number of victim posts on leak sites rose sharply. The analysis also found that REDBIKE accounted for nearly 30% of observed incidents, while groups such as Qilin and Akira expanded as other major ransomware operations weakened.
Who is affected
Organizations worldwide are affected, particularly smaller businesses and enterprises targeted by ransomware groups that are increasingly using data theft and extortion instead of relying only on file encryption.
Why CISOs should care
The findings show that ransomware operators are adapting to lower payment rates by shifting toward tactics that are harder to disrupt, including exfiltration, leak-site extortion, and alternative monetization of access to victim environments.
3 practical actions
Strengthen data theft detection. Monitor for unusual outbound transfers and use of tools such as Rclone, WinRAR, WinSCP, and cloud storage platforms during incidents.
Review resilience against extortion. Ensure backups, containment processes, and recovery plans are strong enough to reduce attacker leverage.
Track ransomware trend reporting. Use GTIG and Google Cloud threat analysis to monitor how ransomware groups are changing tactics and targeting patterns.
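As an added illustration of the first action (not code from GTIG, Mandiant, or this article), the sketch below pairs launches of the tools named above with the same host's outbound volume in the following hour. The event fields, the binary-name mapping, the 500 MiB threshold, and the sample telemetry are all assumptions constructed for the example.

```python
import ntpath

# Tools named in the article, mapped to binary names (assumed mapping for this sketch).
EXFIL_TOOLS = {"rclone.exe": "Rclone", "winrar.exe": "WinRAR", "rar.exe": "WinRAR",
               "winscp.exe": "WinSCP", "winscp.com": "WinSCP"}

def match_tool(proc):
    """Check the on-disk name and the PE original file name, so a binary
    that was renamed before being run is still recognised."""
    for name in (ntpath.basename(proc["image"]), proc.get("original_name", "")):
        tool = EXFIL_TOOLS.get(name.lower())
        if tool:
            return tool
    return None

def find_exfil_candidates(events, window=3600, byte_threshold=500 * 1024**2):
    """Pair each tool launch with the host's outbound bytes in the next `window` seconds."""
    flows = [e for e in events if e["type"] == "netflow"]
    findings = []
    for proc in (e for e in events if e["type"] == "process"):
        tool = match_tool(proc)
        if tool is None:
            continue
        sent = sum(f["bytes_out"] for f in flows
                   if f["host"] == proc["host"] and 0 <= f["ts"] - proc["ts"] <= window)
        renamed = ntpath.basename(proc["image"]).lower() not in EXFIL_TOOLS
        findings.append({"host": proc["host"], "tool": tool, "renamed": renamed,
                         "bytes_out": sent,
                         "severity": "high" if sent >= byte_threshold else "review"})
    return findings

# Constructed sample telemetry (not taken from the GTIG report).
SAMPLE_EVENTS = [
    {"type": "process", "host": "fs01", "ts": 1000,
     "image": r"C:\ProgramData\svchost64.exe", "original_name": "rclone.exe"},
    {"type": "netflow", "host": "fs01", "ts": 1200, "bytes_out": 400 * 1024**2},
    {"type": "netflow", "host": "fs01", "ts": 2500, "bytes_out": 300 * 1024**2},
    {"type": "process", "host": "ws17", "ts": 1100,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe", "original_name": "WinRAR.exe"},
    {"type": "netflow", "host": "ws17", "ts": 1300, "bytes_out": 2 * 1024**2},
    {"type": "process", "host": "ws17", "ts": 1150,
     "image": r"C:\Windows\System32\notepad.exe", "original_name": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_EVENTS):
        print(finding)
```

A tool launch with little outbound traffic is kept as "review" rather than dropped, since archiving with WinRAR can precede a transfer that happens later or from another host.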
