Arctic Wolf: Why Cybercriminals Steal First, Extort Second

Cybercriminals have shifted their approach in response to organisations improving their ability to recover from ransomware: steal first, extort second.
Over the last year, attackers have turned to stealing data rather than locking it up for ransom to increase leverage, with 96% of ransomware cases including data theft. This is one of several key trends at the heart of a significant shift in cybercriminal behaviour highlighted in Arctic Wolf’s 2025 Threat Report.
The report leverages insights from Arctic Wolf’s incident response engagements and threat intelligence research to provide a detailed examination of the tactics, techniques and procedures (TTPs) attackers are increasingly using to outmanoeuvre traditional defences.
It underscores a critical shift in the sophistication and adaptability of cybercriminals, who are also leveraging new technologies like AI and automation to scale attacks, exploiting vulnerabilities to infiltrate organisations more effectively and focusing on new ways to bypass stronger security defences.
The evolving approach to ransomware
One of the most significant findings is the continued dominance of ransomware – over the 12-month period covered by the report, ransomware and data extortion cases accounted for 44% of incident response cases.
Arctic Wolf says it’s likely these kinds of attacks will remain everyday threats for organisations in the future, particularly as the risk-versus-reward calculation continues to provide strong incentives for attackers.
More than 50 unique threat actor groups were recognised by the research, representing a ‘democratisation’ of ransomware that comes from low barriers to entry for criminals and the growth of ransomware developers writing and leasing their own attack software.
Data theft as part of ransomware attacks is increasingly common, as attackers look for new points of leverage to extort money.
“Data exfiltration has become the norm, not the exception,” says Kerri Shafer-Page, Arctic Wolf’s Vice President of Incident Response. “Threat actors are no longer just locking up data with ransomware; they’re stealing it first to maximise pressure on victims.”
Critical areas of vulnerability
Alongside ransomware, business email compromise (BEC) and intrusions represent the most common types of attack on organisations. BEC incidents are the second-largest cause of incident response cases, with threat actors following the money by targeting industries such as finance and insurance.
These kinds of attacks have evolved beyond traditional attempts to initiate fraudulent transfers, to a broader focus that encompasses account compromise, data theft, falsifying invoices and product theft.
Given the email-borne nature of the threat, Arctic Wolf finds an increasing use of social engineering and phishing attacks.
These are becoming more sophisticated, using personalised and context-aware tactics to trick employees into revealing sensitive information or clicking on malicious links. Human error remains a significant vulnerability, says Arctic Wolf, pointing to the importance of employee training and awareness programmes.
Other key findings include the increased targeting of cloud environments as businesses migrate more of their operations to the cloud, which creates new attack surfaces.
Cloud misconfigurations, compromised credentials and vulnerabilities in cloud applications are being actively exploited by threat actors. This means that traditional security measures, often focused on on-premises infrastructure, are no longer sufficient.
The report also emphasises the growing prevalence of supply chain attacks. These exploit vulnerabilities in third-party vendors and suppliers, allowing attackers to gain access to a wide range of target organisations through a single point of entry.
Recommendations for enhanced enterprise security
Based on these findings, Arctic Wolf offers several key recommendations for security leaders.
Organisations should focus on embracing a security operations approach, recognising that traditional point solutions are no longer adequate. Instead, a more holistic view of security, including continuous monitoring, threat detection and incident response, is essential.
Strengthening cloud security by implementing robust access controls, regularly auditing cloud configurations and leveraging cloud-native security tools is critical, as is enhancing vendor risk management processes.
Lastly, organisations must recognise the human-centric nature of many vulnerabilities, particularly around email compromise. To this end, investing in employee training and awareness programmes is a key factor in threat mitigation.
This can help to reduce the risk of social engineering and phishing attacks, empowering employees to be the first line of defence moving forward.
Cyber Magazine is a BizClik brand