ACCORDING to Coveware, mere data exfiltration is no longer lucrative for ransomware groups, and threat actors may increasingly rely on encryption to regain leverage. Following highly successful data-exfiltration-only attacks by known groups such as Cl0p, other gangs targeted MOVEit, Cleo, and Oracle E-Business Suite customers to steal data without encrypting it, but this approach no longer delivers ROI.
Coveware notes that in 2021 the Accellion campaign likely generated tens of millions of dollars, with over 25% of impacted organisations paying a ransom, and roughly 20% paid in the GoAnywhere MFT incident, whereas in MOVEit, Cleo and Oracle EBS incidents less than 2.5% paid and almost none did. Amid record low ransom payment rates, the firm expects ransomware groups to return to encryption, claiming it remains a more effective lever to prompt payment.
In Q4 2025, Akira led activity with about 14%, followed by Qilin with 13% and Lone Wolf with 12%, as the professional services sector saw the most attacks at 18.92% and other sectors including healthcare (15.32%) and technology hardware and equipment (9.91%) were affected.