For a long time, ransomware incidents have followed a predictable pattern. An organization’s systems are locked, critical files become inaccessible, operations slow down or stop entirely, and leadership must decide whether to recover data from backups or pay a ransom.
That pattern still exists today, but recent findings show that the threat has evolved into multiple forms.
A recent industry report based on hundreds of real-world incident response cases reveals that attackers are increasingly moving toward a different strategy. Instead of encrypting data, many are now stealing it and using it for extortion. These “data-only” attacks have increased sharply, rising from just 2 percent of cases to 22 percent within a year, representing an elevenfold jump.
This trend is also reflected in broader industry data. The Verizon 2025 Data Breach Investigations Report treats both encrypted and non-encrypted ransomware incidents as part of a single extortion category. According to its findings, ransomware was involved in 44 percent of the breaches it studied.
Why resilience needs to be redefined
These developments highlight a critical issue. Many organizations still treat ransomware mainly as a problem of restoring operations. Their focus is often on how quickly systems can be brought back online, whether backups are secure, and how much downtime can be managed.
While these factors remain relevant, they are no longer enough to address the full scope of risk.
When attackers shift their focus from disabling systems to stealing sensitive information, the situation changes completely. The priority is no longer just restoring access to systems. Instead, organizations must immediately understand what data has been taken, who owns it, and how sensitive it is.
This includes identifying whether the exposed information involves customer records, regulated datasets, intellectual property, or internal communications. It also requires knowing where that data was stored, whether in primary systems, cloud services, third-party platforms, or legacy storage that may have been retained unnecessarily.
If leadership teams cannot quickly answer these questions, restoring systems will not prevent further damage, including regulatory consequences, reputational harm, or legal exposure.
Data theft is becoming the main objective
Additional reporting reinforces this shift. Data from Coveware shows that in the second quarter of 2025, data exfiltration occurred in 74 percent of ransomware incidents. The company noted that in many cases, stealing data has become the central objective rather than just a step before encryption.
Attackers are no longer focused only on disruption. Instead, they are aiming to maximize pressure by using stolen data as leverage.
Encryption still exists, but its role is changing
This does not mean that encryption-based attacks have disappeared. Many ransomware operations still use a “double extortion” approach, where they both lock systems and steal data.
However, the key change is that data theft alone can now be enough to force payment. This reduces the effectiveness of relying solely on backups as a defense strategy.
Organizations such as the Cybersecurity and Infrastructure Security Agency continue to stress the importance of maintaining secure and offline backups that are regularly tested. At the same time, they warn that cloud-based backups can fail if compromised data is synchronized back into the system and overwrites clean versions.
This underlines a broader reality: restoring systems is only one part of true resilience.
Moving beyond a recovery-focused mindset
The cybersecurity industry is gradually adjusting to these changes. There is a growing emphasis on protecting and understanding data, rather than focusing only on system recovery.
This reflects a change in what resilience means. Resilience is no longer just about recovering from an attack. It is about reducing uncertainty about data exposure before an incident occurs.
However, many organizations still measure their preparedness using disaster recovery metrics such as recovery time objectives and backup testing. Even service providers often frame ransomware readiness in these terms.
In a data-driven threat environment, a more meaningful measure of security maturity is whether an organization truly understands its data. This includes knowing where sensitive information is stored, how it moves across systems, who has access to it, and whether it needs to be retained.
Guidance from the National Institute of Standards and Technology supports this approach. Its Cybersecurity Framework 2.0 recommends maintaining detailed inventories of data, including its type, ownership, origin, and location. It also emphasizes lifecycle management, such as securely deleting unnecessary data and reducing redundant systems that increase exposure.
NIST’s incident response guidance further highlights that organizations with clear data inventories are better equipped to determine what information may have been affected during a breach.
The hidden risk of data sprawl
A major challenge for many organizations is uncontrolled data growth. Sensitive information is often copied across multiple platforms, including cloud storage, collaboration tools, shared drives, employee devices, and third-party services.
At the same time, outdated data is rarely deleted, often because responsibility for doing so is unclear. Access permissions also tend to expand over time without proper review.
As a result, organizations may appear prepared because of strong backup systems while actually carrying significant hidden risk from poorly managed data.
The bigger strategic lesson
The key takeaway is not that backups are unimportant. They remain a critical part of cybersecurity. However, they solve a different problem.
Backups help restore systems after disruption. They do not protect against the consequences of stolen data, such as loss of confidentiality, reputational damage, or reduced negotiating power during an extortion attempt.
To address modern threats, resilience must become more focused on data. This includes better classification of sensitive information, stronger access controls, improved visibility across cloud and third-party systems, and stricter data retention practices to reduce unnecessary exposure.
Organizations also need to communicate more clearly with leadership and stakeholders about the difference between operational recovery and true resilience.
Ultimately, the organizations best prepared for modern ransomware are not just those that can recover quickly, but those that already understand their data well enough to respond immediately.
In today’s environment, the gap between having backups and truly understanding data is where attackers gain their advantage.
