One of the most significant developments in ransomware attacks reflects the high value that data holds in our economy as a commodity. And like any commodity that fetches a high price, cybercriminals will find ways to steal, exploit and monetize it for their own gain.
Where encryption was once the central aim of ransomware attacks, it has now been relegated to a supporting role, and data exfiltration has become the weapon of choice.
It means that we have entered the era of post-modern ransomware.
Today’s attackers are no longer content to simply lock systems and wait for payment; rather, they will seize data first and use it as immediate leverage – selling it, exposing it or holding it hostage.
While locked systems can usually be restored given enough time, data theft can’t be reversed, leading to months or even years of disruption, be it lost revenue or even costly lawsuits from disgruntled customers.
Supercharged by artificial intelligence (AI), these operations are faster, stealthier and more manipulative than ever before, and their real target is the data that is the beating heart of modern business.
From encryption to exfiltration
For more than a decade, ransomware was synonymous with encryption – systems locked, files scrambled and businesses forced to pay for the privilege of regaining access to their own data. That model has now been well and truly eclipsed. Exfiltration-first attacks have rewritten the rules, with stolen data providing criminals with a faster, more reliable payday than the complex mechanics of encryption ever could.
The threat of leaking data like financial records, intellectual property, and customer and employee details delivers instant leverage. Unlike with encryption, if the victim stands firm and refuses to pay up, criminal groups can always sell their digital loot on the dark web or use it to fuel more targeted attacks.
As seen with recent incidents – such as the spate of attacks on UK retailers like Harrods, Marks & Spencer, and Co-op – encryption remains a useful tool, the ‘shock and awe’ show of force enabling cyberattackers to create an immediate impact. But with recent estimates showing that 95% of ransomware attacks now involve data exfiltration, it is clear the economic centre of gravity has shifted.
AI as the attacker’s force multiplier
The increased confidence and aggression of ransomware gangs are enabled by their adoption of the latest digital tools. Like many legitimate businesses, cybercriminal groups are exploring AI to strip away the manual labour that once slowed their campaigns. Even the smallest groups can strike with the scale and sophistication of established syndicates.
Phishing emails, once known for being riddled with tell-tale grammar and spelling mistakes, are now polished, personalized and delivered in perfect English. AI-powered deepfake voices and videos are providing convincing impersonations of executives or trusted colleagues that have defrauded companies for millions.
At the same time, attackers are deploying custom chatbots to manage ransom negotiations across multiple victims simultaneously, applying pressure with the relentless efficiency of machines.
Fuelled by AI, criminal groups can better exploit tactics like multi-factor authentication (MFA) fatigue, in which victims are bombarded with endless prompts until the strain of constant alerts produces a single slip. Automating deception and magnifying human error makes AI a powerful accelerant for exfiltration-first operations that previously required far more time, expertise and resources.
The psychological battlefield
While technical advances are fuelling new tactics, ransomware has always been about more than technology – it’s also a contest of willpower. Adversaries wage a psychological battle on the defenders, hoping to exhaust and distress them until they give in to the pressure.
There are two prominent psychological aspects. First, attackers apply increasingly devious methods to deceive their victims and achieve the initial breach. The use of targeted phishing and deepfakes adds an unsettlingly personal aspect to the attacks.
Once the attack has succeeded, fear, fatigue and confusion are weaponized as much as malware, with the looming threat of disruption and data loss taking a heavy psychological toll.
The resources of security teams also play a part – these are individuals who are already stretched thin against a torrent of alerts, overtime and scrutiny, leaving stress and burnout to weaken their defences further. In this new reality, humans themselves have become the primary attack surface.
Rethinking resilience – defending both data and people
As attackers have shifted their focus from disruption to data, resilience must evolve in kind. On the technical front, the priority is to spot the warning signs of compromise before data leaves the network: unusual MFA activity, sudden spikes in outbound traffic or unexpected attempts to move sensitive files. Preventing exfiltration of data in real time at the source robs attackers of the very leverage that fuels their campaigns.
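The following added example, not part of the original article, implements two of the warning signs named above as detection logic: an MFA approval that follows a burst of denied prompts, and an outbound-traffic interval far above an account's own baseline. The event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from a real environment).
# MFA push events: (epoch_seconds, user, result)
MFA_EVENTS = [
    (1000, "alice", "denied"), (1030, "alice", "denied"), (1065, "alice", "denied"),
    (1090, "alice", "denied"), (1120, "alice", "denied"), (1150, "alice", "approved"),
    (2000, "bob", "denied"), (2400, "bob", "approved"),
    (3000, "carol", "approved"),
]
# Outbound bytes per 5-minute interval, keyed by the user's workstation
# (assumption: one workstation per user, so the key is the user name).
OUTBOUND = {
    "alice": [40_000, 52_000, 47_000, 45_000, 50_000, 900_000],
    "bob":   [30_000, 35_000, 28_000, 33_000, 31_000, 36_000],
}

def mfa_fatigue_alerts(events, window=600, min_denied=5):
    """Flag an approval preceded by >= min_denied denials within `window` seconds."""
    denied = defaultdict(list)
    alerts = []
    for ts, user, result in sorted(events):
        if result == "denied":
            denied[user].append(ts)
        elif result == "approved":
            recent = [t for t in denied[user] if ts - t <= window]
            if len(recent) >= min_denied:
                alerts.append((user, ts, len(recent)))
            denied[user].clear()  # an approval starts a fresh sequence
    return alerts

def outbound_spikes(series, factor=5.0, min_history=4):
    """Flag intervals exceeding `factor` x the median of all earlier intervals."""
    alerts = []
    for key, values in series.items():
        for i in range(min_history, len(values)):
            baseline = median(values[:i])
            if baseline > 0 and values[i] > factor * baseline:
                alerts.append((key, i, values[i], baseline))
    return alerts

def correlated(mfa_alerts, spike_alerts):
    """Accounts showing both signals: the first candidates for containment."""
    return sorted({u for u, *_ in mfa_alerts} & {k for k, *_ in spike_alerts})

if __name__ == "__main__":
    mfa, spikes = mfa_fatigue_alerts(MFA_EVENTS), outbound_spikes(OUTBOUND)
    print(mfa, spikes, correlated(mfa, spikes), sep="\n")
```

Using the median of earlier intervals as the baseline keeps a single large transfer from inflating the threshold for the intervals that follow it.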
Yet resilience is not simply a matter of dashboards and detection thresholds – it is equally about supporting those on the frontlines. Security leaders already working punishing hours under relentless scrutiny cannot be expected to withstand endless fatigue and a culture of blame without consequence. Organizations must also embed support for their teams into their response frameworks, from clear lines of communication and decompression time to wellbeing checks. CISOs and other security leaders need to be strategically empowered, rather than ending up as the fall guys when attacks succeed. True resilience is both technical and cultural, a recognition that protecting systems is futile unless the people behind them are also protected.
Preparing for the new wave of ransomware
Ransomware has entered a post-modern phase, and attackers now rely on psychology as much as code, exploiting stress, fatigue and fear to breach the strongest defences. Organizations must be prepared for highly personalized attacks that will target their most valuable assets and exploit their workforce at every level. Resilience is measured not only in restored systems or recovered data, but also in how well they protect and preserve the people who defend them.

