Data Theft Overtakes Encryption

Cybercriminals continue to refine their tactics, with data theft now dominating ransomware attacks. Meanwhile, business email compromise (BEC) schemes are becoming increasingly significant.

Ransomware tactics are evolving rapidly, with business email compromise (BEC) emerging as a growing threat. Despite heightened law enforcement efforts, ransomware attacks still account for the largest share of recorded incident response (IR) cases, making up 44 percent. As companies bolster their backup strategies for quicker recovery, cybercriminals have shifted their approach. Now, data exfiltration is a near-universal feature of these attacks, occurring in 96 percent of analyzed ransomware cases. Attackers steal sensitive data to either sell on the black market or use as leverage, threatening to expose customer information or other confidential business details. These insights come from the latest Arctic Wolf Threat Report.

Average Ransom Nears $600,000

The manufacturing and healthcare sectors are especially vulnerable to these attacks. With little tolerance for downtime, breaches in these industries cause significant disruption, and stolen personal data—particularly in healthcare—becomes a powerful bargaining chip for extortion. The average ransom demand holds steady at $600,000, consistent with last year’s figures. However, analysis reveals that companies employing professional ransom negotiators can often reduce these demands considerably.

Business Email Compromise (BEC) remains a persistent threat, representing 27 percent of observed IR cases and ranking as the second most common fraud tactic. Organizations that frequently handle financial transactions or payment data via email are prime targets. The finance and insurance sector, for instance, accounted for 26.5 percent of BEC-related IR cases—nearly double the rate of the next most-affected sector, legal and administration. In fact, BEC incidents comprised over half of all IR cases in finance and insurance.

“Phishing and compromised credentials continue to drive BEC attacks,” says Sebastian Schmerl from Arctic Wolf. “AI is empowering attackers to craft increasingly sophisticated and personalized campaigns, meaning awareness training alone isn’t enough to stop every incident—though it does help catch the many poorly executed attempts. Beyond training, companies need robust access controls. Combining password management with modern multi-factor authentication, like biometrics or physical security keys, is essential to block unauthorized access effectively.”

A Handful of Vulnerabilities Exploited Repeatedly

Intrusions rank third among recorded IR cases, constituting 24 percent. In 2024, over 40,000 security vulnerabilities were documented, with critical and severe vulnerabilities surging by roughly 134 percent. Yet, in three-quarters of intrusion cases, attackers exploited just ten well-known vulnerabilities—all of which had available patches.

Most incidents targeted remote access tools and externally facing systems or services. In some instances, attackers capitalized on misconfigurations, such as open ports, exposed internal websites, or administrative accounts vulnerable to brute-force attacks. This underscores the critical need for proactive patch management.

“Every unpatched system is an open invitation for attackers—and cybercriminals know it,” warns Sebastian Schmerl. “Effective vulnerability management, including automated patching and continuous monitoring of the attack surface and threat landscape, is vital to reducing the risk of successful breaches.”

Arctic Wolf, which operates one of the world’s largest commercial Security Operations Centers (SOCs), compiled this report using data from threat intelligence, malware analysis, digital forensics, and incident response cases across its comprehensive security operations framework.