
Ransomware hasn’t gone away in 2025—it’s evolved. From shifting extortion models to major changes in data hosting and access, the latest threat actor tactics are forcing security teams to rethink how they assess risk during and after an incident.
In this episode of Leaky Weekly, our cybercrime current events podcast, Tammy Harper, Senior Threat Intelligence Researcher at Flare, joins host and security researcher Nick Ascoli to discuss how ransomware groups are adapting in 2025, why data-only extortion isn’t catching on, and how access to leaked data is shaping both victim decision-making and long-term exposure.
Tune in to the podcast below on Spotify or Apple Podcasts, watch the video episode on YouTube, or keep reading this article for the highlights.
Extortion-Only Still Isn’t Working
Each year, we hear predictions that ransomware will shift away from encryption and toward extortion-only attacks. And each year, that shift doesn’t fully happen.
Why not? There’s no real business model behind pure data theft. Hosting and distributing terabytes of data is expensive, especially when groups try to use bulletproof hosting, rented VPSs, or seeding services. With encryption, threat actors push the cost onto the victim, who pays to get their systems back; extortion-only actors have to host and serve the stolen data themselves, and often can’t afford to.
Most threat actors still use double extortion. Encrypting data gives them leverage, and exfiltrating data creates pressure. Purely stealing data is costly, logistically harder, and rarely pays off.
What’s Changing in 2025
That said, there are some notable shifts in how threat groups are operating.
- More attacks on virtual infrastructure: Groups like DragonForce and Qilin are specifically targeting ESXi environments. Misconfigured hypervisors mean more disruption, faster.
- File-by-file leak sites: Instead of offering torrents or bulk zips, many leak sites now let you browse and download individual files through a panel. These panels often use JavaScript challenges and token-based anti-scraping protections.
- Distribution bottlenecks: Some groups are using torrents (like Akira), but seed rates are inconsistent. Others (like RansomHub) actively block bulk downloads, making scraping or copying data slow or impractical.
Leak threat severity varies. If a group’s data has never been downloaded in full, the public threat may be limited—but the private risk is still real.
Public vs. Private Distribution
Even when public downloads are difficult or nonexistent, private distribution often continues behind the scenes.
Some groups distribute large datasets privately through:
- High-speed FTP servers
- Encrypted NAS drives
- Telegram (as Medusa did in 2023)
One important nuance: the lack of public access doesn’t mean a breach isn’t serious. It just means attackers are choosing to limit access—or sell to a select few.
Groups Innovating with Extortion Tactics
A few emerging groups are experimenting with unique models:
Weyhro
This group exfiltrates data without encryption and uses ChatGPT to summarize breach contents in bullet form. Their summaries are often grammatically perfect, making it obvious they’re machine-written.
Anubis
Operating as a broker or intermediary, Anubis sells data on behalf of others. They craft reputationally damaging narratives and publish evidence to support their claims. They’ve even notified regulators (like the U.S. SEC) to pressure victims into disclosure.
Their tactics resemble past actors like Snatch and Meow Leaks, but with more polish—and more focus on regulatory compliance deadlines as leverage.
Operational Challenges Behind Leak Sites
Infrastructure matters. Some groups (like Cl0p) offer fast, reliable downloads. Others (like Play) implement aggressive restrictions that require manual workarounds to even get a single file.
In some cases, groups fail to distribute their own leaks altogether. But others quietly build large collections of breach data, offering it to buyers or partners in private. The infrastructure and ease of access behind a leak site can dramatically affect:
- Whether victims feel pressured to pay
- Whether journalists or researchers can assess impact
- Whether threat actors can resell or weaponize stolen data
What Can Security Teams Do to Protect Against Ransomware Groups?
- Don’t underestimate double extortion. Extortion-only models still struggle due to infrastructure costs and limited resale value.
- Track threat group infrastructure. Some groups make exfiltrated data widely available. Others restrict it—intentionally or not.
- Expect data to surface privately. Even when leak sites are down or scrubbed, assume the data is circulating somewhere.
Leaky Weekly and Flare Academy
For a deeper dive into these trends, listen to the full episode on YouTube, Spotify, or Apple Podcasts.
Join us at Flare Academy, which can elevate your cybersecurity career. Our free training sessions are led by experts and cover critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications.
Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick and Tammy!), and more.