Data is the hostage: ransomware’s second act

by Black Hat Middle East and Africa

Ransomware became famous for encryption, but it’s going through a shift with serious consequences for victims: data theft increasingly arrives before the locks go on. Darktrace’s Annual Threat Report 2026 describes ransomware incidents in the Americas where adversaries include pre-encryption data exfiltration – a pattern that supports double extortion, and in some cases triple extortion.

For cybersecurity practitioners, that sequence changes what ‘containment’ means. You can halt encryption and restore backups. But stolen data keeps generating risk across weeks and months: regulatory scrutiny, customer notification, legal action, follow-on fraud, and recurring extortion attempts.

The model rewards attackers who treat operations like a supply chain. Access, movement, exfiltration, encryption, negotiation, monetisation – each step can be delivered by specialists.

Manufacturing sits at the centre of the pressure model

The same Darktrace Americas section makes it clear why certain sectors feel the squeeze. Manufacturing accounts for 17% of all recorded incidents in the region, and it represents 29% of recorded ransomware incidents.

That is, at least in part, because manufacturing brings a set of extortion-friendly conditions: 

  • Operational downtime costs money quickly
  • Supply chain dependencies propagate disruption
  • Hybrid environments combine modern SaaS with legacy systems and OT-adjacent infrastructure

Attackers know that business leaders in these environments calculate impact in hours, not quarters.

Regions show how extortion adapts to local conditions

Darktrace’s regional breakdown is valuable, because it shows extortion behaving like an economic system – adjusting to what works.

In Latin America, the report notes a rapid shift from traditional ransomware to data-leak extortion and information-stealing malware, with a focus on credential theft and sensitive data exfiltration. Even when encryption happens, the leverage often comes from exposure and pressure rather than access to a decryption key.

In Africa, the report points to fast growth and high consequences. Darktrace states ransomware increased 60% year-over-year, ransomware-related activity accounted for 39% of incidents, and data exfiltration appeared in 25% of cases. The same section identifies phishing as a leading entry point at 43%. These are the ingredients of a repeatable business model: low-cost entry, scalable operations, monetisation through disruption and exposure.

Data protection determines how much leverage attackers can apply

Thales supplies a statistic that explains why extortion works so well in cloud-heavy environments: only 47% of sensitive cloud data is encrypted.

Encryption doesn’t prevent theft in every scenario, and it doesn’t eliminate all forms of misuse. But it does change the economics. Plaintext data gives attackers immediate leverage, and it widens the set of victims affected by the incident to include customers, partners, employees, and regulators.

The same Thales report also points to operational risk as a recurring breach contributor: misconfiguration or human error is cited as the most common cause by 28% of respondents whose organisation experienced a data breach. That kind of failure mode feeds extortion – because attackers hunt for the easiest path to readable data.

The ecosystem grows as the business model proves itself

IBM’s X-Force reporting shows how crowded the extortion market has become: a 49% increase in active ransomware groups versus 2024, with 109 ransomware extortion groups identified in 2025 (up from 73 in 2024).

More groups mean more variability. Some operators run careful intrusions, and others run noisy smash-and-grab campaigns. But the aggregate result still looks the same for victims: heightened frequency, shortened timelines, and pressure applied through multiple channels.

For cybersecurity practitioners, there are some key lessons here to build into ransomware protection and response planning:

  • Assume exfiltration is part of the incident. Build response plans around data exposure: legal, comms, customer impact, and regulatory obligations.
  • Raise the cost of readable data. Prioritise encryption for sensitive cloud stores and tighten data handling pathways.
  • Measure risk through business impact. Manufacturing’s incident and ransomware concentration highlights how quickly operational pressure turns into payment pressure.

Modern ransomware behaves like a market for leverage. You can reduce exposure by treating data as an asset that needs constant protection – and by planning response around long-tail pressure, rather than short-term recovery.
