Growth in Data Extortion Incidents and Continued Dominance of Ransomware

Arctic Wolf has reported an 11-fold increase in data-only extortion incidents over the past year, alongside the continued dominance of ransomware, according to its 2026 Threat Report.
The report, based on hundreds of incident response engagements and threat intelligence investigations conducted in 2025, found that ransomware, business email compromise (BEC) and data-related incidents accounted for 92% of all cases handled by the company.
While ransomware remained the most common incident category, data-only extortion rose sharply, increasing from 2% to 22% of cases year-on-year. Arctic Wolf said the trend reflects a shift by threat actors towards stealing data and threatening publication, rather than deploying encryption, as organisations improve backup and recovery capabilities.
Abuse of remote access technologies also featured prominently. The report found that 65% of non-BEC intrusions originated from misuse of tools such as Remote Desktop Protocol (RDP), virtual private networks (VPNs) and remote monitoring and management (RMM) platforms. This marks a significant increase compared with previous years and highlights attackers’ preference for leveraging valid credentials and trusted access pathways over exploiting technical vulnerabilities.
Pre-ransomware activity — incidents identified before encryption occurred — accounted for 5% of cases, suggesting earlier detection and faster response are preventing some attacks from progressing. In 77% of ransomware incidents, organisations did not pay a ransom. Where payments were made, negotiation reduced initial demands by an average of 67%.
Phishing remained the primary driver of BEC, responsible for 85% of such incidents. The report noted that advances in AI-generated content have made fraudulent messages more convincing and scalable. Arctic Wolf also observed that the most exploited vulnerabilities were linked to CVEs disclosed in 2024 or earlier, underscoring the importance of timely patching and credential management.
In Australia, the report found continued targeting by both cybercriminal and state-linked actors. More than 80% of ransomware victims were concentrated in sectors including manufacturing, construction, business services, healthcare, financial services and logistics.
Small and medium-sized businesses accounted for 71% of Australian ransomware victims identified through leak site data, while enterprises accounted for 29%. The most active ransomware groups targeting Australian organisations were identified as Qilin, Akira, SAFEPAY, Kill Security and CL0P.
Arctic Wolf also reported observing adversary-in-the-middle (AiTM) phishing campaigns against Australian organisations, particularly targeting Microsoft 365 accounts. The company said the activity reinforces the need for phishing-resistant multi-factor authentication, conditional access controls, sign-in monitoring and rapid session revocation capabilities.
The full 2026 Arctic Wolf Threat & Predictions Report is available here.