Global ransomware activity showed a slight two percent decline in overall attack volumes for November of 2025, but threat actors significantly advanced their tactics and operational sophistication, signaling no meaningful reduction in risk for organizations.
Analysts observed that many ransomware groups shifted focus from simple mass targeting to more selective, high-impact victims, prioritizing sectors where operational disruption or data exposure yields higher leverage for extortion.
At the same time, criminal groups expanded their use of double- and multi-extortion techniques by combining system encryption with data theft, threats to leak information, and occasional harassment of customers, partners, or employees to increase pressure on victims to pay.
Investigators reported that encryption-less extortion attacks (campaigns that skip file encryption altogether and instead rely solely on stealing sensitive information) have become an increasingly important part of the overall extortion ecosystem. These operations typically exploit software vulnerabilities, sometimes including zero-day flaws, to gain access and quietly siphon data at scale, allowing criminals to threaten public disclosure, regulatory exposure, or competitive harm without the noise of a traditional ransomware incident.
The growing prominence of such attacks means that organizations can suffer major data breaches and extortion attempts even when their backups and business continuity plans would otherwise mitigate the impact of conventional ransomware encryption.
Source: https://www.scworld.com/brief/ransomware-volumes-dip-but-attack-methods-evolve-sharply
Commentary
The source above notes that online criminals are targeting specific victims. When phishing is involved, this is known as "spear phishing".
Spear phishing is a targeted form of online fraud in which criminals tailor convincing messages to a specific person, role, or organization to steal credentials, install malware, or divert money.
Unlike broad phishing blasts, spear phishing messages are customized using details from social media, company websites, news releases, and even breached data, so the communication feels routine and legitimate to the recipient.
Attackers often impersonate executives, vendors, IT support, payroll, or trusted third parties and use familiar language, current projects, or real colleagues' names to lower suspicion. The message usually creates urgency or confidentiality pressure, directing the user to click a link, open an attachment, change banking details, or approve a payment that quietly benefits the criminal.
Criminals are turning to spear phishing because it offers a high return with relatively low overhead and risk. A single successful email can provide direct access to email accounts, remote access tools, cloud applications, or payment systems, enabling follow-on fraud such as business email compromise, payroll diversion, vendor payment redirection, or ransomware deployment.
Organizations can lower their spear phishing risk by watching for the following warning signs:
- Unsolicited or unexpected messages that request or demand action or a response
- Messages suggesting or threatening that bad consequences will occur if there is not a response
- Threatening messages appearing to be from those in positions of power or authority and/or government agencies
- Messages that create a sense of urgency by requesting or demanding an immediate response
- Requests for personal identifiers, credentials, and/or financial information
- Unsolicited or unexpected requests to wire or transfer money
- Requests to transfer money to non-approved or unknown bank accounts or financial institutions
- Unexpected requests to send gift cards, cash cards, or transfer cryptocurrency
- Messages with offers that appear to be "too good to be true"
- Messages from an unfamiliar sender
- Unsolicited messages from a foreign sender asking you to act as an agent or perform acts on their behalf
- Messages from a known or familiar sender that are sent from an unknown domain/address
- Messages with unsolicited attachments or links
- Unsolicited messages requesting employment with attachments or links
- Requests or demands to override normal protocols, bypass procedures, or act outside the scope of given authority
- Attachments or links with unfamiliar or suspicious file extensions
- Messages with generic greetings
- Word choice that appears foreign or unusual for the sender
- Spelling and/or grammar errors
- Impersonation of well-known companies or government agencies
- Messages sent at unusual times from businesses or agencies
- Impersonation of a coworker or acquaintance from an unknown domain/address
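
Several of the warning signs above can be checked automatically before a message reaches a reader. The following is an added example, not code from the source article: a small Python triage function that flags a familiar name on an unknown address, urgency, money requests, requests to bypass procedure, generic greetings, and risky attachment extensions. The sender directory, keyword patterns, extension list, and sample messages are all constructed assumptions for illustration.

```python
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed directory of familiar senders (constructed names and addresses).
KNOWN_SENDERS = {"dana reyes": "dana.reyes@example.com",
                 "sam okafor": "sam.okafor@example.com"}
RISKY_EXTENSIONS = {".exe", ".js", ".scr", ".lnk", ".hta", ".iso"}  # illustrative, not exhaustive
PATTERNS = {  # illustrative keyword heuristics for indicators from the list
    "urgency": re.compile(r"\b(urgent|immediately|right away|asap)\b", re.I),
    "money_request": re.compile(r"\b(wire|gift cards?|bank account|cryptocurrency)\b", re.I),
    "bypass_procedure": re.compile(r"\b(keep this confidential|bypass|skip the (usual|normal))\b", re.I),
    "generic_greeting": re.compile(r"^\s*dear (customer|user|sir|madam|employee)\b", re.I | re.M),
}

def red_flags(msg: EmailMessage) -> set[str]:
    """Return the names of the warning signs found in one parsed message."""
    flags = set()
    display, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and addr.lower() != expected:
        flags.add("known_name_unknown_address")  # familiar name, wrong address
    elif addr.lower() not in KNOWN_SENDERS.values():
        flags.add("unfamiliar_sender")
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    flags.update(name for name, rx in PATTERNS.items() if rx.search(text))
    for part in msg.iter_attachments():
        # Only the final extension counts, so "invoice.pdf.js" is treated as ".js".
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXTENSIONS:
            flags.add("risky_attachment")
    return flags

def sample(sender, subject, body, attachment=None):
    """Build a constructed test message."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

SPOOFED = sample("Dana Reyes <dana.reyes@examp1e-pay.test>", "Urgent: wire transfer today",
                 "Hi,\nPlease wire the funds immediately and keep this confidential.",
                 "invoice.pdf.js")
ROUTINE = sample("Sam Okafor <sam.okafor@example.com>", "Team lunch Thursday",
                 "Hi all, lunch is at noon on Thursday.")

if __name__ == "__main__":
    print(sorted(red_flags(SPOOFED)), sorted(red_flags(ROUTINE)))
```

Keyword heuristics like these produce false positives and miss well-written lures, so they work best as a prompt for human verification of the request through a separate channel.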


