Data-only extortion surges as remote access abused
Arctic Wolf has reported a sharp rise in data-only extortion, with incidents up 11-fold year on year, as ransomware, business email compromise (BEC) and data-related incidents continued to dominate its global incident response work.
The security operations firm's 2026 Threat Report draws on incident response engagements and threat intelligence from the past year. Ransomware, BEC and data incidents made up 92% of its incident response caseload in 2025.
Data-only extortion stood out as the fastest-growing category. The share of data incidents rose from 2% to 22% as attackers increasingly stole information for extortion rather than encrypting systems.
Remote access abuse
The report also points to a shift in how intrusions begin: 65% of non-BEC intrusions stemmed from abuse of remote access technologies such as remote desktop protocol, virtual private networks and remote monitoring and management tools.
The pattern suggests attackers are favouring access methods that require fewer technical steps than exploiting software vulnerabilities. "Attackers continue to rely on operational efficiency - logging in instead of breaking in, stealing data instead of encrypting it, and exploiting trusted tools rather than complex vulnerabilities," said Ismael Valenzuela, Vice President, Labs, Threat Research & Intelligence, Arctic Wolf.
Organisations that invested in visibility, identity security and disciplined remote access controls were more resilient, according to Arctic Wolf. It also found that all of the most exploited common vulnerabilities and exposures it tracked were from 2024 or earlier, reinforcing the value of routine patching and credential rotation after vulnerability exposure.
Ransomware outcomes
Ransomware remained the most common incident response category. Pre-ransomware activity accounted for 5% of cases (incidents where earlier detection and faster response stopped attacks before encryption).
Among organisations that faced encryption events, 77% did not pay, Arctic Wolf reported. When a payment was made, professional negotiation reduced demands by an average of 67%.
"Organisations that invested in visibility, identity security, and disciplined remote access controls were far more resilient throughout the year," Valenzuela said.
BEC and phishing
BEC remained a key incident category, with phishing driving 85% of these incidents. Arctic Wolf linked the increase to artificial intelligence, which can make fraudulent messages more convincing and easier to scale.
The findings reinforce a long-running theme in email security and identity protection: many incidents begin with credential theft or social engineering that bypasses perimeter controls. Once attackers gain access to inboxes or authentication tokens, they can redirect payments, request sensitive information, or use compromised accounts as a staging point for broader access.
Australia focus
The report also includes a view of Australia, where Arctic Wolf continues to see pressure from state-linked operators and cybercriminal groups. More than 80% of ransomware victims it observed were in manufacturing, construction, business services, healthcare, financial services, and logistics or transportation.
Small and medium-sized businesses featured heavily. Leak-site data cited in the report indicates Australian SMBs accounted for 71% of victims, compared with 29% for enterprises. Arctic Wolf linked the split to readiness levels and said smaller organisations are facing a growing volume of incidents.
Arctic Wolf named several ransomware and extortion groups as among the most active targeting Australian organisations: Qilin, Akira, SAFEPAY, Kill Security and CL0P.
It has also observed adversary-in-the-middle phishing targeting Microsoft 365 accounts in Australia. The report points to phishing-resistant multi-factor authentication, conditional access, sign-in monitoring and rapid session revocation as defensive measures.
Valenzuela described an Australian environment where disruption risk and readiness gaps can overlap.
"In Australia, we're seeing sustained pressure in industries where even a brief disruption can have significant economic and community impact. At the same time, SMBs are experiencing a growing volume of incidents, which suggests many are still underprepared for the scale and persistence of today's threat activity.
"What is striking is that attackers don't need new tricks when the old ones still work. Threat actors are succeeding not because they're highly sophisticated, but because they're able to exploit weak passwords, poorly managed remote access, and gaps in everyday systems businesses depend on.
"The organisations that are faring better aren't necessarily the ones chasing the latest technology. They're the ones that prioritise visibility, manage identity carefully, and apply real discipline to how access is granted and monitored. When those foundations are in place, incidents are far more likely to be detected early and contained before they turn into major disruption."
The report also argues that early detection changes ransomware outcomes by stopping attacks before encryption or privilege escalation. "We continue to see that early detection completely changes the outcome of an attack," said Kerri Shafer-Page, Vice President of Incident Response, Arctic Wolf.