Why Data Is Now the Real Target

Ransomware-as-a-Service is collapsing as attackers abandon noisy encryption in favor of fast, AI-driven data exfiltration, making unstructured data protection—not endpoint recovery—the defining challenge for modern cyber defense.

The Quiet Collapse of Ransomware-as-a-Service — and Why Data Is Now the Real Target


By Ed Dubrovsky, CISSP, OSCP, PMP, MBA, MSc

Introduction: It Was Always About the Data

Data exfiltration is now the dominant tactic, preceding encryption in an estimated 72% of cases.* One common trend we observed in 2025 in practice, and one that we have been discussing for several years since FileFlex became the de facto ransomware risk deflator via unstructured data zero-trust controls, is that the focus was clearly shifting to data.

We believed it was always the data that posed the greatest risk, and with AI in the mix, with the ability to train on data and produce relevant insights in seconds, the threat actors are realizing that this is where the focus must be.

This change in focus is changing the RaaS (Ransomware as a Service) business model, which has dominated the cybercrime arena since roughly 2017.

RaaS is not breaking because cybercrime is shrinking; it’s losing relevance because endpoint encryption is disappearing, and with it, the need for developers and for paying RaaS operators for an element that is not being used.

Specifically, the following elements are driving the collapse of RaaS and the increased focus on speed, impact, and data exfiltration:

  1. The Affiliate Model Collapsed Under Poor Incentives

RaaS worked when highly skilled developers were required to build malware, and less-skilled affiliates handled the other attack layers, such as access and deployment. In return, profits were split cleanly.

All that is old history, and while some RaaS operators are trying to hang on, it is becoming clear that affiliates are focused on data theft only and skip encryption. This is completely logical because the encryption stage is always a very noisy affair, while data theft could potentially be overlooked by traditional security controls.

This is frequently referred to as single-phase or single-shot extortion.

Moreover, with increased law enforcement action against RaaS platforms, trust in the platforms is diminishing, and trust is everything to RaaS.

Some RaaS platforms are refusing to give up, but it is what I consider to be the final death throes of the ecosystem, and it is resulting in a rapid demise because developers are squeezing affiliates to compensate for the loss in revenues, are withholding decryptors, and some are running exit scams.

  2. Victims Stopped Behaving Predictably—and That Breaks RaaS

Remember the days when backups were not viable or did not exist? Most companies have responded, and in the majority of matters, this meant that decryptors are needed and an extensive recovery is required to get back to operations.

This is no longer the reality on the ground.

Organizations have invested the majority of their budgets in controls to prevent encryption. They are not sufficiently focused on preventing data exfiltration, what I term the “silent killer”.

Because of that shift, RaaS is failing, as it requires that victims panic, that boards pay for speed, and that cyber insurance carriers cover payment of the ransom.

This encouraged the mindset of “This is the cost of doing business”.

The reality now is that carriers have introduced aggressive exclusions, and OFAC/sanctions fears are increasing because negotiation and payment firms have failed in many cases to create a truly compliant and comprehensive compliance program to protect carriers, legal counsel, and companies.

Recovery firms became a cost factor that no one could really estimate, and recovery-at-scale was unattainable. However, where there is no encryption, there is little to no need for recovery.

  3. RaaS Platforms Became Obvious Targets

Another RaaS failure is that it places a very clear target on the platform for law enforcement (LE) and competitors alike. Affiliates are not looking for the bright lights, while RaaS platforms were looking for the “getting famous” aspect, and those two needs contradicted each other.

  4. Payment Behavior Reveals the Real Trend

When it comes to payment, the majority of victims of encryption attacks decide not to make a payment. Since they need to recover systems regardless of whether a decryptor is available or not, more than 75% of firms opt not to make a payment. However, in matters of data exfiltration, that figure is turned on its head. More than 55% of companies with data exfiltration are opting to make a payment. And based on statistics from CyberSteward, if the exfiltrated data is considered sensitive, almost 100% of companies are opting to make a payment.

These statistics are confusing when intermingled, but when separated, a clear trend emerges.

RaaS was primarily built to lock and ransom, not leak-and-pressure. The market changed, the product did not.

  5. AI Is Accelerating the Demise of RaaS

Analysis of data is producing quality and impact faster than ever before, enabling threat actors to monetize while the victim is under pressure and uncertainty. There is no longer a need for a platform, a brand, a support desk, or a payment broker. All that is required for an efficient operation is access to AI models, access to an organization, the data, and a pressure narrative.

What This Means for Defenders

For these reasons, defenders must reconsider priorities and how to achieve the objectives of protecting the perimeters, but more so, the data that is the lifeblood of most, if not all, organizations today.

FileFlex Enterprise is uniquely positioned to protect the unstructured part of data with clean integration into existing monitoring controls, as it introduces a unique data access to unstructured data elements using zero-trust concepts that are decades old, proven in military systems, and now brought up to the commercial space using intuitive interfaces and rock-solid technology and encryption.

However, the important element that must be highlighted is that the FileFlex Enterprise capability is completely incompatible with any threat actor attack chains and, most importantly, existing skillsets, and there is always something to be said about not being the lowest hanging fruit.

For further reading see Why Data Exfiltration Defines Modern Breaches, How to Enforce Zero Trust Access Control to Mitigate Data Breach and Ransomware, How to Reduce Ransomware Risk Using Zero Trust Data Access (ZTDA), and How to Reduce the Risk of Ransomware with the Zero Trust Platform of FileFlex Enterprise.

*CompareCheap SSL

Frequently Asked Questions

Why is Ransomware-as-a-Service (RaaS) becoming less effective?

RaaS depends on endpoint encryption to force payment, but modern defenses, backups, and recovery strategies have made encryption noisy, unreliable, and increasingly ignored by victims.

Why are attackers shifting from encryption to data exfiltration?

Data theft is quieter, faster, and more profitable—especially with AI enabling rapid analysis and monetization of stolen data while victims face regulatory, legal, and reputational pressure.

How does AI accelerate the decline of traditional ransomware models?

AI removes the need for centralized ransomware platforms by allowing threat actors to extract value directly from stolen data without malware brands, payment brokers, or affiliate ecosystems.

How does FileFlex address modern data-centric cyber threats?

FileFlex applies zero-trust access controls to unstructured data, preventing unauthorized access and exfiltration in ways that are fundamentally incompatible with modern attacker techniques.

Ed Dubrovsky, CISSP, OSCP, PMP, MBA, MSc, is a seasoned entrepreneur, executive, technical leader and board advisor to Qnext with more than three decades of experience in cybersecurity, risk mitigation, and incident response. He has directly managed over 11,000 security incidents, including ransomware, business email compromise, malicious insider activity, extortion, executive protection scenarios, and large-scale post-breach recovery programs. Ed has founded and scaled global cybersecurity companies employing hundreds of professionals and has been involved in incident response and risk mitigation efforts for Fortune 50 organizations across military, defense, public sector, and private-sector environments. He is a frequent industry speaker and media contributor on cyber-risk, emerging threats, and connected and AI-driven systems, and is currently working on his first book examining cyber-risk from the perspective of a ransomware negotiator.