“The current state of cyber extortion. Cl0p developed this playbook during the Accellion breach in Q1 2021. At the time, data exfiltration-only extortion was still a relatively novel tactic. Most cyber extortion attacks in 2020-2021 involved the encryption of critical system…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1486 Data Encrypted for Impact (93%)
“This erodes the already fragile trust model underpinning DXF-only extortion and further weakens payment as a rational control. Threat actor pressure is economic, not reputational. DXF-only campaigns persist not because they are highly successful, but because they are cheap to …”
T1657 Financial Theft (70%)
“Why zero-day downstream mass data extortion campaigns are losing their bite. Table of contents: data theft campaigns, payment rates, types of ransomware, attack vectors, TTPs, victimology. Q4 of 2025 was marked by the latest large-scale data theft campaign by the Cl0p ransomware gang, this…”
T1486 Data Encrypted for Impact (69%)
“of payment. They may diversify how they use and monetize access to victim networks, beyond direct extortion. And we expect they will continue to downsize their respective operations to minimize overhead costs and risks. Ransom payment amounts in Q4 2025: average ransom payment $5…”
T1003 OS Credential Dumping (63%)
“rebuilds, and system reinstalls erase telemetry. The data reflects a growing gap between observed impact and real-world disruption, not diminished operational damage, as attackers continue to manipulate or destroy backups to amplify pressure during negotiations. Credential acce…”
T1486 Data Encrypted for Impact (62%)
“, payment magnitude continues to correlate most strongly with incident impact, particularly the loss of critical systems, ineffective backups, and prolonged recovery timelines, further undermining the economic assumptions behind traditional big-game hunting strategies. Payment …”
T1486 Data Encrypted for Impact (60%)
“rebuilds, and system reinstalls erase telemetry. The data reflects a growing gap between observed impact and real-world disruption, not diminished operational damage, as attackers continue to manipulate or destroy backups to amplify pressure during negotiations. Credential acce…”
T1190 Exploit Public-Facing Application (60%)
“zero-day downstream campaigns are losing their efficacy, it is interesting to note that the top two variants in Q4 (who have held that spot for several quarters now) both employ encryption as the primary impact driver. Both exfiltrate data as well, but encryption is the prima…”
T1486 Data Encrypted for Impact (56%)
“-sized organizations, highlighting attackers’ continued preference for targets with limited security resources and high operational exposure. Companies with 11 to 100 employees accounted for the largest share of attacks at 38%, followed closely by organizations with 101 to 1,…”
T1078.004 Cloud Accounts (50%)
“or inheriting access through workflows designed for legitimate use. Most compromises succeeded not because systems were unpatched, but because configuration debt persisted: stale credentials, legacy local accounts after migrations, and insufficient visibility into cloud identity…”
T1486 Data Encrypted for Impact (48%)
“Why zero-day downstream mass data extortion campaigns are losing their bite. Table of contents: data theft campaigns, payment rates, types of ransomware, attack vectors, TTPs, victimology. Q4 of 2025 was marked by the latest large-scale data theft campaign by the Cl0p ransomware gang, this…”
T1486 Data Encrypted for Impact (44%)
“visibility of these incidents, extortion payments remained the exception rather than the rule. Most victims received cogent advice from skilled lawyers and incident responders, and opted not to even engage the threat actors. The ransom notes were tossed in the waste bin after a r…”
T1486 Data Encrypted for Impact (42%)
“TA0008] Lateral movement remained one of the most consistently observed tactics in Q4 2025, appearing in 65% of cases and continuing to serve as the operational backbone of modern intrusions. The decline from Q3 does not signal reduced adversary reliance, but more likely reflec…”
T1486 Data Encrypted for Impact (42%)
“than reduced attacker interest in data theft. Defense evasion [TA0005]: defense evasion re-entered the top 5 in Q4, observed in 43% of cases, reflecting attacker prioritization of remaining undetected long enough to complete staging and exfiltration. Techniques increasingly t…”
T1078 Valid Accounts (41%)
“While Cl0p’s zero-day campaigns contributed to the rise, most exploitation activity was opportunistic, capitalizing on delayed patching, incomplete migrations, exposed management interfaces, and residual credentials. Even fully patched environments were compromised when legac…”
T1048 Exfiltration Over Alternative Protocol (39%)
“TA0008] Lateral movement remained one of the most consistently observed tactics in Q4 2025, appearing in 65% of cases and continuing to serve as the operational backbone of modern intrusions. The decline from Q3 does not signal reduced adversary reliance, but more likely reflec…”
T1657 Financial Theft (36%)
“The cons side is getting crowded. Over the past several years, organizations have matured significantly in their understanding of breach consequences. Paying for data suppression does not eliminate legal or regulatory notification obligations. It does not meaningfully reduce the …”
T1657 Financial Theft (35%)
“for cyber criminals. During MOVEit, many victims were able to independently reconstruct what data had been accessed or exfiltrated, reducing their reliance on threat actors for visibility. In the Cleo campaign, the data itself turned out to be of relatively low sensitivity, limit…”
T1078 Valid Accounts (34%)
“rebuilds, and system reinstalls erase telemetry. The data reflects a growing gap between observed impact and real-world disruption, not diminished operational damage, as attackers continue to manipulate or destroy backups to amplify pressure during negotiations. Credential acce…”
T1657 Financial Theft (34%)
“visibility of these incidents, extortion payments remained the exception rather than the rule. Most victims received cogent advice from skilled lawyers and incident responders, and opted not to even engage the threat actors. The ransom notes were tossed in the waste bin after a r…”
T1657 Financial Theft (31%)
“likely Cl0p earned tens of millions of dollars from this single campaign. Cl0p duplicated this success in March of 2023 by exploiting a vulnerability in GoAnywhere MFT. During that incident it is likely 100-150 organizations were impacted, and close to 20% of them ended up pay…”
Summary
Are we seeing the extinction of mass data exfiltration campaigns? The stats demonstrate these attacks are losing their efficacy.