Revenue From Supply-Chain Attacks by Clop Group Sharply Fell, Report Investigators

The Clop digital extortion gang for years perfected a method for wringing tens of millions out of cybercrime. Find a zero-day flaw, often in file transfer software, swarm vulnerable networks and post online the sensitive data of any victim unwilling to pay for a promise of data deletion.
The Russian-speaking ransomware group pioneered the tactic. One 2023 campaign may have netted it as much as $100 million (see: Data Breach Toll Tied to Clop Group’s MOVEit Attack Surges).
But the tactic of “zero-day downstream mass data extortion campaigns” is losing its ability to terrorize corporations into paying protection money to cybercriminals, finds ransomware incident response group Coveware.
By the time that Clop, which researchers also track as Cl0p, TA505, FIN11 and Graceful Spider, unleashed campaigns against Cleo Communications’ Harmony, VLTrader and LexiCom MFT software in late 2024 and Oracle E-Business Suite in August 2025, victims appear to have stopped paying the gang.
Coveware data only extends to its customers and so doesn’t encompass every victim, but the trend does seem clear.
Copycat campaigns also appear to be failing, including online gang extortion demands made after breaches of Snowflake customers’ data in 2024 and the repeat targeting of Salesforce customer data in 2025. Both of those campaigns have been tied to elements of The Com cybercrime community, responsible for such spinoff groups as ShinyHunters and Scattered Lapsus Shiny Hunters.
Coveware data suggests that as with Clop’s campaigns targeting Cleo and Oracle EBS, the Com-tied campaigns resulted in no victims – that it knows of – paying despite the attention hackers drew to their extortion demands.
The Com campaigns were prolific: In the Salesforce customer data-targeting attacks alone, the group amassed over 1,000 victims by targeting third-party software providers including Salesloft and Gainsight, after which it set up a dedicated data-leak site, which the FBI promptly disrupted.
Coveware attributes the newfound willingness of victims to resist online extortion demands to a number of factors. In some cases, hackers simply didn’t steal sensitive data worth a payout. But defenders have also gotten better at defending against these types of attacks, including ascertaining what data was stolen, which makes rebuffing shakedowns easier.
The drop-off in payments also comes despite invasive forms of pressure that go far beyond traditional countdown clocks and leak sites, often featuring attempts at emotional manipulation, media manipulation and threats of violence.
“Some of the harassment attacks include swatting, DDoS attacks, email flooding, SMS flooding and other forms of harassment, which are typical of Com groups,” says a new report from Allison Nixon, chief research officer at threat intelligence firm Unit 221B, who has herself been targeted by these groups.
Nixon said ShinyHunters and other Com spinoffs run scams in which they promise to delete stolen data if only a victim pays, but will never do so. If a victim does pay, that also gives the group further blackmail ammunition.
A similar trend is occurring for ransomware hackers. In the final quarter of last year, Coveware said the quantity of victims who paid a ransom fell to an all-time low of 20%. The firm did observe an increase in average and median ransom payments last year from the third to the fourth quarter, although that was largely due to “edge cases” involving “a small number of outsized settlements” (see: Ransomware by the Numbers: Victim and Group Count Surges).
