For the past five years, the cybersecurity industry has been winning the ransomware war. Payment rates dropped from 41% in 2024 to just 23% by Q3 2025. Total ransom payments fell 35.82% year-over-year. Organizations got disciplined about backups: 72% now maintain air-gapped copies, 59% have immutable backups, and 57% recover through backups instead of paying.
By every metric the industry tracks, defenders were pulling ahead.
So attackers changed the game.
The Exfiltration Pivot
In 2025, ransomware extortion attacks hit 6,182, a 23% increase, while traditional encryption-only attacks flatlined at roughly 4,700. Data-only extortion incidents, attacks where no encryption occurs at all, surged 11x year-over-year. Groups like Hunters International have formally abandoned file encryption in favor of pure data theft operations.
The logic is straightforward. Encryption triggers endpoint detection. It requires deploying payloads across dozens or hundreds of systems. It creates obvious operational disruption that accelerates response. And increasingly, it doesn't work, because organizations just restore from backups.
Data exfiltration avoids all of those problems. Attackers use legitimate tools that already exist in the environment: PowerShell (25% of attacks), PsExec (22%), AnyDesk (13%), and Rclone (10%). These are the same tools IT teams use every day. No malicious payloads to detect. No behavioral anomalies to trigger alerts. Just data moving through normal channels to an external destination.
Then comes the extortion demand: pay up, or we publish your customer records, your financial data, your intellectual property. And your backups are completely irrelevant to this threat.
Why Backups Were Never the Real Answer
The industry treated declining ransomware payments as evidence that the problem was being solved. It wasn't. Attackers were gathering intelligence.
When victims stopped paying because they could restore from backups, attackers learned two things. First, the data inside those systems is valuable enough that organizations invest heavily in protecting their access to it. Second, the data itself, not access to it, is the real leverage.
This is a critical distinction. Encryption attacks threaten access to your data. Exfiltration attacks threaten exposure of your data. Backups solve the first problem. They're useless against the second.
Consider the math from a victim's perspective. You get hit with a ransomware attack. Your systems are encrypted, but you have good backups. You restore operations in 48 hours. Painful, but manageable.
Now consider the same scenario without encryption. Your systems are running fine. No disruption. But the attacker has a copy of every customer record, every financial document, every piece of intellectual property you have. They threaten to publish it all unless you pay.
Your backups don't help here. Your incident response playbook, built around "detect, contain, restore," doesn't address this. You're facing regulatory notification requirements, class-action exposure, reputational damage, and competitive intelligence loss. The average breach cost in the US hit $10.22 million in 2025, and data exfiltration incidents drive some of the highest costs because of downstream regulatory and legal consequences.
The 19% payment rate for exfiltration-only attacks might look low, but the attack volume is growing so fast that the total payout is increasing. Attackers don't need a high conversion rate when they can hit thousands of targets with minimal operational risk.
The Detection Problem Nobody's Solving
Here's what makes exfiltration-only attacks particularly insidious: they're designed to be invisible.
Traditional ransomware had an unmistakable signal. Files get encrypted. Extensions change. Ransom notes appear. You know you've been hit. The incident response clock starts immediately.
Exfiltration attacks have no such signal. The first indication is usually the extortion email, which arrives after the data is already gone. By then, the attacker has had days, weeks, or sometimes months to methodically copy everything of value.
As I explored in "Shadow AI and the Data Exfiltration Risk Enterprises Can't See," unauthorized data movement is already one of the hardest threats to detect. When that movement uses the same tools and protocols as legitimate operations, traditional security monitoring is effectively blind.
Data Loss Prevention (DLP) tools help at the margins, but they were designed to catch accidental data exposure or policy violations. A sophisticated attacker using encrypted channels and living-off-the-land tools can bypass most DLP implementations without triggering a single alert. The infostealer epidemic I wrote about in January demonstrates the same pattern: industrial-scale data theft operating below the detection threshold for months.
The Defense the Industry Is Missing
If you can't reliably prevent exfiltration, and you can't restore your way out of it, the remaining option is one that almost nobody in the ransomware conversation is discussing: make the stolen data worthless.
This is where data-centric security, specifically tokenization, fundamentally changes the equation.
I've been building toward this argument in my work at Capital One Software on Databolt, and I explored the concept in detail when discussing the Fortinet SSO breach. The premise is simple: instead of trying to build walls high enough that nobody can get in (they can), or detecting every exfiltration attempt (you can't), you protect the data itself so that even successful theft produces nothing of value.
Field-level tokenization replaces sensitive values with format-preserving tokens at the individual field level. A Social Security number becomes a token that looks like a Social Security number but is cryptographically meaningless. A credit card number becomes a realistic-looking string that processes through your systems correctly but has no relationship to an actual card. Customer names, addresses, medical records: all tokenized, all functionally correct for internal operations, all worthless if stolen.
The attacker who exfiltrates your database gets exactly what they'd expect to find. The data looks right. The formats are correct. The volumes are appropriate. But every sensitive field is a token. The crown jewels they just stole are costume jewelry.
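To make the field-level tokenization described above concrete, here is an added example, not Databolt code or any vendor's implementation: a vault-based tokenizer in Python that issues random, format-preserving tokens for card numbers (keeping the 6-digit BIN and last four, and remaining Luhn-valid so downstream format checks pass) and for SSNs, plus an `is_token` lookup of the kind an incident responder would use to determine whether values in a leaked dump came from the vault. The vault, the sample values and every helper name are constructed for this example.

```python
import re
import secrets
import string
from typing import Callable, Dict, Optional

# Added example: vault-based, format-preserving tokenization.
# Tokens are random, so a stolen table of tokens cannot be reversed without the vault.


def luhn_valid(number: str) -> bool:
    """True if a digit string passes the Luhn check used by payment card numbers."""
    if len(number) < 2 or not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right (check digit excluded) is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def _solve_luhn_digit(template: str, free_index: int) -> str:
    """Fill the placeholder at free_index with the one digit that makes the number Luhn-valid.
    Exactly one digit works: both d and the Luhn doubling of d permute 0..9 modulo 10."""
    for d in string.digits:
        candidate = template[:free_index] + d + template[free_index + 1:]
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: some digit always satisfies Luhn")


class TokenVault:
    """Maps tokens to originals. A production vault would be an HSM-backed or encrypted store;
    an in-memory dict keeps this example self-contained (hypothetical design)."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def _store(self, value: str, make_candidate: Callable[[], str]) -> str:
        # Deterministic: the same input always yields the same token, so joins keep working.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = make_candidate()
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def tokenize_pan(self, pan: str) -> str:
        """Card number -> token that keeps the BIN and last four, randomizes the middle, stays Luhn-valid."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        middle = len(pan) - 11  # randomized digits; one more middle digit is solved for Luhn

        def candidate() -> str:
            body = "".join(secrets.choice(string.digits) for _ in range(middle))
            return _solve_luhn_digit(pan[:6] + body + "?" + pan[-4:], len(pan) - 5)

        return self._store(pan, candidate)

    def tokenize_ssn(self, ssn: str) -> str:
        """SSN in ###-##-#### form -> random token of the same shape (SSNs carry no checksum)."""
        if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", ssn):
            raise ValueError("expected ###-##-####")

        def candidate() -> str:
            return "-".join("".join(secrets.choice(string.digits) for _ in range(n)) for n in (3, 2, 4))

        return self._store(ssn, candidate)

    def detokenize(self, token: str) -> Optional[str]:
        """Authorized reverse lookup; returns None for values the vault never issued."""
        return self._token_to_value.get(token)

    def is_token(self, value: str) -> bool:
        """Incident-response check: does a value found in a leaked dump come from this vault?"""
        return value in self._token_to_value


def demo() -> dict:
    """What an exfiltrated copy of a tokenized customer row contains (constructed sample values)."""
    vault = TokenVault()
    pan = "4539148803436467"  # constructed Luhn-valid sample, not a real account
    ssn = "123-45-6789"       # constructed sample
    row = {"name": "A. Customer", "pan": vault.tokenize_pan(pan), "ssn": vault.tokenize_ssn(ssn)}
    return {
        "leaked_row": row,
        "pan_passes_format_checks": luhn_valid(row["pan"]),
        "pan_is_real": row["pan"] == pan,
        "recoverable_with_vault": vault.detokenize(row["pan"]) == pan,
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one in the text: the leaked row passes every format check a downstream system or an attacker would apply, yet the only path back to the real values runs through the vault, which is exactly the asset the exfiltration never touched.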
The Regulatory Safe Harbor Nobody Talks About
Here's the part of the tokenization story that should get every CISO's attention: regulatory safe harbors.
When ransomware encrypted data, organizations could restore and move on. The regulatory burden was manageable. But when data is exfiltrated, every affected record triggers notification requirements under HIPAA, GDPR, PCI-DSS, and an ever-expanding web of state privacy laws.
Except when the stolen data was already unintelligible.
HIPAA's Breach Notification Rule includes a safe harbor: if protected health information was "rendered unusable, unreadable, or indecipherable to unauthorized persons," notification is not required. GDPR has similar provisions under its risk-based approach. Many state breach notification laws exclude encrypted or tokenized data from their definition of a reportable breach.
This means tokenization doesn't just reduce the damage from exfiltration. It can eliminate the regulatory cascade entirely. No breach notifications. No mandatory consumer credit monitoring. No class-action standing based on exposed PII. The data was never exposed because it was never real.
Compare that to the typical post-exfiltration response: legal teams scrambling, PR teams drafting statements, compliance teams calculating notification requirements across 50 different state laws, and the executive team explaining to the board why customer data is now on a darknet leak site. Tokenization eliminates this entire chain of consequences.
Why This Isn't Happening Faster
If tokenization is such a clear answer, why aren't more organizations implementing it?
Three reasons.
First, most security organizations are structured around perimeter defense and incident response. Their budgets, their tools, their training, and their vendor relationships are oriented toward keeping attackers out and responding when they get in. Data-centric security requires a fundamentally different organizational posture: accepting that breaches will happen and optimizing for what attackers find when they succeed. That's a hard cultural shift, even when the logic is obvious.
Second, legacy systems make tokenization complicated. You can't tokenize a database that 200 applications read from without ensuring every one of those applications can work with tokenized values. The engineering challenge isn't the tokenization itself; it's the integration. This is exactly the problem we're solving with Databolt: making data-centric protection practical at enterprise scale, where the reality is decades of legacy systems, complex data flows, and hundreds of consuming applications.
Third, the industry's attention is still focused on the wrong metrics. When payment rates drop, headlines declare victory. When a new ransomware group gets disrupted, it's treated as progress. But the underlying economics haven't changed. Data has value. Stealing data is getting easier. And the consequences of data exposure are getting more expensive every year.
What to Do About It
If you're a security leader watching the exfiltration trend accelerate, here's where to start.
Inventory your crown jewels. What data, if published tomorrow on a darknet leak site, would cause the most damage? Customer PII, financial records, health data, intellectual property. That's your tokenization priority list.
Assess your detection gaps. Run a tabletop exercise where the scenario is pure exfiltration, not encryption. No ransomware payload, no locked files, no ransom note. Just data leaving your network through legitimate tools. How long before you detect it? If the answer is "we wouldn't," you've identified your most urgent security gap.
Evaluate data-centric protection. Tokenization, format-preserving encryption, data masking: these aren't competing approaches. They're complementary layers that serve different use cases. Start with the highest-value, highest-regulation data stores and work outward.
Plan for the exfiltration scenario. Most incident response plans are built around the encryption playbook: contain, eradicate, restore. Add an exfiltration-specific runbook that covers credential rotation, key revocation, regulatory notification triggers, and, critically, how to determine whether stolen data was tokenized (which changes the entire response calculus).
Stop celebrating payment declines. Declining payments aren't evidence that ransomware is being defeated. They're evidence that the attack model is evolving. The organizations treating this as a win are the ones who will be most surprised when exfiltration-only attacks hit them.
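As an added illustration of the "assess your detection gaps" item above, and not code from the original post: a small Python rule that treats outbound transfers by the dual-use tools named earlier (PowerShell, PsExec, AnyDesk, Rclone) as suspicious when they reach external destinations outside a sanctioned allowlist, and escalates when the per-host, per-process volume within an hour crosses a threshold. The host names, addresses, allowlist, threshold and telemetry records are all constructed; the field names assume a generic host telemetry feed rather than any particular product.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Added example: a volume-and-tool rule for exfiltration over legitimate channels.
# Every host, address, threshold and allowlist entry below is hypothetical.

# Process names the post lists as common exfiltration vehicles
DUAL_USE_TOOLS = {"rclone.exe", "rclone", "powershell.exe", "pwsh.exe", "psexec.exe", "anydesk.exe"}

# Hypothetical organization: its internal address space and sanctioned off-site endpoints
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SANCTIONED_DESTINATIONS = {"198.51.100.20"}   # e.g. the corporate backup target
VOLUME_THRESHOLD_BYTES = 500 * 1024 ** 2       # 500 MiB per host/process/hour (tuning is site-specific)
WINDOW_SECONDS = 3600


class Alert(NamedTuple):
    host: str
    process: str
    severity: str
    reason: str
    total_bytes: int
    first_ts: int
    destinations: List[str]


def is_external(ip: str) -> bool:
    """External means outside the organization's own ranges, not the IANA notion of 'global'."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_exfiltration(events: Iterable[dict], threshold: int = VOLUME_THRESHOLD_BYTES) -> List[Alert]:
    """Aggregate outbound bytes per (host, process, hour) to unsanctioned external destinations."""
    Key = Tuple[str, str, int]
    volume: Dict[Key, int] = defaultdict(int)
    first_ts: Dict[Key, int] = {}
    dests: Dict[Key, Set[str]] = defaultdict(set)

    for ev in events:
        # Internal traffic and sanctioned endpoints are out of scope for this rule
        if not is_external(ev["dest"]) or ev["dest"] in SANCTIONED_DESTINATIONS:
            continue
        key = (ev["host"], ev["process"].lower(), ev["ts"] // WINDOW_SECONDS)
        volume[key] += ev["bytes_out"]
        first_ts[key] = min(first_ts.get(key, ev["ts"]), ev["ts"])
        dests[key].add(ev["dest"])

    alerts: List[Alert] = []
    for key in sorted(volume):
        host, process, _bucket = key
        total = volume[key]
        if total >= threshold:
            alerts.append(Alert(host, process, "high",
                                "outbound volume to unsanctioned external destination exceeds threshold",
                                total, first_ts[key], sorted(dests[key])))
        elif process in DUAL_USE_TOOLS:
            alerts.append(Alert(host, process, "medium",
                                "dual-use transfer tool contacting unsanctioned external destination",
                                total, first_ts[key], sorted(dests[key])))
    return alerts


# Constructed telemetry: ts (epoch seconds), host, user, process, destination IP, bytes sent
SAMPLE_EVENTS = [
    {"ts": 1_700_000_000, "host": "ws-042", "user": "jdoe", "process": "rclone.exe",
     "dest": "203.0.113.10", "bytes_out": 900 * 1024 ** 2},
    {"ts": 1_700_000_600, "host": "ws-042", "user": "jdoe", "process": "rclone.exe",
     "dest": "203.0.113.10", "bytes_out": 700 * 1024 ** 2},
    {"ts": 1_700_001_200, "host": "ws-042", "user": "jdoe", "process": "rclone.exe",
     "dest": "203.0.113.10", "bytes_out": 400 * 1024 ** 2},
    {"ts": 1_700_000_100, "host": "srv-01", "user": "svc_backup", "process": "powershell.exe",
     "dest": "10.0.0.5", "bytes_out": 5 * 1024 ** 3},          # internal: ignored
    {"ts": 1_700_000_200, "host": "backup-01", "user": "svc_backup", "process": "rclone",
     "dest": "198.51.100.20", "bytes_out": 20 * 1024 ** 3},    # sanctioned destination: ignored
    {"ts": 1_700_000_300, "host": "ws-017", "user": "asmith", "process": "anydesk.exe",
     "dest": "203.0.113.77", "bytes_out": 3 * 1024 ** 2},      # small, but a dual-use tool: medium
    {"ts": 1_700_000_400, "host": "ws-017", "user": "asmith", "process": "chrome.exe",
     "dest": "203.0.113.77", "bytes_out": 3 * 1024 ** 2},      # ordinary browsing: no alert
]

if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed feed, the rule produces two alerts: a medium one for AnyDesk on ws-017 reaching an unsanctioned address, and a high one for roughly 2 GiB leaving ws-042 through Rclone inside a single hour. The tabletop question in the text is the one to ask of this output: with the telemetry you actually collect, would these two rows exist at all, and how many hours after the first event would anyone see them?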
The Next Phase of Defense
The cybersecurity industry has been through this cycle before. We built firewalls, and attackers found ways around them. We built detection systems, and attackers learned to evade them. We built backup systems, and attackers stopped encrypting. Each defense solved yesterday's problem and created the conditions for tomorrow's attack.
The exfiltration pivot represents another turn of this cycle. But data-centric security has a property that previous defenses lacked: it doesn't depend on keeping attackers out. It works precisely because it assumes they'll get in.
When I wrote about PromptLock and AI-native ransomware in January, I noted that AI is lowering the barrier for ransomware development. That trend will accelerate. Attacks will get more frequent, more automated, and harder to detect. The organizations that will weather this escalation aren't the ones with the tallest walls. They're the ones whose data is worthless when stolen.
Backups were the right answer to the encryption problem. Tokenization is the right answer to the exfiltration problem. The question is whether the industry will make the shift before the next wave of attacks forces it.