This is part of our ongoing blog series breaking down the use cases in the 2025 2H CyOps ECHO report. Download the complete report here.
Ransomware has a new playbook, and it doesn’t involve locking you out of your own files. In 2025, Cynet’s CyOps threat intelligence and incident response teams investigated two attacks that, side by side, tell the story of a maturing criminal industry that’s become leaner, faster, and far harder to defend against using traditional playbooks.
The first involved the Akira ransomware group targeting a real estate development company. The second saw the Inc ransomware group hit an airline. In both cases, what defenders found was not what they expected.

When investigators arrived at the real estate firm, the immediate question was: where’s the ransomware note? Akira (typically known for its double-extortion campaigns) hadn’t deployed any encryption at all. Instead, the group had made a calculated pivot: steal the data, threaten to release it, and walk away without ever triggering the loud, disruptive event that would bring incident responders running.
Unauthorized RDP access to two Hyper-V hosts; the connection was traced back to a SonicWall SSL-VPN session using a compromised administrative developer account.
RDP connection by the compromised account to the Domain Controller.
The threat actor connects over RDP, deploys multiple files, and creates several unauthorized virtual machines on the Hyper-V server, which also hosts the domain controller.
Later, the threat actor runs PowerShell commands such as ipconfig and ping to check the activity of other machines, then unsuccessfully attempts to create suspicious files on the host in C:\ProgramData, likely for persistence; the attempt is blocked by the deployed Cynet agent.
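The chain above (VPN-sourced RDP to a Hyper-V host, then VM creation and host discovery by the same account) is the kind of sequence a detection rule can correlate. The following is an added illustration, not Cynet code: host names, the VPN address pool, the sample events and the Hyper-V "VM created" event id are assumptions.

```python
# Added example: correlate constructed Windows events into the RDP -> VM creation ->
# discovery chain described in the Akira timeline. Not Cynet code; all values assumed.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.200.0.0/24")   # assumed SSL-VPN client address pool
HYPERV_HOSTS = {"HV01", "HV02"}          # assumed names of the two Hyper-V hosts
DISCOVERY = {"ipconfig", "ipconfig.exe", "ping", "ping.exe"}
VM_CREATED = 13002                       # Hyper-V-VMMS "new virtual machine created" (id assumed)
WINDOW = timedelta(hours=2)              # how long after the RDP logon follow-ups count

# Constructed sample events. 4624 with logon_type 10 = RemoteInteractive (RDP) logon,
# 4688 = process creation. Last event is an ordinary LAN-sourced RDP logon (no alert).
EVENTS = [
    {"t": datetime.fromisoformat("2025-06-01T01:10:00"), "host": "HV01", "id": 4624,
     "logon_type": 10, "user": "dev-admin", "src": "10.200.0.17"},
    {"t": datetime.fromisoformat("2025-06-01T01:35:00"), "host": "HV01", "id": VM_CREATED,
     "user": "dev-admin"},
    {"t": datetime.fromisoformat("2025-06-01T02:00:00"), "host": "HV01", "id": 4688,
     "user": "dev-admin", "cmd": "ping 10.10.0.5"},
    {"t": datetime.fromisoformat("2025-06-01T09:00:00"), "host": "FS02", "id": 4624,
     "logon_type": 10, "user": "helpdesk", "src": "10.10.5.4"},
]

def is_vpn_rdp(e):
    """RDP logon whose source address lies in the VPN client pool."""
    return e["id"] == 4624 and e.get("logon_type") == 10 and ip_address(e["src"]) in VPN_POOL

def is_followup(e):
    """VM creation, or a discovery command, as seen later in the timeline."""
    if e["id"] == VM_CREATED:
        return True
    first = (e.get("cmd", "").split() or [""])[0].lower()
    return e["id"] == 4688 and first in DISCOVERY

def correlate(events, window=WINDOW):
    """For each VPN-sourced RDP logon to a Hyper-V host, collect follow-up events by
    the same account on that host within `window`. Returns a list of
    (host, user, [follow-up event ids]); an RDP logon alone does not alert."""
    ordered = sorted(events, key=lambda x: x["t"])
    alerts = []
    for e in ordered:
        if not (is_vpn_rdp(e) and e["host"] in HYPERV_HOSTS):
            continue
        follow = [f["id"] for f in ordered
                  if f["host"] == e["host"] and f["user"] == e["user"]
                  and e["t"] < f["t"] <= e["t"] + window and is_followup(f)]
        if follow:
            alerts.append((e["host"], e["user"], follow))
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))   # [('HV01', 'dev-admin', [13002, 4688])]
```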
The attack is notable for what it means for attacker economics. Deploying ransomware is inherently risky. It’s loud, it’s detectable, and it invites immediate law enforcement attention. Data exfiltration, by contrast, can be completed quietly over hours. The leverage is the same: pay us, or your clients’ information goes public. The stakes are much lower for the cybercriminal who chooses the data exfiltration path and still has the upper hand in the ensuing negotiations.
This is the logic of modern cybercrime. As defenders improve their ability to restore from backups, attackers simply remove the dependency on encryption. Your backup strategy, carefully maintained and tested, becomes strategically irrelevant the moment the attacker’s goal shifts from disruption to exfiltration.
The airline incident contains a lesson that no security team wants to hear: restoring from backup does not mean the attacker is gone. When the airline initially contacted CyOps for incident response support, they had already restored their affected machines. From an operational standpoint, the crisis appeared to be over. Cynet agents were deployed for monitoring during the investigation. Within five days, the attacker was back.
The organization experiences a ransomware attack and restores the affected machines from backup, then reaches out to CyOps IR, where agents are quickly deployed for monitoring during the investigation.
5 days later, the threat actor returns and resumes pre-ransomware activity.
A month later, an unidentified threat actor is detected over a Citrix remote session and fails in attempts to enumerate the “Domain Admins” group on the host and to enumerate Active Directory. The organization continues to work through recommendations for environment and identity hardening.
The airline case exposes a critical misunderstanding baked into many incident response plans: the assumption that restoration equals resolution. It doesn’t. Until the initial access vector is identified and closed, the attacker retains the ability to re-enter. In the case of critical industries, attackers know they have leverage because disruption is especially painful.
When attackers shift from encryption to pure data theft, backup strategies lose their value. And when recovery doesn’t include threat actor eviction, the door is still open. With AI-powered attacks and more vulnerabilities to exploit in environments more dependent on SaaS and cloud infrastructure, perseverant cybercriminals will try, try again. Effective defense in 2026 requires distinguishing between operational recovery and security resolution. MDR capabilities are not optional safeguards for high-profile organizations; they are often the difference between temporarily disrupting an attacker and permanently removing them from the environment.