49% of Ransomware Victims Lose Data Before Detecting the Attack
Ransomware has always been a painful problem, but a new report reveals just how badly detection is failing: nearly half of all ransomware victims had their data stolen before they even realized an attacker was inside their network. That figure has jumped sharply from 31% the previous year, signaling that hackers are not just getting bolder but considerably more patient and stealthy.
The average dwell time before detection now sits at roughly 2.5 weeks. That is 17 or more days during which an attacker can quietly map your systems, identify your most valuable files, and move them out the door, all before a single alert fires.
The Real Threat Is Exfiltration, Not Just Encryption
Most people picture ransomware as a dramatic event: files lock up, a ransom note appears, operations grind to a halt. That image is increasingly outdated. Modern ransomware groups have shifted to a two-stage strategy. First, they steal data. Then, if and when they deploy encryption, they hold two separate threats over their victims: pay to restore access, and pay again to prevent the stolen data from being published.
This approach, often called double extortion, changes the calculus entirely. Even organizations with solid backup systems that could restore encrypted files quickly still face exposure of sensitive customer records, financial documents, or intellectual property. The encryption is almost secondary at that point.
Data theft has remained a consistent feature of extortion activity, appearing in more than half of cases year over year, which confirms this is not a passing trend. It is now the default playbook.
Why Detection Is Falling Further Behind
The growing gap between intrusion and detection points to a few converging problems.
First, attackers are increasingly using legitimate tools that already exist within a target's environment. Security software is designed to flag unfamiliar malware signatures, but when an attacker uses built-in system utilities to move files, those actions often look indistinguishable from normal administrator behavior.
Second, many organizations still rely heavily on perimeter defenses. Firewalls and encrypted tunnels protect data in transit, but once an attacker has valid credentials or has established a foothold inside the network, perimeter tools offer little visibility into what is happening laterally.
Third, alert fatigue is a real and well-documented problem in security operations centers. When detection systems generate thousands of low-fidelity alerts per day, genuine intrusion signals get buried. Attackers know this and time their activity to blend into noisy periods.
This is also why relying on a single tool, including a VPN, creates a false sense of security. A VPN encrypts traffic between your device and the internet, which protects data in transit and masks your IP address. But it does nothing to detect or block malware that is already running on a compromised machine, and it offers no visibility into attacker behavior once credentials have been stolen. The youX data breach in Australia, where attackers accessed sensitive identity data at a fintech firm, illustrates how sophisticated intrusions can bypass surface-level protections and cause cascading real-world consequences.
What This Means For You
Whether you are an individual professional or part of an organization's IT team, the 2.5-week average dwell time should reframe how you think about security.
The question is no longer only "how do I keep attackers out?" It is equally "how quickly would I know if someone was already in, and what would they find?"
For individuals and small businesses, this means:
- Assume credentials can be compromised. Use multi-factor authentication everywhere, especially on email, cloud storage, and any remote access tools. Stolen credentials are the most common entry point.
- Limit what is accessible. Not every system or file share needs to be reachable from every device. Restricting access reduces what an attacker can reach after gaining initial entry.
- Monitor for anomalies, not just known threats. Endpoint detection tools that flag unusual behavior, such as a user account suddenly accessing files it never touches, are more valuable than signature-based antivirus alone.
- Have an incident response plan. Knowing exactly what steps to take in the first hour of a confirmed breach significantly limits damage. Many organizations discover they have no documented process until they need one badly.
- Segment your backups. Backups stored on the same network as primary systems can be encrypted or deleted by attackers during their dwell period. Offline or immutable backups are a separate layer of protection.
VPNs remain a genuinely useful tool, particularly for securing traffic on untrusted networks and protecting privacy from passive surveillance. But their role is one layer among many, not a complete defense.
Building a Layered Defense Strategy
The most effective security posture treats detection as an equal priority to prevention. Prevention is never perfect, and the data confirms attackers are getting better at bypassing it. Organizations and individuals who invest only in keeping attackers out, while doing nothing to detect them once inside, are effectively blind during the window that matters most.
Layered defense means combining perimeter tools, endpoint monitoring, network traffic analysis, strict access controls, and user education. No single product closes all the gaps, which is why the security industry talks about defense in depth rather than any one silver bullet.
The sharp rise in pre-detection data theft is a clear signal that the threat environment has matured. Attackers are operating with more discipline and patience than ever. The appropriate response is to match that discipline with equally deliberate, layered defenses rather than reactive tool purchases after an incident occurs.
Start by auditing what sensitive data you hold, where it lives, and who can access it. That visibility alone puts you ahead of most targets.