Reading the headlines, you'd be forgiven for thinking that the vast majority of data breaches were ransomware and extortion-driven. Reading this story, you might be surprised to hear that ransomware is only the 4th most common cause of a breach, at 10.4%. I sought out the source study, which made things a bit more clear. Ransomware was the 4th most common root cause of a data breach.
The way I'm reading this is that an extortion case where the root cause is phishing, but employs ransomware at a later stage of the campaign, would be counted as "social engineering", not "ransomware" as the root cause.
Though some of this is a bit foggy to me, the report has some good insights, like a good breakdown of the key mistakes and oversights companies can correct to prevent data breaches.
Note that the scope of this report was "100 of the largest and well-known data breaches to date". It's unclear if all these events happened in the past 5 years, or go back 20 years or more, which I would think would dull the value of the report. There's no methodology listed for the report.