The year 2025 will be remembered as a deeply paradoxical period in the annals of cybercrime, a time when the ransomware threat metastasized from a persistent corporate headache into a strategic challenge jeopardizing national security, economic stability, and public safety on a global scale. This landscape was defined by a stark contradiction: while the frequency and sheer volume of attacks surged to unprecedented levels, the financial returns for criminal syndicates plummeted as a growing number of victim organizations courageously refused to pay ransoms. This profound economic crisis triggered a fundamental restructuring of the ransomware ecosystem, leading to widespread fragmentation, the chaotic emergence of dozens of new threat actor groups, and a dangerous escalation in extortion tactics aimed at causing maximum operational and psychological disruption, particularly within the world’s most critical infrastructure sectors.
The Central Paradox: Skyrocketing Attacks Meet Plummeting Payments
The Unprecedented Surge in Attack Volume
The defining narrative of the year was the dramatic disconnect between the relentless frequency of ransomware incidents and the diminishing financial success for the perpetrators behind them. The sheer volume of attacks served as a sobering reminder of ransomware’s persistent and accelerating nature. Between January and September alone, an astonishing 4,701 confirmed ransomware incidents were documented worldwide, a figure representing a significant increase of between 34% and 50% compared to the same period in the previous year. This alarming trend continued its upward trajectory throughout the year, with the cumulative total of cases exposed on dark web leak sites reaching 6,330 by October, a staggering 47% surge from the 4,293 cases recorded in the equivalent timeframe of 2024. The intensity of this onslaught reached a fever pitch where, by the third quarter, an organization somewhere in the world was falling victim to a ransomware attack approximately every 19 seconds. October set a near-record with 623 documented incidents, marking the sixth consecutive monthly increase in malicious activity and underscoring the industrial scale at which these criminal operations were functioning.
Geographically, the wave of attacks remained heavily concentrated in economically developed nations, a strategic choice by threat actors targeting organizations with the perceived capacity to pay substantial ransoms. The United States bore the brunt of this activity, accounting for roughly 1,000 incidents, or about 21% of the global total, as its vast and digitized economy presented a target-rich environment. Canada followed with 361 documented attacks, trailed closely by the major European economies of Germany, the United Kingdom, and Italy. In a notable shift, Australia emerged as a top-five target, experiencing a dramatic 67% increase in attacks. Cybercriminals were increasingly drawn to its resource-rich economy and high per-capita GDP, viewing Australian enterprises as both lucrative and potentially vulnerable targets. This geographic focus highlighted the calculated, business-like approach of modern ransomware gangs, who meticulously selected their victims based on economic profiles and the potential for a high return on their criminal investment, even as that return was becoming increasingly uncertain.
The Collapse of the Ransomware Business Model
Beneath the surface of these alarming attack statistics, the foundational business model of ransomware faced an existential threat. Ransom payment rates collapsed to historic lows, signaling a monumental shift in how organizations responded to extortion. In the third quarter of 2025, only 23% of victims opted to pay a ransom, a figure that plummeted to a mere 19% for incidents that involved data theft without the deployment of file-encrypting malware. This trend was not an anomaly but the continuation of a steady decline. By the end of 2024, incident response firm Coveware had already reported an all-time low payment rate of 25%, a clear indication that a supermajority—three out of every four targeted organizations—were successfully restoring their operations through other means, thereby refusing to fund the criminal enterprises that had victimized them. This widespread refusal to pay struck at the very heart of the ransomware economy, creating a crisis of profitability for attackers who had long relied on compliance as their primary source of revenue.
This decisive decline in payment rates was not a matter of chance but was driven by a powerful convergence of defensive trends and strategic shifts within the victim population. Firstly, organizations demonstrated significantly enhanced resilience, largely through improved backup and recovery capabilities. Robust, isolated, and frequently tested backup systems reduced their dependency on attackers for decryption keys, making recovery a viable and often faster alternative to negotiation. Secondly, there was a growing awareness and acceptance that paying a ransom offered no guarantee of a positive outcome. Stories of criminals failing to provide working decryptors, leaking stolen data anyway, or returning for a second attack became commonplace, making the strategic value of non-payment clearer. Finally, a general strengthening of security postures, including more effective endpoint detection, faster network segmentation, and more sophisticated incident response plans, allowed organizations to detect, contain, and respond to attacks more quickly, mitigating their overall impact and making recovery without payment a more attainable goal for a larger number of victims.
Drivers of Non-Payment and the Financial Aftermath
The financial consequences for cybercriminals were stark and immediate. Despite the unprecedented surge in the volume of attacks, total global ransomware revenues experienced a precipitous fall of over one-third, dropping from an estimated $1.1 billion in 2023 to approximately $813.6 million in 2024, with trends indicating a continued decline throughout 2025. The average ransom payment plummeted by a staggering 66% in the third quarter of 2025, settling at $376,941. Similarly, the median payment, a more accurate reflection of a typical demand, fell by 65% to just $140,000. This dramatic downturn represented a fundamental market correction, demonstrating that the defensive efforts of potential victims were having a tangible and devastating effect on the profitability of the ransomware industry. The economic engine that had powered the ransomware boom for years was finally beginning to sputter, forcing a painful reckoning among criminal groups.
Yet, in a paradoxical twist, for the minority of organizations that did comply with criminal demands, the financial toll was higher than ever before. The average ransom payment for those who paid surged by an astonishing 500%, climbing from around $400,000 in 2023 to an average of $2.0 million in 2024. This dramatic increase was driven by a strategic pivot among the most sophisticated ransomware groups toward “big game hunting,” a tactic where attackers concentrate their efforts on large, high-revenue enterprises capable of sustaining massive financial losses. This focus on quality over quantity was evident in the demands themselves, with 63% of all ransom demands in 2024 exceeding $1 million. This high-stakes environment even produced a record-breaking payment of $75 million from a single victim, illustrating that while the overall ransomware economy was shrinking, the financial risk for large, unprepared organizations had never been greater.
A Fractured Ecosystem: The Proliferation of New Threats
Decentralization and the Rise of Smaller Groups
The immense economic pressure, combined with sustained and increasingly effective international law enforcement disruptions against major operations like LockBit and ALPHV/BlackCat, triggered a profound structural transformation of the ransomware ecosystem. The landscape, once dominated by a handful of powerful syndicates, became dramatically fragmented and decentralized. In the place of these monolithic players, a chaotic swarm of smaller, more agile, and often more unpredictable groups emerged to fill the void. Throughout 2025, an incredible 45 newly observed ransomware groups appeared on the scene, pushing the total number of distinct active extortion operations to a record-breaking 85. This proliferation was mirrored in their infrastructure, with the number of active data leak sites soaring to 81 in the third quarter, a five-year high, as each new faction sought to establish its own brand of intimidation.
This rapid decentralization had the immediate effect of eroding the market share once held by the top-tier groups. In the first quarter of 2025, the ten most active groups were responsible for a commanding 71% of all postings on data leak sites; by the third quarter, their collective share had fallen to just 56%. This fragmentation presented a complex challenge for law enforcement agencies, which now had to track a multitude of smaller targets instead of focusing on a few kingpins. However, it also inadvertently undermined the perverse “credibility” of the ransomware industry. Victims became far less likely to pay ransoms to smaller, unproven groups that lacked an established reputation for providing working decryptors or honoring their promises, a factor that further contributed to the overall decline in payment rates and added to the economic woes of the criminal underworld.
The Enduring Ransomware-as-a-Service Model
Despite the widespread disruptions and economic turmoil, the Ransomware-as-a-Service (RaaS) model not only survived but continued to thrive, acting as a powerful catalyst for the ecosystem’s fragmentation. This model, in which ransomware developers lease their malicious tools and infrastructure to affiliates in exchange for a percentage of the profits, proved to be remarkably resilient. It effectively lowered the barrier to entry into the world of cyber extortion, enabling a wider and more diverse range of less technically skilled criminals to launch sophisticated, high-impact attacks that would have otherwise been beyond their capabilities. RaaS platforms provided a turnkey solution for aspiring cybercriminals, complete with customizable malware, negotiation portals, and data leak sites, democratizing the tools of digital extortion.
The business mechanics of the RaaS model were a primary driver behind the surge in attack volume and the diversification of the threat landscape. Developers of ransomware strains like Qilin, DragonForce, and the relaunched LockBit 5.0 actively recruited affiliates, offering them advanced malicious toolkits in exchange for a 20-30% share of any successful ransom payments. This created a highly competitive and dynamic affiliate market, where freelance hackers could shop for the most effective malware and the most favorable profit-sharing terms. This symbiotic relationship fueled a constant cycle of innovation on the development side and a relentless wave of attacks from the affiliate side, ensuring that even as major brands were dismantled by law enforcement, the underlying operational model that powered the ransomware threat remained firmly intact and ready to fuel the next wave of criminal activity.
The Shifting Tactics of a Modern Adversary
Advanced Infiltration and Evasion Techniques
In response to hardening defenses, threat actors in 2025 refined their infiltration and evasion techniques to bypass modern security controls and maximize their impact. Phishing remained the dominant initial access vector, accounting for as many as 67% of successful breaches, but its execution evolved significantly. Attackers increasingly leveraged artificial intelligence to craft more convincing, context-aware, and personalized phishing lures, moving beyond generic templates to messages that expertly mimicked legitimate business communications. AI was also used to automate vulnerability scanning on a massive scale and even to generate custom ransom notes, making human error an even more critical and frequently exploited vulnerability within organizational defenses. This automation allowed criminal groups to execute campaigns with greater speed, scale, and sophistication than ever before.
Alongside enhanced social engineering, ransomware groups demonstrated an aggressive and opportunistic approach to vulnerability exploitation. They weaponized newly disclosed software flaws with alarming speed, often developing and deploying exploits within hours or days of a vulnerability’s public announcement. Critical flaws in widely deployed enterprise technologies, such as Fortinet firewalls, Oracle E-Business Suite, and various managed file transfer (MFT) solutions, became primary gateways for initial access. The most advanced groups, like Cl0p and Play, took this a step further, demonstrating the capability to discover and exploit zero-day vulnerabilities—flaws unknown to the vendor or the public. This represented the pinnacle of offensive capability, allowing these elite groups to bypass even fully patched systems and underscoring the immense challenge defenders faced in staying ahead of a constantly innovating adversary.
Abuse of Legitimate Tools and Infrastructure Targeting
A defining trend of the year was the widespread abuse of legitimate software, a technique known as “Living-Off-The-Land” (LOTL). Rather than relying solely on custom malware that could be flagged by security solutions, attackers increasingly co-opted legitimate remote access and management (RMM) tools like AnyDesk, TeamViewer, and Pulseway. After gaining an initial foothold through other means, attackers would deploy these trusted and often whitelisted applications to establish persistent access, move laterally across the network, disable security software, and ultimately deliver their final ransomware payloads. By hiding their activities within the noise of normal administrative traffic, they could operate with a high degree of stealth, evading detection by traditional security tools for extended periods and making attribution significantly more difficult for incident responders.
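The abuse of trusted RMM tools described above is hard to spot with signature-based controls precisely because the binaries are legitimate, so detection usually rests on context: which host ran the tool, from where, and spawned by what. The following is an added illustration, not code from the original article or from any vendor; it runs a small hunt over a handful of constructed process-creation events. The executable names, the approved-tool inventory, the "user-writable path" markers and the sample events are all assumptions made for the example.

```python
"""Added example: hunting for unapproved or oddly placed RMM tool execution.

Assumptions (mine, not the article's): process-creation telemetry is available
as records with host, user, image path and parent process, and the organisation
keeps an inventory of which RMM tools are sanctioned on which hosts.
"""
import ntpath
from dataclasses import dataclass, field

# Executable-name -> tool mapping for the RMM products the article names.
# The file names are assumed for illustration; build this from your own
# software inventory in practice.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "pcmonitorsrv.exe": "Pulseway",
}

# Path fragments that indicate a binary living outside a proper install
# location (an approved RMM agent normally lives under Program Files).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")

# Parents that suggest the tool arrived via mail or a document (phishing delivery).
DELIVERY_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe"}

# Sanctioned RMM tools per host; constructed for the example.
APPROVED_RMM = {
    "HELPDESK-01": {"TeamViewer"},
    "DC-01": {"Pulseway"},
}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:12:01Z", "host": "HELPDESK-01", "user": "svc_it",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "parent": "services.exe"},
    {"ts": "2025-03-04T09:40:55Z", "host": "FILESRV-02", "user": "j.doe",
     "image": r"C:\Users\j.doe\AppData\Roaming\AnyDesk\AnyDesk.exe", "parent": "outlook.exe"},
    {"ts": "2025-03-04T10:02:13Z", "host": "WKSTN-17", "user": "m.lee",
     "image": r"C:\Users\m.lee\Downloads\TeamViewer.exe", "parent": "explorer.exe"},
    {"ts": "2025-03-04T10:02:14Z", "host": "WKSTN-17", "user": "m.lee",
     "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"ts": "2025-03-04T11:30:00Z", "host": "DC-01", "user": "administrator",
     "image": r"C:\Program Files\Pulseway\PCMonitorSrv.exe", "parent": "services.exe"},
]


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    image: str
    parent: str
    reasons: list = field(default_factory=list)


def classify_rmm(event, approved):
    """Return a Finding for a suspicious RMM execution, or None if the event is
    either not an RMM tool or a sanctioned run from a normal location."""
    image = event["image"]
    tool = RMM_BINARIES.get(ntpath.basename(image).lower())
    if tool is None:
        return None  # not one of the tracked RMM binaries
    reasons = []
    if tool not in approved.get(event["host"], set()):
        reasons.append(f"{tool} is not an approved RMM tool on {event['host']}")
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary runs from a user-writable directory, not an install path")
    if event["parent"].lower() in DELIVERY_PARENTS:
        reasons.append(f"spawned by {event['parent']}, consistent with phishing delivery")
    if not reasons:
        return None
    return Finding(event["host"], event["user"], tool, image, event["parent"], reasons)


def hunt_rmm(events, approved):
    """Run the classifier over a batch of events and keep only the findings."""
    return [f for f in (classify_rmm(e, approved) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt_rmm(SAMPLE_EVENTS, APPROVED_RMM):
        print(f"[{finding.host}] {finding.tool} run by {finding.user}: {finding.image}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

On the constructed input the approved TeamViewer and Pulseway agents produce no findings, while the AnyDesk instance launched from a roaming profile by Outlook and the TeamViewer copy run from a Downloads folder are both flagged with every reason that applies. The host-level allow-list is the piece that does most of the work: a tool that is legitimate on a help-desk machine is still an anomaly on a file server.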
Recognizing that organizations’ most critical data is increasingly concentrated in virtualized and cloud environments, attackers significantly expanded their targeting of this modern infrastructure. VMware ESXi, a dominant hypervisor in enterprise data centers, became a prime target for groups like BlackSuit and Scattered Spider. By encrypting the hypervisor itself, attackers could simultaneously disable hundreds of virtual machines with a single stroke, causing catastrophic and widespread operational disruption that went far beyond simple data loss. Similarly, threat actors adapted their tactics for the cloud, targeting cloud databases like Snowflake and exploiting common misconfigurations in platforms like Amazon Web Services (AWS) to exfiltrate massive datasets quietly before initiating their extortion demands. This strategic shift demonstrated a keen understanding of modern IT architecture and a clear intent to inflict maximum possible damage to increase the pressure on victims to pay.
The Human Cost: Critical Infrastructure Under Siege
A Strategic Shift Towards Disruption
Perhaps the most concerning trend of 2025 was the deliberate and systematic targeting of critical infrastructure sectors by ransomware gangs. Between January and September, a staggering 2,332 incidents—representing a full 50% of all global ransomware attacks—were aimed at these vital services. The manufacturing sector witnessed the sharpest increase, with attacks surging by an alarming 61% as criminals sought to disrupt complex supply chains. Other essential sectors, including healthcare, energy, transportation, and financial services, also faced relentless and highly disruptive campaigns. This focus was not accidental but highly strategic, as attackers recognized that these sectors are uniquely vulnerable to downtime and face immense public and regulatory pressure to restore services as quickly as possible, theoretically making them more likely to pay ransoms to avoid prolonged outages.
This strategic pivot marked a significant evolution in the core purpose of ransomware. It moved beyond a simple data security issue, focused on the theft and encryption of information, to become a potent weapon of operational disruption. Attackers began to leverage the threat of downtime and the risk to public safety as their primary extortion tools. By crippling hospital operations, shutting down manufacturing plants, or disrupting transportation networks, they created crises that had immediate and tangible real-world consequences. The extortion was no longer just about recovering data; it was about restoring the fundamental ability of an organization to function and serve the public, a form of leverage that proved to be both powerful and, in some cases, deadly.
Healthcare at the Epicenter
The healthcare sector endured a particularly brutal onslaught, with attackers ruthlessly exploiting its unique vulnerabilities: the extreme sensitivity of patient data, the absolute necessity for operational continuity to preserve life, and the reality of often-underfunded IT security budgets. While the number of direct attacks on healthcare providers remained relatively stable, attacks on adjacent healthcare businesses—such as billing services, diagnostic labs, and pharmaceutical companies—rose by 30%. This tactic demonstrated a sophisticated understanding of the sector’s interconnected nature, as criminals targeted the broader supply chain to maximize their reach and create cascading points of failure throughout the system. The real-world consequences of this strategy were devastating, culminating in two landmark incidents that laid bare the human cost of ransomware.
The February 2024 attack on Change Healthcare, orchestrated by the ALPHV/BlackCat group, stands as the most consequential cyberattack in the history of the U.S. healthcare system. Attackers gained their initial foothold by exploiting a shocking lack of basic security hygiene: a critical server that handled connections to thousands of healthcare partners lacked multi-factor authentication. After exfiltrating an estimated 6 terabytes of sensitive data from a company that processes one in every three U.S. patient records, the group deployed ransomware, crippling healthcare payments and prescription processing nationwide for weeks. UnitedHealth Group, Change Healthcare’s parent company, ultimately paid a $22 million ransom. The situation then devolved into chaos when the affiliate who conducted the attack was allegedly cheated out of their share by the ALPHV operators and later joined the RansomHub group to extort the company for a second time. The breach ultimately impacted an estimated 192.7 million people and cost UnitedHealth Group over $1.5 billion, all while causing severe financial distress for medical practices across the country.
If the Change Healthcare incident demonstrated the economic devastation of ransomware, the June 2024 attack on Synnovis, a major UK pathology service provider, highlighted its direct threat to human life. The attack, carried out by the prolific Qilin group, forced the cancellation of over 800 planned operations and 700 outpatient appointments across major London hospitals as critical blood testing and diagnostic services were brought to a standstill. When its audacious $50 million ransom demand was refused, the group retaliated by leaking nearly 400GB of highly sensitive patient data onto the dark web. The most tragic outcome of this event came in June 2025, when an official investigation confirmed that the disruption and delays to blood test results caused by the cyberattack were a direct contributory factor in the death of a patient. This marked one of the first publicly confirmed instances where a ransomware attack was directly linked to a loss of life, transforming a theoretical risk into a grim reality.
An Inflection Point for Ransomware
The year 2025 was a watershed moment for the ransomware landscape, a period that confirmed its maturation into a multifaceted strategic threat capable of disrupting essential services, destabilizing entire industries, and directly endangering human lives. The advanced technical sophistication of groups like Qilin and Cl0p, the remarkable resilience of established operations like LockBit, and the innovative social engineering of actors such as Scattered Spider showed an adversary that was constantly adapting and evolving its tactics. The systematic targeting of critical infrastructure moved these attacks from the realm of corporate finance into the arena of public safety and national security.
Yet, this dark chapter also offered a powerful and undeniable message of hope. The dramatic collapse in ransom payment rates proved that the ransomware business model, once thought to be invincible, has a critical weakness. A combination of improved organizational resilience, proactive security measures, and a principled, widespread refusal to fund criminal enterprises began to break the vicious economic cycle that had fueled these attacks for years. The significant decline in overall ransomware revenue, occurring despite record attack volumes, signified that defensive investments and strategic non-payment decisions were having a material and measurable impact on attackers’ profitability, forcing a chaotic fragmentation of their ecosystem. This period demonstrated that while the threat had become more severe than ever, the collective will to fight back was finally beginning to turn the tide.