Ransomware Attacks in 2025: The War Continues

  • Terry Telford
  • May 12
  • 8 min read


The war between the white hats and the black hats continues to be dominated by AI technology that fuels ransomware attacks and social engineering. While cybersecurity specialists build defence mechanisms to fight the attacks, threat actors are increasing their ranks by making it easier to join the dark side: Ransomware as a Service (RaaS) lowers the barrier to entry and exponentially increases the need for businesses to strengthen their cybersecurity.


The real-world consequences of successful ransomware attacks have included the disruption of vital services like healthcare, energy, and even our access to basic necessities. This underscores the urgent need for comprehensive understanding and proactive mitigation.


The financial implications of ransomware attacks have escalated dramatically. The focus has shifted from individual victims to the more lucrative and disruptive targeting of intricate supply chains, amplifying the potential for widespread chaos and significant financial losses.


This dark evolution is being countered by defensive maneuvers from both governmental bodies and cybersecurity vendors. Your first defence against ransomware attacks is to equip yourself with the knowledge necessary to fortify your digital defenses against this ever-present threat.


Key Ransomware Attack Trends in 2025 


Threat actors are relentless in their pursuit of attack vectors. Several key trends are predicted to continue throughout 2025: 


  • Supply Chain Attacks: Targeting interconnected networks remains a highly effective tactic. By breaching a single, often less-defended, entity within a supply chain, attackers can compromise a multitude of downstream organizations. Reviewing past attacks can help secure the future. Two notable attacks from the recent past include:   

    • MOVEit Transfer: This incident began in May 2023 and was not directly a ransomware attack in its initial stages. It involved the exploitation of a critical zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer software. The Clop ransomware group exploited this vulnerability to gain unauthorized access to MOVEit Transfer databases. The primary aim of the initial attacks was data theft: the attackers deployed a web shell called LEMURLOOT to steal sensitive information from the compromised systems. Following the data theft, the Clop group used the stolen data for extortion, threatening to leak it publicly if their demands were not met. This tactic aligns with the double extortion model often associated with ransomware groups. While the initial compromise was a vulnerability exploit leading to data theft, the involvement of the Clop ransomware group and their subsequent extortion tactics move this incident into the ransomware ecosystem. Therefore, although the initial breach did not involve ransomware encrypting systems, it evolved into an extortion campaign by a known ransomware group using stolen data, blurring the line between data-theft extortion and ransomware.

    • Kaseya: This cyberattack occurred on July 2, 2021 and was a significant supply chain ransomware attack that exploited vulnerabilities in Kaseya's VSA (Virtual System Administrator) software, a remote monitoring and management tool used by Managed Service Providers (MSPs). The attack leveraged a zero-day authentication bypass vulnerability in Kaseya VSA servers, which allowed the attackers to bypass authentication and execute commands via SQL injection. The Russian-linked ransomware gang REvil (also known as Sodinokibi) exploited this access to deploy their ransomware payload, pushing it out through what appeared to be a legitimate software update from Kaseya's VSA platform. Because MSPs use Kaseya VSA to manage the IT infrastructure of multiple downstream clients, the attack had a cascading effect. It is estimated that the attack impacted around 60 of Kaseya's direct MSP customers, which in turn led to the encryption of data and disruption of operations for between 800 and 1,500 downstream businesses across 17 countries, making it one of the largest supply chain ransomware attacks on record. REvil demanded a staggering $70 million in cryptocurrency for a universal decryption key to unlock all affected systems; individual victims were also asked to pay smaller ransoms. The attackers targeted Kaseya because compromising its software allowed them to simultaneously reach a large number of MSP clients and, subsequently, the clients of those MSPs. The Kaseya attack highlighted the severe risks associated with supply chain vulnerabilities and the potential for widespread disruption from a single point of compromise.

  • The Rise of Triple Extortion: The initial ransomware attack model, involving data encryption and a demand for decryption keys, has evolved. Double extortion introduced data exfiltration, adding the threat of public data leaks. Now, triple extortion is gaining traction. This advanced tactic combines encryption, data theft, and additional pressure points, such as directly targeting the victim's customers or business associates. Triple extortion significantly increases the likelihood of ransom payments, making resilient backup and recovery strategies paramount.

  • The Democratization of Cybercrime Through Ransomware as a Service (RaaS): The technical expertise required to launch a sophisticated ransomware attack has been significantly reduced by the rise of RaaS. This model provides aspiring cybercriminals with off-the-shelf ransomware code and the necessary infrastructure to execute campaigns, often on a subscription or profit-sharing basis. This accessibility has led to a proliferation of ransomware actors and a corresponding increase in the volume of ransomware attacks. Understanding the RaaS ecosystem is crucial for effective threat intelligence and proactive defense. 

  • The Persistent Danger of Unpatched Vulnerabilities: Despite the allure of zero-day exploits, a significant proportion of successful ransomware attacks continue to leverage well-known vulnerabilities in unpatched software and systems. This underscores a fundamental cybersecurity principle: the critical importance of diligent and timely patching. Attackers actively seek out and exploit systems with outdated software, making proactive patch management a cornerstone of any robust defense. 

  • The Enduring Effectiveness of Phishing: Despite advancements in security technologies, phishing remains a primary entry point for many ransomware attacks. The human element remains a significant vulnerability. The increasing sophistication of phishing emails, fueled by generative AI (GenAI), makes detection more challenging. Comprehensive employee training on social engineering tactics and the implementation of robust email security measures are vital to mitigating this persistent threat vector. 


Ransomware Statistics Reported in 2025


The statistical landscape of ransomware attacks in 2025 paints a stark picture of an escalating and pervasive threat: 

  • According to Check Point, ransomware attacks surged by 126% in Q1 2025 compared to Q1 2024, with a total of 2,289 reported incidents.  

  • North America accounted for the majority (62%) of global ransomware attacks reported in Q1 2025. 

  • Halcyon reported the average ransom demand decreased by 22% year-over-year to $1.1 million.  

  • Consumer Goods & Services was the most targeted sector for ransomware attacks in Q1 2025, accounting for 13.2% of victims, says Check Point. 

  • Unit 42 reported that 86% of incident response cases in early 2025 involved business disruption, which includes operational downtime and reputational damage linked to events like ransomware.  


These statistics collectively underscore the growing and pervasive danger posed by ransomware attacks across all sectors. 


Top Industries Targeted by Ransomware 


While every sector faces the risk of a ransomware attack, certain industries have historically been more heavily targeted. Understanding these patterns allows organizations within these verticals to prioritize their security investments: 


  1. Central and Federal Government: Sophos' 2024 survey revealed that 68% of central government organizations experienced ransomware attacks, potentially linked to geopolitical tensions. This sector also faced the highest median ransom demand at $7.7 million. The 2022 attack on Costa Rica by the Conti gang, which crippled multiple federal agencies, serves as a stark example. 

  2. Healthcare: With its high-stakes operations and often widespread vulnerabilities, healthcare remains a prime target. In 2024, two in three healthcare organizations reported recent ransomware attacks. This sector also showed a high likelihood (57%) of paying more than the initial ransom demand.  

  3. Energy and Utilities Infrastructure: Maintaining a 67% attack rate between Sophos' 2023 and 2024 surveys, this sector is consistently targeted due to the potential for high-profile disruption. Exploited vulnerabilities were the cause of nearly half of these incidents. The Colonial Pipeline attack serves as a stark reminder of the severe consequences of ransomware attacks on critical infrastructure. 

  4. Higher Education: With a 66% attack rate, higher education institutions remain a significant target. This sector was also the most likely to pay higher ransom fees than initially demanded, possibly due to a commitment to data recovery and less access to negotiation expertise. The closure of Lincoln College in 2022, partly attributed to a ransomware attack, underscores the severe impact these attacks can have. 

  5. Financial Services: Experiencing a 65% attack rate, the financial services sector is a high-value target. Notably, this sector reported the lowest rates of data encryption and was most successful in negotiating lower ransom fees. Authorities have warned that a major ransomware attack on this industry could trigger a significant financial crisis. 

  6. Manufacturing and Production: This sector saw the largest year-over-year increase in attack rates in 2024, reaching 65%. While heavily targeted, manufacturers also saw the greatest reduction in ransom payments through negotiation. The attack on JBS USA, a major meat supplier, demonstrates the potential for significant operational disruption. 

  7. Lower Education: While the attack rate in lower education decreased to 63% in 2024, this sector still faces significant risks, including compromised backups and a tendency to pay higher ransom demands. The shutdown of the Chambersburg Area School District in Pennsylvania highlights the disruptive impact on students and families. 

  8. Media, Entertainment and Leisure: With a 62% attack rate, this sector shows a high rate of backup usage but is also very likely to pay ransoms to recover data. Attacks on companies like Macmillan Publishers, Cox Media Group, and Sinclair Broadcast Group have caused significant operational disruptions. 

  9. Construction and Property: Sixty-two percent of businesses in this sector reported recent ransomware attacks. While the median ransom demand was lower compared to other sectors, it still amounted to a considerable $1.1 million. 

  10. Distribution and Transport: Sixty percent of companies in this sector experienced ransomware attacks, with exploited vulnerabilities and phishing being common entry points. 


This detailed breakdown highlights the diverse range of industries under siege from ransomware attacks, reinforcing the need for robust and tailored cybersecurity strategies across all sectors. 


Costs and Payment Trends of Ransomware Attacks 


The financial repercussions extend far beyond the ransom payment itself, encompassing recovery expenses, reputational damage, and business interruption. Examining cost and payment trends reveals the significant economic burden: 

  • Chainalysis data indicates that approximately $813.55 million was paid in ransomware ransoms in 2024, highlighting the substantial financial incentives driving these attacks. 

  • The average ransom payment surged by 500% between 2023 and 2024, reaching a staggering $2 million, according to Sophos. This dramatic increase underscores the escalating demands of ransomware operators. 

  • Coalition's data shows a 68% increase in the average ransomware insurance claim in 2024, reaching $353,000, reflecting the growing overall costs associated with these incidents. 


Recent Notorious Ransomware Attacks 


Examining recent high-profile ransomware attacks provides critical context to the trends and statistics we've discussed: 

  • CDK Global (June 2024): The ransomware attack on this automotive technology provider disrupted services for 15,000 dealerships, impacting car sales and repairs. 

  • Change Healthcare (February 2024): This massive ransomware attack affected over 100 million individuals, causing widespread disruption across the U.S. healthcare system. 

  • LoanDepot (January 2024): A ransomware attack on this mortgage lender impacted 16.6 million customers, causing significant service disruptions. 

  • Boeing (October 2023): Aerospace giant Boeing was targeted by the LockBit ransomware gang. 

  • MGM Resorts and Caesars Entertainment (September 2023): These Las Vegas hotel and casino operators suffered debilitating ransomware attacks, severely impacting their operations. 

  • TSMC (June 2023): A security incident at a partner led to an alleged ransomware attack by the LockBit gang on this critical chip manufacturer, with a $70 million ransom demand. 

  • Dallas, Texas (May 2023): The city of Dallas fell victim to a broad ransomware attack. 

  • Royal Mail (January 2023): The British Royal Mail was targeted by the LockBit ransomware group with an $80 million ransom demand. 


The Future Landscape: Ransomware Predictions 


The battlefield is in a constant state of flux. Experts predict several key trends will shape its future: 

  • Increased Focus on Targeted Attacks: A shift from broad, indiscriminate attacks to more focused campaigns targeting high-value organizations. 

  • Greater Emphasis on Data Exfiltration Without Encryption: The threat of data leaks alone will become a more prominent extortion tactic. 

  • The Growing Influence of AI: Generative AI is expected to be leveraged to create more sophisticated phishing attacks and potentially more evasive ransomware. 


Strengthening Your Defenses Against Ransomware Attacks 


Proactive and layered security measures are essential to mitigate the risk of a ransomware attack:

  1. Implement a Multi-Layered Security Approach: Employ a combination of security controls to create a robust defense-in-depth strategy. 

  2. Leverage Advanced Threat Detection: Explore Extended Detection and Response (XDR) solutions for enhanced visibility and faster response to potential threats. 

  3. Prioritize Security Awareness Training: Educate employees about the risks of social engineering and phishing. 

  4. Maintain Rigorous Patch Management: Ensure all software and systems are updated promptly to address known vulnerabilities. 

  5. Implement a Robust Backup and Recovery Plan: Regularly back up critical data offline to facilitate recovery without paying a ransom. 

  6. Conduct Tabletop Exercises: Simulate ransomware attack scenarios to test and refine your incident response plan. 
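Items 5 and 6 above only work if the offline backup you plan to restore from is actually intact. The following is an added example, not code from the original article: it builds a SHA-256 manifest of the primary data at backup time and later checks the offline copy against it, reporting files that are missing or whose content has changed (the signature of a backup that was encrypted or tampered with). The directory layout and file contents are constructed for the demonstration.

```python
"""Verify an offline backup against a hash manifest before trusting it for recovery."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Record the SHA-256 of every file under root, keyed by path relative to root."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_backup(backup_root, manifest):
    """Compare the backup tree with a manifest taken when the backup was made.

    The manifest must be kept apart from the backup media; if both sit on the
    same volume an attacker who encrypts the backup can rewrite the manifest too.
    Returns a dict with 'ok', 'modified' and 'missing' relative paths.
    """
    result = {"ok": [], "modified": [], "missing": []}
    current = build_manifest(backup_root)
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed scenario: primary data copied to a backup, then the backup is damaged."""
    sample = {"ledger.csv": b"id,amount\n1,100\n", "notes.txt": b"meeting notes\n"}
    with tempfile.TemporaryDirectory() as primary, tempfile.TemporaryDirectory() as backup:
        for root in (primary, backup):
            for name, data in sample.items():
                with open(os.path.join(root, name), "wb") as fh:
                    fh.write(data)
        manifest = build_manifest(primary)
        clean = verify_backup(backup, manifest)
        # Simulate one backup file being overwritten with ciphertext and one deleted.
        with open(os.path.join(backup, "ledger.csv"), "wb") as fh:
            fh.write(b"\x8f\x11\xa2\x07 encrypted-by-ransomware")
        os.remove(os.path.join(backup, "notes.txt"))
        damaged = verify_backup(backup, manifest)
    return clean, damaged
```

Run `demo()` during a tabletop exercise: a clean result means every manifest entry matched, while a damaged result names exactly the files you could not restore from this copy.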


Navigating the Persistent Threat of Ransomware Attacks 


Ransomware attacks remain a significant and evolving threat in 2025. By understanding the current trends, heeding the statistical warnings, and learning from past incidents, organizations can take proactive steps to bolster their defenses. A comprehensive strategy encompassing advanced security technologies, well-informed employees, and a robust incident response plan is crucial for navigating this challenging cybersecurity landscape. Vigilance and continuous adaptation are key to mitigating the persistent risks posed by ransomware attacks. 

