Ransomware trends, statistics and facts in 2025

Ransomware trends that continue in 2025

A few key ransomware trends that will likely continue in 2025 and beyond have emerged recently. Attackers, realizing that specific techniques yield better results, have focused on those approaches. Here are some of the primary trends for ransomware in recent years:

• Supply chain attacks. Instead of attacking a single victim, supply chain attacks extend the blast radius. One such example was an exploit in the Moveit Transfer product from Progress Software that led to large-scale ransomware attacks by the Clop ransomware gang. Over the last several years, multiple incidents have occurred, including the Kaseya attack, which affected at least 1,500 of its MSP customers, and the SolarWinds hack.
• Triple extortion. In the past, ransomware involved attackers encrypting information found on a system and then demanding a ransom in exchange for a decryption key. With double extortion, attackers also exfiltrate the data to a separate location. With triple extortion ransomware, attackers further threaten to leak data unless paid. Multiple threat actors have used triple extortion, including the Vice Society ransomware group that attacked the San Francisco Bay Area Rapid Transit system.
• Ransomware as a service (RaaS). Gone are the days when every attacker wrote their own ransomware code and ran a unique set of activities. RaaS is pay-for-use malware that provides attackers with the necessary ransomware code and operational infrastructure to launch and maintain a ransomware campaign.
• Attacking unpatched systems. This is not a new trend, but it continues to be an issue. While there are ransomware attacks that make use of novel zero-day vulnerabilities, most continue to abuse known vulnerabilities on unpatched systems.
• Phishing. While ransomware attacks can infect organizations in different ways, some form of phishing email was more often than not a root cause. With the rise of generative AI (GenAI), it has become easier for attackers to craft well-written phishing lures.

Ransomware statistics

The statistics listed below provide insight into the breadth and growing scale of ransomware threats:

• According to Verizon's "2024 Data Breach Investigations Report," released in May 2024, ransomware and data extortion accounted for 32% of reported attacks. No industry is immune to ransomware, with 92% of them identifying ransomware as a top threat.
• Ransomware affected 59% of organizations in 2024, according to Sophos' "State of Ransomware 2024" report.
• In 2024, Intel471 identified 101 different ransomware variants, including such colorful names as FSOCIETY, Funksec, GovRansomArtist, HellCat and Mad Liberator.
• According to analysis from Cyble, U.S. ransomware attacks increased by 149% year over year in the first five weeks of 2025, with 378 reported incidents compared to 152 in 2024.
• BlackFog also reported a surge in early 2025, with 92 disclosed incidents in January 2025 for a 21% year-over-year increase. The cybersecurity firm identified 32 different ransomware groups behind the attacks.

Ransomware statistics by industry

Ransomware can hit any individual or industry, and all verticals are at risk. That said, ransomware attacks have affected some verticals more than others and will continue to be an issue for years to come. The following are the top 13 ransomware targets by industry:

1. Education.
2. Construction and property.
3. Central and federal government.
4. Media, entertainment and leisure.
5. Local and state government.
6. Retail.
7. Energy and utilities infrastructure.
8. Distribution and transport.
9. Financial services.
10. Business, professional and legal services.
11. Healthcare.
12. Manufacturing and production.
13. IT, technology and telecoms.

Costs of ransomware attacks and payment trends

The costs attributed to ransomware incidents vary significantly, depending on the reporting source. Different points of view from both the private and public sectors provide some visibility into the cost and payment trends for ransomware attacks:

• While not every ransomware victim pays a ransom or incurs a cost, some do. According to research from blockchain analysis company Chainalysis, approximately $813.55 million was spent on ransomware payments in 2024.
• The Sophos "State of Ransomware 2024" report found the average ransom payment rose from $400,000 in 2023 to $2 million in 2024 -- an increase of 500%.
• In 2024, the average ransomware insurance claim increased by 68% to an average loss of $353,000, according to the "2024 Cyber Claims Report: Mid-year Update" from active insurance provider Coalition.

Recent ransomware attacks

In recent years, many ransomware attacks have affected organizations and their customers. The following are some of the notable attacks.

CDK Global. In June 2024, automotive technology provider CDK Global, which serves 15,000 dealerships, was forced to take most of its systems offline to contain a ransomware threat. The CDK Global ransomware attack caused significant disruptions for downstream customers, limiting the ability to buy and repair cars.

Change Healthcare. Arguably, 2024's most significant ransomware attack occurred in February with the Change Healthcare incident. The massive ransomware attack on the healthcare technology company affected more than 100 million individuals.

LoanDepot. In January 2024, the California-based mortgage lender experienced a ransomware attack that led to significant loan service disruptions affecting 16.6 million customers.

Boeing. In October 2023, aerospace giant Boeing was the victim of a cyberattack. The LockBit ransomware gang claimed credit for the incident.

MGM Resorts and Caesars Entertainment. In September 2023, two Las Vegas hotel and casino operators were struck by debilitating ransomware attacks that significantly affected their operations.

TSMC. In June 2023, Taiwan Semiconductor Manufacturing Company was allegedly breached by ransomware from the LockBit ransomware gang after a security incident at its partner Kinmax. The attackers demanded $70 million in ransom.

Moveit ransomware attacks. The most noteworthy ransomware incident in 2023 was the barrage of organizations that fell victim to the Moveit Transfer attacks from the Clop ransomware group. The Progress Software managed file transfer product flaw, tracked as CVE-2023-3462, was publicly detailed on May 31, 2023. Among its many victims were multiple U.S. government agencies, the BBC, British Airways, HR software provider Zellis and the government of Nova Scotia, Canada. Some analysts estimated that the Moveit attack was responsible for more than 600 breaches.

Dallas, Texas. The city was affected by a wide-ranging ransomware attack in May 2023.

Royal Mail. In January 2023, the British Royal Mail service was hit by the LockBit ransomware group and an $80 million ransom demand.

Ransomware predictions

Ransomware didn't start recently, won't end anytime soon and will likely continue to evolve. Here are some predictions on the direction ransomware will take in the years ahead.

• Attacks will be more targeted. Security vendor Zscaler's ThreatLabz research team predicted ransomware groups will shift from mass attacks to strategic, low-volume operations targeting high-value organizations.
• Increased data exfiltration attacks. Security vendor Trend Micro warned cybercriminals will increasingly employ data exfiltration attacks without necessarily encrypting files. This tactic aims to threaten victims with the public release of sensitive data, thus increasing pressure for ransom payments.
• GenAI could be a real problem. The rise of GenAI was a pervasive topic across the IT landscape in 2024. Attackers using GenAI in 2025 could lead to more advanced phishing campaigns and ransomware exploitation.

How to protect against ransomware attacks

Organizations and individuals can take steps to mitigate ransomware attacks, but there is no silver bullet that will solve or defend against ransomware. What's needed is a multilayered approach to improve IT security overall. The following six key steps safeguard assets against ransomware risks:

1. Implement a layered security strategy. Ransomware is just one of many risks that IT users face. Having multiple layers of defense is a key best practice.
2. Explore advanced protection technologies. Extended detection and response can help organizations identify potential risks leading to ransomware exploitation.
3. Inform employees of the risks of social engineering. Often, infections are caused by users clicking on something they shouldn't. Education and vigilance are essential.
4. Update software regularly. Ransomware code often targets known vulnerabilities, so updating software and firmware can eliminate a possible attack vector.
5. Conduct frequent backups of critical data. Ransomware targets data, and reliable backups can minimize the risk of losing it.
6. Consider tabletop exercises. Preparing for ransomware with a tabletop exercise can identify potential gaps and ensure the proper process is in place to mitigate and recover from a possible attack.

Editor's note: This article was updated in April 2025 to include new research data and to improve the reader experience.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.