Ransomware attacks are getting smarter, harder to stop

Ransomware attacks are becoming more refined and pervasive, posing significant challenges to organizations globally. A Veeam report reveals that while the percentage of companies impacted by ransomware attacks has slightly declined from 75% to 69%, the threat remains substantial.

This decrease is attributed to improved preparation and resilience practices, as well as increased collaboration between IT and security teams. However, as ransomware attacks from both established groups and “lone wolf” actors proliferate, organizations must adopt proactive cyber resilience strategies to mitigate risks and recover more swiftly and effectively from incidents.

“Organizations are improving their defenses against cyber-attacks, yet 7 out of 10 still experienced an attack in the past year. And of those attacked, only 10% recovered more than 90% of their data, while 57% recovered less than 50%. Our latest findings clearly indicate that the threat of ransomware will continue to challenge organizations throughout 2025 and beyond,” said Anand Eswaran, CEO of Veeam.

Data exfiltration attacks grow

In 2024, coordinated efforts by law enforcement agencies led to significant disruptions in major ransomware groups, such as LockBit and BlackCat. However, the rise of smaller groups and independent attackers has increased, necessitating ongoing vigilance.

The report notes a troubling trend toward exfiltration-only attacks – when cybercriminals break into an organization’s network but do not encrypt or lock the data. Instead, they focus on stealing sensitive information—like personal data, financial records, or intellectual property—and transferring it outside the organization.

Along with this shift toward data exfiltration — as well as toward double extortion that combines both encryption to restrict access and publication of sensitive exfiltrated data — there has also been a reduction in dwell time, the time between compromise and launching the attack, with many attacks occurring in just a matter of hours.

Organizations with weak cybersecurity measures are particularly vulnerable, as threat actors exploit vulnerabilities, often within hours.

Ransomware payments are decreasing

The total value of ransomware payments fell in 2024, with 36% of affected organizations opting not to pay a ransom. Of those that did pay, 82% paid less than the initial ransom and 60% paid less than half that sum, emphasizing the importance of robust recovery strategies.

Victims are increasingly hesitant to pay ransoms because they can’t trust attackers to release their data. Organizations have also proactively improved their own incident response plans, including through the use of immutable backups.

New regulations and legal frameworks are discouraging ransom payments, with initiatives like the International Counter Ransomware Initiative urging organizations to strengthen their defenses rather than capitulate to attackers.

Enhanced communication between IT operations and security teams, along with partnerships with law enforcement and industry players, has proven vital in fortifying defenses against ransomware.

While organizations are allocating more resources to security and recovery efforts, there remains a significant gap in investment relative to the growing threat landscape.

Overall, organizations tend to devote slightly more resources to security (31% of IT budget on average) rather than recovery (28% on average), which suggests a potential vulnerability in building up proactive resilience.

Backup recovery builds resilience

Organizations that prioritize data resilience can recover from attacks up to seven times faster and experience significantly lower data loss rates. These successful organizations share several common attributes, including backup and recovery strategies, proactive security measures, and incident response plans. The report highlights the shift from reactive security to proactive cyber resilience strategies to address the challenges of ransomware.

Findings from the report also encouraged organizations to adopt the 3-2-1-1-0 data resilience rule, ensuring that backups are immutable and free from malware before restoration.

Pre-attack confidence among ransomware victims often doesn’t reflect reality, as 69% believed they were prepared before being attacked, while their confidence plummeted by over 20% afterward, revealing significant gaps in planning. While 98% of respondents had a ransomware playbook, less than half of organizations had key technical elements included, such as backup verifications and frequencies (44%) and a pre-defined “chain of command” (30%).

Notably, CIOs experienced a 30% decline in their preparedness rating post-attack, compared to a 15% drop for CISOs, suggesting that CISOs have a clearer grasp of their organization’s security posture. These findings show the value of organizational alignment in cyber resilience, with regular training and exercises essential for a coordinated response during and after an attack.

Veeam surveyed 1,300 organizations to gauge how CISOs, security professionals, and IT leaders are recovering from cyber threats.