Ransomware’s new playbook is chaos

Ransomware threats are accelerating in scale, sophistication, and impact. Data reveals how evolving techniques, shifting payment trends, and AI-driven capabilities are reshaping the threat landscape, and raising the stakes for every organization.

The weekend is prime time for ransomware

Over half of organizations that experienced a ransomware event in the past year were hit during a weekend or holiday, according to a Semperis reportion, and fewer eyes on identity systems. Intruders know that reduced attention allows them to move deeper before alarms are raised.

Retailers are learning to say no to ransom demands

Ransomware remains one of the biggest operational risks for retailers, but the latest data shows a shift in how these attacks unfold. Fewer incidents now lead to data encryption, recovery costs have dropped, and businesses are bouncing back faster. Yet attackers are demanding more money, and security teams are feeling the strain.

Ransomware, extortion groups adapt as payment rates reach historic lows

Ransomware groups are facing an economic downturn of their own: In Q3 2025, only 23 percent of victims paid a ransom, and for data theft incidents that involved no encryption, the payment rate dropped to just 19 percent. Ransomware-as-a-Service groups like Akira target the mid-market and ask for smaller payments, but their payment rate remains slightly higher than the average. Other actors have gone in the opposite direction, targeting exclusively large enterprises that appear able to pay higher sums.

Ransomware groups are multiplying, raising the stakes for defenders

Ransomware activity is climbing again, with a steep increase in the number of victims and the number of groups launching attacks. From January through June, ransomware groups listed 3,734 victims on their public extortion sites. This is a 20% increase over the last half of 2024 and a 67% jump compared to the same period last year.

AI gives ransomware gangs a deadly upgrade

Ransomware continues to be the major threat to large and medium-sized businesses, with numerous ransomware gangs abusing AI for automation. From January to June 2025, the number of publicly reported ransomware victims jumped 70% compared to the same period in both 2023 and 2024. February stood out as the worst month, with 955 reported cases.

Ransomware groups shift to quadruple extortion to maximize pressure

Threat actors are using a new quadruple extortion tactic in ransomware campaigns, while double extortion remains the most common approach. The emerging trend of quadruple extortion includes using DDoS attacks to disrupt business operations and harassing third parties, like customers, partners, and media, to increase the pressure on the victim. It builds on double extortion ransomware in which attackers encrypt a victim’s data and threaten to leak it publicly if the ransom isn’t paid.

Companies negotiate their way to lower ransom payments

Nearly 50% of companies paid the ransom to recover their data, the second-highest rate in six years. Despite the high percentage of companies that paid the ransom, 53% paid less than the original demand. In 71% of cases where the companies paid less, they did so through negotiation, either through their own negotiations or with help from a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.

AI becomes key player in enterprise ransomware defense

Ransomware breaches continue to rise even as fewer victims pay. 69% of organizations globally have fallen victim to ransomware, with 27% being hit more than once. While only 57% of organizations paid ransoms, down from 76% in 2024, the frequency and impact of attacks continued to grow as threat actors turned to other tactics like extortion, with 85% of ransomware victims threatened with exposure.

Ransomware spreads faster, not smarter

The fall of two of the most dominant ransomware syndicates, LockBit and AlphV, triggered a power vacuum across the cybercriminal landscape. In their place, dozens of new actors emerged, many of them lacking the infrastructure, discipline, or credibility of their predecessors. The result was a surge in attack volume, a decline in coordination, and growing unpredictability in how, where, and why attacks occur.

Despite drop in cyber claims, BEC keeps going strong

Ransomware claims stabilized in 2024 despite remaining the most costly and disruptive type of cyberattack. 60% of 2024 claims originated from BEC and funds transfer fraud (FTF) incidents, with 29% of BEC events resulting in FTF. BEC claims severity increased 23% year-over-year (YoY) to an average loss of $35,000, primarily driven by a spike in the latter half of 2024.

Ransomware spike exposes cracks in cloud security

90% of IT and security leaders said their organization experienced a cyberattack within the last year. Nearly one fifth of organizations globally experienced more than 25 cyberattacks in 2024 alone, according to IT and security leaders, an average of at least one breach every other week. The most common attack vectors cited were data breaches (30%), malware on devices (29%), cloud or SaaS breaches (28%), phishing (28%), and insider threats (28%).

Ransomware attacks are getting smarter, harder to stop

Ransomware attacks are becoming more refined and pervasive, posing significant challenges to organizations globally. Report reveals that while the percentage of companies impacted by ransomware attacks has slightly declined from 75% to 69%, the threat remains substantial.

Ransomware groups push negotiations to new levels of uncertainty

Ransomware attacks increased by nearly 20% in 2024, and the severity rose by 13%. The blast radius of ransomware continues to grow as businesses impacted by attacks on vendors and partners increased 43%, while the average cost of these third-party incidents jumped by 72%.

AI will make ransomware even more dangerous

Ransomware is the top predicted threat for 2025, which is especially concerning given 38% of security professionals say ransomware will become even more dangerous when powered by AI. In comparison to the threat level, only 29% of security professionals say they are very prepared for ransomware attacks – leaving a significant gap in preparedness (29%), highlighting the need for more robust security measures.

Ransomware payments plummet as more victims refuse to pay

The total volume of ransom payments decreased year-over-year by approximately 35%, the blockchain analysis firm says. In 2023, victims delivered $1.25 billion to ransomware attackers and data theft and extortion gangs. In 2024, the number fell to $813.55 million.

Only 13% of organizations fully recover data after a ransomware attack

Ransomware attacks are disrupting and undermining business operations and draining revenue streams. Findings from the study reveal that 58% of organizations had to shut down operations following a ransomware attack, up from 45% in 2021. 40% reported a significant loss of revenue (up from 22% in 2021); 41% lost customers; and 40% had to eliminate jobs.

Must read / watch:

• Preventing the next ransomware attack with help from AI
• Pay, fight, or stall? The dilemma of ransomware negotiations
• When ransomware strikes, what’s your move?
• Ransomware will thrive until we change our strategy

Stay updated with the latest cybersecurity news. Subscribe here!