
November 30, 2025

Ransomware Statistics 2025: Record Attacks and Falling Payments

The most comprehensive breakdown of 2025 ransomware statistics and threat trends.

Mohammed Khalil


The year 2025 represents a watershed moment in the history of cyber extortion. The ransomware ecosystem, once defined by opportunistic encryption of individual endpoints, has matured into a complex, industrialized economy characterized by volatile shifts in tactics, aggressive target selection, and a fundamental transformation in the "volume-to-value" ratio of cybercrime. This report provides an exhaustive analysis of the ransomware landscape in 2025, synthesizing data from forensic incident response, global threat telemetry, and dark web intelligence to offer a definitive account of the strategic realities facing organizations today.

Our analysis of the 2025 threat data reveals a digital ecosystem in a state of chaotic flux. While the sheer volume of attacks has reached historic highs, surging 34% year-over-year in the first three quarters alone, the efficacy of the traditional encryption-based business model is in unprecedented decline. Victims are refusing to pay at record rates, driven by more mature backup strategies and an increasingly hostile regulatory environment. In response, threat actors have pivoted toward "Double Extortion," cloud-native exploitation, and aggressive supply-chain compromises to maintain their revenue streams.

The emergence of the Codefinger threat actor, which abuses Amazon Web Services (AWS) S3 Server-Side Encryption with Customer-Provided Keys (SSE-C) to lock victims out of their own cloud storage without deploying any malware, signals a dangerous evolution in tradecraft that bypasses conventional detection mechanisms. Furthermore, the targeting logic has shifted aggressively toward the Manufacturing sector, which saw a 61% year-over-year increase in attacks, as criminals seek targets with the lowest tolerance for operational downtime.

This report is structured to provide a granular examination of these trends. We begin with a macro-statistical overview of the global threat landscape, followed by deep dives into threat actor dynamics, technical innovations, sector-specific risks, regional geopolitical influences, and the changing economics of cyber extortion.

The 2025 Macro-Statistical Landscape

The quantitative data for 2025 presents a clear and disturbing narrative: ransomware has evolved from a targeted, high-stakes heist model into a high-volume, industrialized churn. The barrier to entry has lowered, leading to a proliferation of attacks, while the "success" rate of these attacks, defined as successful monetization, has degraded, forcing threat actors to increase volume to sustain profitability.

Global Volume and Frequency: The Acceleration of Threat

The aggregate data for 2025 confirms that the frequency of ransomware incidents is accelerating at a rate that outpaces previous projections. Reports indicate that from January to September 2025, there were 4,701 confirmed ransomware incidents globally. This figure stands in sharp contrast to the 3,219 incidents recorded during the same period in 2024, marking a statistically significant 34% increase.

This surge is not merely a result of better detection but reflects a deliberate strategic shift by Ransomware-as-a-Service (RaaS) groups. As the probability of payment per victim decreases, groups are forced to increase the volume of compromises to maintain revenue baselines. By mid-2025, security researchers were observing approximately 520-540 new ransomware victims per month, roughly double the rate observed in early 2024.

The third quarter of 2025 was particularly intense. Leak site data showed 1,592 victims in Q3 alone, a 25% increase compared to Q3 2024. This relentless tempo suggests that the criminal ecosystem has achieved a level of redundancy and automation that decouples it from the human resource constraints that previously dictated operational cycles. 

Notably, the historical "summer lull", a period in which cybercrime typically dipped because of holidays in Eastern Europe and Russia, did not occur in 2025. Ransomware crews hit targets consistently, month after month, indicating a professionalized workforce operating on 24/7 rotations.

The "Volume vs Value" Paradox

A critical insight from the 2025 dataset is the inverse relationship between attack volume and monetization. While attack volume increased by 34%, the median ransom payment dropped by 50%, falling from $2.0 million in 2024 to approximately $1.0 million in 2025. This devaluation of the "product" forces threat actors to engage in more aggressive negotiation tactics and lower their initial demands to secure any payment at all.

The median ransom demand also fell by 34% to $1.32 million. This suggests a "market correction" in the cyber extortion economy: victims are no longer willing or able to pay exorbitant sums. The correction is driven largely by the fact that 63% of victims now refuse to pay, up sharply from 41% in 2024.

This refusal is grounded in the improved capability of organizations to restore data from backups. The statistic that 97% of organizations recover their data (via backups or other means) indicates that the encryption component of ransomware, once the primary leverage, has been largely neutralized as a catastrophic threat for mature enterprises. Consequently, the threat has migrated from availability (encryption) to confidentiality (data leakage).

Key Metrics Comparison (2024 vs 2025)

The following table synthesizes key performance indicators of the ransomware economy, highlighting the divergence between attack prevalence and attacker profitability.

Metric | 2024 Statistics | 2025 Statistics | YoY Change | Implication
-------|-----------------|-----------------|------------|------------
Total Incidents (Jan-Sept) | 3,219 | 4,701 | +34% | Accelerating operational tempo, automation of initial access.
Payment Rate | ~50% | 23% - 37% | -44% (approx.) | Collapsing victim willingness to pay, better backups.
Median Ransom Demand | $2.0 Million | $1.32 Million | -34% | Pricing correction, attackers lowering asks to encourage payment.
Median Payment | $2.0 Million | $1.0 Million | -50% | Successful negotiation by victims, lower settlements.
Avg. Recovery Cost | $2.73 Million | $1.53 Million | -44% | Improved incident response (IR) efficiency and backup restoration.
Global Revenue (Est.) | $457 Million (2022) | $1.1 Billion+ (2023*) | +140% (lagging) | Volume is compensating for lower individual payments.

* Global revenue estimates are shown for 2022 and 2023 because this figure lags the other metrics; the row indicates the trend and is not a direct 2024 vs 2025 comparison.

Threat Actor Dynamics and the RaaS Ecosystem

The 2025 threat landscape is characterized by high volatility within the Ransomware-as-a-Service (RaaS) hierarchy. The monolithic dominance of single groups has been replaced by a fragmented, highly competitive market in which affiliates migrate rapidly between programs and "exit scams" by administrators are increasingly common. The ecosystem is Darwinian: groups that fail to innovate or to attract high-quality affiliates rapidly lose market share.

The Rise of Qilin: A New Hegemon

Following the law enforcement disruption of LockBit in early 2024, the vacuum was filled by aggressive competitors. By mid-2025, Qilin emerged as the most prolific ransomware group. In June 2025 alone, Qilin carried out 81 attacks, representing a 47.3% monthly surge.

Qilin's dominance is attributed to its sophisticated technical capabilities and ruthless targeting logic. The group has heavily invested in encryptors designed for Linux and VMware ESXi environments, recognizing that these servers often host the critical databases and virtual machines that power modern enterprises.

The "Korean Leaks" Campaign:

A defining moment for Qilin in 2025 was its targeted campaign against the South Korean financial sector. Rather than the "spray and pray" tactics of lesser groups, Qilin executed a focused supply-chain attack: it breached a South Korean managed service provider (MSP) and used that single foothold to reach the provider's financial-sector customers, which is how one intrusion produced more than two dozen victims [10].

DragonForce: The Aggressive Challenger

One of the most statistically significant trends in 2025 is the meteoric rise of DragonForce. Data indicates a 212.5% increase in attacks by this group. DragonForce represents a new breed of RaaS operator that recruits displaced affiliates from defunct groups like ALPHV/BlackCat and LockBit.

DragonForce has differentiated itself through "hybrid extortion," combining encryption with high-pressure data leak sites. The group's rapid growth exemplifies the "gig economy" nature of modern cybercrime: when one major brand collapses, its workforce does not retire; it simply rebrands and migrates to the next available infrastructure provider. DragonForce's operational model offers a competitive commission structure (often taking a smaller cut than established groups) to attract high-volume affiliates.

The Volatility of RansomHub

RansomHub, once a dominant force in early 2025, illustrates the volatility of the market. After leading attack volumes in Q1 2025, the group's infrastructure abruptly went offline in April, effectively ceasing operations. This disappearance, likely due to either law enforcement pressure or an internal "exit scam" (where admins steal affiliate funds and vanish), caused a massive redistribution of affiliates. Former RansomHub affiliates were observed migrating to DragonForce and surviving LockBit splinters, highlighting the fluidity of the criminal workforce.

Group Activity Analysis (Q2/Q3 2025)

The following table summarizes the activity levels of major ransomware groups based on leak site data and incident response engagements in mid-2025. It reveals a landscape where old names are fading (Play, SafePay) and new aggressors are surging (Qilin, DragonForce).

Rank | Ransomware Group | Activity Trend | Key Characteristics & 2025 Behavior
-----|------------------|----------------|------------------------------------
1 | Qilin | Surging (+47% MoM) | Responsible for 29% of all attacks in Oct 2025; heavy focus on MSPs and ESXi; "Korean Leaks" campaign.
2 | Akira | Steady growth (+9.7%) | Continues to plague SMBs via VPN exploitation; 212% YoY increase in Q3 2025.
3 | Play | Declining (-31.8%) | Significant pullback in activity; focused on high-value targets at lower volume; dropped to 102 claims in Q3.
4 | DragonForce | Explosive (+212.5%) | Aggressive recruitment of displaced affiliates; rapid operational tempo; 20 victims in Oct 2025.
5 | SafePay | Collapsing (-62.5%) | Massive reduction in operations; indicators of tooling or organizational failure.

This data confirms a consolidation of power among groups that can successfully navigate the "post-LockBit" environment, specifically those who can offer affiliates reliable infrastructure and effective data leak platforms.

Technical Innovation: Cloud, Codefinger, and the Death of Malware

A defining characteristic of the 2025 landscape is the migration of ransomware tactics from traditional on-premises endpoints to cloud environments. As organizations harden their endpoints with Endpoint Detection and Response (EDR) and immutable backups, attackers are seeking the path of least resistance: the management plane of the cloud itself.

Codefinger and the Abuse of AWS SSE-C

The most significant technical development of 2025 is the emergence of the Codefinger campaign. Unlike traditional ransomware, which drops a malicious binary to encrypt files (a process modern EDR tools are very good at detecting), Codefinger weaponizes native Amazon Web Services (AWS) features against the victim. It is a "Living off the Cloud" attack: the only tooling involved is the AWS API, driven with the victim's own credentials.

Mechanism of Attack:

  1. Credential Compromise: The actor obtains working AWS API keys (typically leaked in public code repositories, harvested by phishing, or lifted from a compromised developer workstation) that carry s3:GetObject and s3:PutObject permissions on the target buckets.
  2. Native Encryption Abuse: Using those keys, the actor copies each S3 object over itself and requests Server-Side Encryption with Customer-Provided Keys (SSE-C) on the write. The request carries the header x-amz-server-side-encryption-customer-algorithm set to AES256 and the header x-amz-server-side-encryption-customer-key holding an AES-256 key the attacker generated [5]. Nothing executes inside the victim's environment; S3 performs the encryption.
  3. Key Discard: AWS encrypts the object with the supplied key and does not retain it. CloudTrail records only a hash-based message authentication code (HMAC) of the key, which cannot be used to reconstruct it. The only copy of the key lives on the attacker's infrastructure.
  4. Irrevocable Lockout: Without that key the ciphertext cannot be decrypted, and AWS has nothing to restore from. The victim is locked out of its own data by a feature working exactly as designed.
  5. Urgency Creation: To pressure the victim, the actor attaches an S3 Lifecycle rule that expires the objects after 7 days, turning the ransom deadline into a scheduled deletion.
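The script below is an added example written for this article, not tooling from the Codefinger reporting or from AWS. It triages a batch of CloudTrail S3 data-event records for the pattern just described (objects rewritten with SSE-C, followed by a short-fuse lifecycle expiration) and groups the hits by access key. The five records are constructed for the example. The field layout it assumes (the SSE-C request header under requestParameters, SSEApplied under additionalEventData, PutBucketLifecycle as the lifecycle event name) follows the CloudTrail S3 event format as I understand it and should be checked against a record from your own trail before the field names are relied on; it also assumes S3 data events are enabled on the trail, since object-level calls are not logged otherwise.

```python
"""Triage CloudTrail S3 data events for the Codefinger pattern: objects
rewritten with SSE-C (a customer-provided key AWS never stores) followed by
a short-fuse lifecycle expiration.  Standard library only.

Assumed record layout (verify against your own trail): the SSE-C request
header appears under requestParameters with its HTTP name, and
additionalEventData.SSEApplied carries "SSE_C".
"""
import json
from collections import defaultdict

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def is_ssec_write(event):
    """True when an object was written (or copied over itself) with a
    customer-provided key."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in WRITE_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return SSEC_HEADER in params or extra.get("SSEApplied") == "SSE_C"


def _as_list(value):
    # A single lifecycle rule is serialised as an object, several as a list.
    return value if isinstance(value, list) else [value]


def short_expiry_days(event, max_days=7):
    """Smallest Expiration.Days set by a lifecycle-configuration write, or
    None if the event is not one or every rule expires later than max_days."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return None
    config = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    hits = []
    for rule in _as_list(config.get("Rule", [])):
        days = (rule.get("Expiration") or {}).get("Days")
        if isinstance(days, int) and days <= max_days:
            hits.append(days)
    return min(hits) if hits else None


def triage(events):
    """Group suspicious S3 activity by access key.  A key that both rewrites
    objects with SSE-C and sets a short-fuse expiry matches the full pattern;
    either signal alone has legitimate uses, so it is reported but not flagged."""
    findings = defaultdict(lambda: {"ssec_writes": 0, "buckets": set(), "expiry_days": None})
    for event in events:
        key_id = (event.get("userIdentity") or {}).get("accessKeyId", "unknown")
        bucket = (event.get("requestParameters") or {}).get("bucketName", "?")
        if is_ssec_write(event):
            findings[key_id]["ssec_writes"] += 1
            findings[key_id]["buckets"].add(bucket)
        days = short_expiry_days(event)
        if days is not None:
            findings[key_id]["expiry_days"] = days
            findings[key_id]["buckets"].add(bucket)
    report = {}
    for key_id, f in findings.items():
        report[key_id] = {
            "ssec_writes": f["ssec_writes"],
            "expiry_days": f["expiry_days"],
            "buckets": sorted(f["buckets"]),
            "codefinger_pattern": f["ssec_writes"] > 0 and f["expiry_days"] is not None,
        }
    return report


# Constructed sample records (not real CloudTrail output): one benign SSE-S3
# upload, two SSE-C rewrites by a leaked key, the leaked key's 7-day expiry
# rule, and a benign 365-day rotation rule on another bucket.
SAMPLE_EVENTS = json.loads("""[
 {"eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "userIdentity":{"accessKeyId":"AKIAEXAMPLEBENIGN"},
  "requestParameters":{"bucketName":"prod-reports","key":"q3.pdf"},
  "additionalEventData":{"SSEApplied":"SSE_S3"}},
 {"eventSource":"s3.amazonaws.com","eventName":"CopyObject",
  "userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED"},
  "requestParameters":{"bucketName":"prod-reports","key":"q3.pdf",
   "x-amz-copy-source":"prod-reports/q3.pdf",
   "x-amz-server-side-encryption-customer-algorithm":"AES256"},
  "additionalEventData":{"SSEApplied":"SSE_C"}},
 {"eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED"},
  "requestParameters":{"bucketName":"prod-reports","key":"ledger.csv",
   "x-amz-server-side-encryption-customer-algorithm":"AES256"}},
 {"eventSource":"s3.amazonaws.com","eventName":"PutBucketLifecycle",
  "userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED"},
  "requestParameters":{"bucketName":"prod-reports",
   "LifecycleConfiguration":{"Rule":{"ID":"pay-up","Status":"Enabled",
    "Filter":{"Prefix":""},"Expiration":{"Days":7}}}}},
 {"eventSource":"s3.amazonaws.com","eventName":"PutBucketLifecycle",
  "userIdentity":{"accessKeyId":"AKIAEXAMPLEBENIGN"},
  "requestParameters":{"bucketName":"logs-archive",
   "LifecycleConfiguration":{"Rule":[{"ID":"rotate","Status":"Enabled",
    "Expiration":{"Days":365}}]}}}
]""")

if __name__ == "__main__":
    for key_id, finding in triage(SAMPLE_EVENTS).items():
        print(key_id, json.dumps(finding))
```

To run it against real data, replace SAMPLE_EVENTS with the Records array of a CloudTrail log file. The signal worth paging on is a single access key that both rewrites objects with SSE-C and sets a short expiration; SSE-C uploads alone occur in legitimate pipelines, and short expiries alone are common on scratch buckets.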

Implications:

This technique is devastating because it triggers no malware alerts. It appears as legitimate administrative activity, a user encrypting data for security purposes, and unless S3 data events are enabled on the trail it does not appear in CloudTrail at all, because object-level API calls are not logged by default. Halcyon and Trend Micro researchers identified this as a "systemic threat" because standard data recovery tools are ineffective when the cloud service itself enforces the encryption [4]. One caveat matters for defenders: with bucket versioning enabled, the SSE-C overwrite creates a new object version and the previous plaintext version remains recoverable unless the actor also holds permission to delete object versions. The technique forces organizations to rethink their side of the Shared Responsibility Model, specifically the lifecycle and permissions of API keys.

Double and Triple Extortion: The New Standard

In 2025, 76% of all ransomware attacks involved data exfiltration prior to encryption. This is now the industry standard, effectively rendering the concept of "ransomware" synonymous with "data breach."

The "Double Extortion" model (pay to decrypt + pay to suppress leak) has evolved into "Triple Extortion." In this model, attackers not only encrypt and steal data but also aggressively harass the victim's clients, partners, or patients to increase leverage. For example, in the River Region Cardiology attack, the BianLian group threatened to release patient data to force payment, bypassing the organization's decision-making hierarchy by creating external pressure.

The Speed of Exfiltration

The speed of attacks has increased dramatically. Data from Palo Alto Networks Unit 42 indicates that in 25% of incidents the Mean Time to Exfiltrate (MTTE) was just 5 hours from initial access. In some AI-assisted simulations, this window shrank to as little as 25 minutes. This compression of the kill chain is driven by automation and the use of AI to identify high-value data assets rapidly. Defenders are left with a vanishingly small window to detect and intercept data theft before the damage is irreversible.

Encryption-Less Extortion

A growing minority of attacks (6% in 2025, up from 3% in 2024) involve no encryption at all. In these cases, the attacker simply steals the data and demands a ransom to prevent its release. This tactic appeals to "lone wolf" attackers or affiliates who lack the technical infrastructure to manage complex decryptors but possess the skills to exfiltrate data. However, statistics show this method is less successful, with only 19% of victims paying when no encryption is involved, suggesting that operational disruption (downtime) remains the primary driver for ransom payment.

Sector-Specific Risk Analysis: The Cost of Downtime

The targeting logic of ransomware groups in 2025 is driven by a cold calculus of "downtime intolerance." Sectors that cannot afford to go offline even for a day are disproportionately targeted. This has led to a significant reshuffling of the victim leaderboard.

Manufacturing: The Primary Target

Manufacturing displaced healthcare and finance to become the #1 targeted sector in 2025, witnessing a 61% year-over-year increase in attacks.

Healthcare: High Impact, High Stakes

Healthcare remains a favored target due to the sensitivity of patient data (Protected Health Information - PHI) and the life-or-death necessity of uptime.

Education: The Volume Leader

In terms of raw frequency, the Education sector faced the highest assault rate in Q2 2025, averaging 4,388 attacks per week per organization.

Financial Services and Banking

The banking sector faced aggressive targeting, with 65% of financial organizations experiencing an attack in 2024/2025. The "Korean Leaks" campaign by Qilin specifically targeted this sector, compromising 24 financial institutions in September 2025 alone. This sector's high liquidity makes it an attractive target, but its heavy regulation often prevents ransom payments, leading to high data leak rates.

Regional Analysis and Geopolitics

Ransomware remains a global phenomenon, but the distribution of pain is not uniform. The targeting profiles in 2025 reflect geopolitical fault lines and economic opportunity.

North America: The Primary Theater

The United States remains the epicenter of the ransomware crisis, absorbing approximately 21% of all global attacks (roughly 1,000 incidents in the first three quarters of 2025).

Europe: Regulatory Crosshairs

Europe accounted for approximately 26% of global ransomware activity in Q2 2025, a noticeable increase from 19% in Q1.

Asia-Pacific and the "Korean Leaks"

Asia accounted for roughly 9-14% of global activity. The most notable event in this region was the aggressive campaign by Qilin against South Korea.

The Russia/North Korea Nexus

Attribution remains complex, but 2025 saw increased collaboration between financially motivated cybercriminals and state-sponsored actors.

The Economics of Extortion: Pricing, Payments, and Insurance

The financial mechanics of the ransomware ecosystem are under severe strain. The data from 2025 indicates a "recession" in the profitability of individual attacks, forcing a shift in business strategy for threat actors.

The Collapse of Payment Rates

The most significant statistic of 2025 is the collapse in payment rates. Only 23% to 37% of victims paid the ransom. This is a historic low, down from nearly 50% in 2024.

Pricing Adjustments and Contradictions

To combat the refusal to pay, attackers have lowered their price points.

The Average vs Median Discrepancy:

Interestingly, while the median payment dropped, some reports indicated an increase in the average payment in Q2 2025, reaching $1.13 million (up 104% from Q1) [31]. The two figures are not in conflict: the median tracks the typical settlement, which is shrinking, while a handful of very large payments pull the average up. This reflects a "whale hunting" strategy in which attackers focus on high-value targets such as Change Healthcare (which paid a historic ransom in 2024) or large manufacturing conglomerates that simply cannot function without their data.

Negotiation Success

Victims who do engage in negotiation are seeing success. 53% of victims who paid successfully negotiated a lower amount than the initial demand. Only 29% paid the full initial asking price. This data suggests a "buyer's market" where victims hold more leverage than in previous years. The distinct drop in recovery costs (down 44% to $1.53M) further incentivizes organizations to rebuild rather than pay.

The analysis of the 2025 ransomware statistics leads to several critical conclusions regarding the future of the threat landscape.

1. The "Post-Encryption" Era is Beginning:

The success of backup strategies has forced attackers to innovate in two directions. The prevalence of data exfiltration (76% of cases) shows that data availability is no longer the primary leverage point; data confidentiality is. The Codefinger S3 attack shows the other response: when endpoint encryption is neutralized by backups, the availability attack moves to cloud storage that backup regimes often do not cover. Organizations must pivot defenses from "backup and restore" alone to "detect and prevent exfiltration." The battleground has shifted from the backup server to the egress filter.

2. The Commoditization of Attack Volume:

The 34% surge in attacks combined with the 50% drop in payment amounts indicates a shift toward a "high volume, low margin" business model for attackers. This implies that small and mid-sized businesses (SMBs) will face increasing pressure as automated attacks sweep the internet for low-hanging fruit to make up for lost revenue from hardened enterprise targets.

3. Supply Chain Fragility:

The concentration of attacks on the Manufacturing sector (up 61%) and the use of MSPs to hit multiple targets (as seen in the Korean financial attacks) underscore that third-party risk is the single greatest failure point. Defenders can secure their perimeter, but they remain exposed to the security posture of their weakest vendor.

4. Cloud Sovereignty Risk:

The Codefinger/SSE-C attack vector represents a failure of the Shared Responsibility Model in practice. Attackers are weaponizing the cloud provider's own security features against the customer. This necessitates a fundamental rethink of IAM (Identity and Access Management) governance, specifically API key lifecycles and permission scoping. Organizations using AWS S3 should audit their environments for long-lived access keys with s3:PutObject permissions, deny SSE-C at the bucket-policy level where it is not explicitly required, enable bucket versioning so that an overwrite leaves the previous version intact, and restrict s3:DeleteObjectVersion and lifecycle-configuration changes to a small administrative role rather than to application keys.
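As an added illustration of those controls (not a policy from the cited reports or from AWS documentation), the bucket policy below denies any object write that requests SSE-C, and restricts deletion of object versions and changes to the lifecycle configuration to one named administrative role, so that a leaked application key that can still write cannot finish the lockout. The bucket name, account ID and role name are placeholders; s3:x-amz-server-side-encryption-customer-algorithm is the S3 condition key that exposes the SSE-C request header. The second statement only preserves earlier plaintext versions if bucket versioning is already enabled on the bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCustomerProvidedKeyWrites",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-prod-reports/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "AES256"
        }
      }
    },
    {
      "Sid": "OnlyBreakGlassRoleMayDeleteVersionsOrChangeLifecycle",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::example-prod-reports",
        "arn:aws:s3:::example-prod-reports/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/S3BreakGlassAdmin"
        }
      }
    }
  ]
}
```

CopyObject is authorized as s3:PutObject on the destination, so the first statement blocks the copy-over-self step as well as fresh uploads. Test a policy like this on a non-production bucket first: an explicit Deny with Principal "*" applies to every caller in the account, including the pipelines that legitimately manage the bucket.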

In summary, 2025 is a year of friction. Defenders have won the battle on data recovery, forcing attackers to escalate the war on data privacy and operational continuity. The threat is no longer just about getting your files back; it is about keeping your secrets private and your factories running in an environment where the adversary is moving faster, aggressively automating, and targeting the very infrastructure of the cloud itself.

References

  1. Half of 2025 ransomware attacks hit critical sectors as manufacturing, healthcare, and energy top global targets - Industrial Cyber, accessed November 30, 2025
  2. Ransomware Statistics, Data, Trends, and Facts [updated 2025], accessed November 30, 2025
  3. Abusing AWS Native Services: Ransomware Encrypting S3 Buckets ..., accessed November 30, 2025
  4. The Rise of Non-Ransomware Attacks on AWS S3 Data - Thales, accessed November 30, 2025
  5. ransomware statistics.pdf
  6. Ransomware Statistics 2025: Latest Trends & Must-Know Insights - Fortinet, accessed November 30, 2025
  7. The State of Ransomware 2025 - Sophos News, accessed November 30, 2025
  8. 500+ Ransomware Statistics (October-2025) - Bright Defense, accessed November 30, 2025
  9. TRACKING RANSOMWARE : JUNE 2025 - CYFIRMA, accessed November 30, 2025
  10. Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim 'Korean Leaks' Data Heist, accessed November 30, 2025
  11. DragonForce Ransomware: Redefining Hybrid Extortion in 2025 - Check Point Blog, accessed November 30, 2025
  12. State of Ransomware 2025 - Sophos, accessed November 30, 2025
  13. Q2 2025 Ransomware Trends Analysis: Boom and Bust - Rapid7, accessed November 30, 2025
  14. Get the GRIT Q3 2025 Ransomware & Cyber Threat Report - GuidePoint Security, accessed November 30, 2025
  15. Ransomware roundup: Q3 2025 - Comparitech, accessed November 30, 2025
  16. Ransomware roundup: October 2025 - Comparitech, accessed November 30, 2025
  17. Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses, accessed November 30, 2025
  18. Cyberattack on River Region Cardiology Affects Up to 500,000 Individuals, accessed November 30, 2025
  19. 2025 Unit 42 Incident Response Report: Attacks Shift to Disruption, accessed November 30, 2025
  20. Unit 42 Develops Agentic AI Attack Framework - Palo Alto Networks, accessed November 30, 2025
  21. Dragos Industrial Ransomware Analysis: Q2 2025, accessed November 30, 2025
  22. Healthcare ransomware attacks surge 30% in 2025, as cybercriminals shift focus to vendors and service partners - Industrial Cyber, accessed November 30, 2025
  23. Delta County Memorial Hospital District Data Breach – Federman & Sherwood Investigates, accessed November 30, 2025
  24. Delta County Memorial Hospital District reveals more about 2024 cyberattack that affected ... DataBreaches.Net, accessed November 30, 2025
  25. How healthcare ransomware attacks are shifting in 2025, accessed November 30, 2025
  26. Data Breaches in Education 2025: Trends, Costs & Defense - DeepStrike, accessed November 30, 2025
  27. Sophos Report Finds Education Sector Strengthening Against Ransomware, but IT Teams Pay Personal Price, accessed November 30, 2025
  28. ENISA THREAT LANDSCAPE 2025, accessed November 30, 2025
  29. CrowdStrike 2025 European Threat Landscape Report Release, accessed November 30, 2025
  30. Coveware by Veeam Reveals Q2 2025 Ransomware Surge: Social Engineering and Data Exfiltration Drive Record Payouts, accessed November 30, 2025
  31. Targeted social engineering is en vogue as ransom payment sizes increase - Coveware, accessed November 30, 2025