The ransomware threat landscape entered a new phase in 2025. Once a highly reliable criminal business model built on encrypting victim files and collecting ransom payments, it is now under significant financial pressure.
Ransom payment rates have hit historic lows, average demands have dropped sharply, and organizations are recovering from attacks more effectively than in recent years. Despite this, threat actors are not retreating.
Instead, they are adapting their methods in ways that make their operations harder to disrupt and their extortion strategies more difficult to deflect.
The financial decline is hard to ignore. In Q4 2025, ransom payment rates reached a historic low, according to reporting by CoveWare.
Sophos separately reported that average ransom demands dropped by one-third, falling from $2 million in 2024 to $1.34 million in 2025.
Nearly half of ransomware victims were able to restore from backup in 2024, compared to just 11% in 2022. This growing ability to recover has directly weakened the leverage ransomware operators depend on to collect payment.
Google Cloud analysts from the Google Threat Intelligence Group (GTIG), led by researchers Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, and Genevieve Stark, identified these evolving patterns through Mandiant incident response investigations conducted across organizations in Asia Pacific, Europe, North America, and South America throughout 2025.
Google Cloud experts’ analysis found REDBIKE to be the single most prevalent ransomware family, accounting for nearly 30% of all observed incidents — a new high that surpassed previous peaks set by both LOCKBIT and ALPHV, which each reached 17% in 2023.
The ransomware ecosystem itself also went through major disruption during 2025.
Prominent RaaS operations including LockBit, ALPHV, Basta, and RansomHub were significantly weakened or dismantled through law enforcement pressure and internal conflict.
However, Qilin and Akira stepped in to fill the void, and the total number of victim posts on data leak sites surpassed 2024 figures by nearly 50%.
Threat actors have also begun targeting smaller organizations more heavily, shifting away from large enterprises with mature defenses in favor of businesses with less robust security programs.
GTIG warns that declining ransom profits may push some actors toward alternative income strategies, such as running phishing campaigns through compromised infrastructure or monetizing access to victim environments in secondary ways.
Organizations are advised to follow the guidance in the Ransomware Protection and Containment Strategies white paper, which outlines practical steps for endpoint hardening, containment, and recovery preparedness.
The Rise of Data Theft as an Extortion Method
One of the most striking changes documented in 2025 incident investigations was the substantial rise of data exfiltration as a primary extortion lever.
GTIG observed confirmed or suspected data theft in approximately 77% of ransomware intrusions — a steep jump from 57% the year before.
Attackers now frequently steal sensitive files before deploying encryption, threatening to post the stolen data publicly on leak sites even if victims manage to restore their systems from backup.
To move data out of compromised environments, threat actors relied on a mix of familiar and widely available tools. Rclone appeared in approximately 28% of data theft incidents to transfer files to attacker-controlled infrastructure.
Both Rclone and WinRAR were observed in roughly 23% of all 2025 incidents, a notable increase from 2024. FileZilla, WinSCP, and cloud platforms including MEGA, OneDrive, and Azure were also used as exfiltration destinations.
Attackers specifically targeted legal documents, HR records, accounting data, and business development files — content chosen to maximize leverage during negotiations.
Organizations should implement strong data loss prevention (DLP) controls, monitor outbound traffic for unusual or large file transfers, and restrict the use of unapproved tools like Rclone and AzCopy.
Maintaining detailed logs of cloud storage access and visibility into endpoint activity can provide early warning of exfiltration attempts before sensitive data ever reaches attacker-controlled infrastructure.
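As an added example (not code from the GTIG report or this article), the Python below shows what the recommended monitoring looks like in practice: it flags launches of the tools named above, even when the binary has been renamed, and sums outbound bytes per host and destination to catch large or cloud-bound transfers. The telemetry is constructed Sysmon-style and NetFlow-style records; the field names, hostnames and 500 MiB threshold are assumptions.

```python
"""Flag exfiltration-tool launches and suspicious outbound transfers in endpoint telemetry.
SAMPLE_EVENTS are constructed (Sysmon-style process records, NetFlow-style flow records),
not real logs; the field names, hostnames and threshold are assumptions."""
import json
from collections import defaultdict

# Tools the article names; matched on both the on-disk basename and the PE
# OriginalFileName, so a renamed rclone.exe is still caught.
EXFIL_TOOLS = {"rclone.exe", "winrar.exe", "rar.exe", "azcopy.exe", "filezilla.exe", "winscp.exe"}
# Cloud destinations the article lists (MEGA, OneDrive, Azure); assumed hostnames.
EXFIL_DESTS = ("mega.nz", "mega.io", "onedrive.live.com", "blob.core.windows.net")
OUTBOUND_THRESHOLD = 500 * 1024 * 1024  # bytes per (host, destination); assumed

SAMPLE_EVENTS = [  # constructed sample telemetry, one JSON record per line
    r'{"type":"process","host":"FS01","image":"C:\\Temp\\svchost.exe","original_name":"rclone.exe","cmdline":"svchost.exe copy D:\\HR remote:dump"}',
    r'{"type":"process","host":"WS22","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","original_name":"WinRAR.exe","cmdline":"WinRAR.exe a -r legal.rar D:\\Legal"}',
    r'{"type":"process","host":"WS07","image":"C:\\Windows\\notepad.exe","original_name":"NOTEPAD.EXE","cmdline":"notepad.exe"}',
    r'{"type":"flow","host":"FS01","dst":"files.mega.nz","direction":"out","bytes":734003200}',
    r'{"type":"flow","host":"WS22","dst":"corp.blob.core.windows.net","direction":"out","bytes":52428800}',
    r'{"type":"flow","host":"WS07","dst":"update.example.com","direction":"out","bytes":1048576}',
]

def parse_events(lines):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]

def tool_launches(events):
    """(host, original_name, cmdline) for every launch of a listed tool."""
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        names = {ev["image"].rsplit("\\", 1)[-1].lower(), ev.get("original_name", "").lower()}
        if names & EXFIL_TOOLS:
            hits.append((ev["host"], ev.get("original_name"), ev["cmdline"]))
    return hits

def suspicious_outbound(events, threshold=OUTBOUND_THRESHOLD):
    """Sum outbound bytes per (host, dst); flag totals over threshold or listed cloud hosts."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("type") == "flow" and ev.get("direction") == "out":
            totals[(ev["host"], ev["dst"])] += int(ev["bytes"])
    return {k: v for k, v in totals.items() if v >= threshold or k[1].endswith(EXFIL_DESTS)}

def correlate(events):
    """Hosts that both launched a listed tool and show suspicious outbound traffic."""
    tool_hosts = {host for host, _, _ in tool_launches(events)}
    flow_hosts = {host for host, _ in suspicious_outbound(events)}
    return sorted(tool_hosts & flow_hosts)
```

In the sample data FS01 is caught by OriginalFileName despite the rclone binary being renamed to svchost.exe, and WS22's Azure Blob upload is flagged by destination even though it is below the byte threshold.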