Google Threat Intelligence has released its 2025 ransomware landscape report, revealing a significant shift in how cybercriminals operate.
According to the latest findings, ransomware groups are increasingly pivoting toward data theft and extortion as their traditional encryption-based business models become less profitable.
This change highlights the ongoing evolution of the ransomware-as-a-service ecosystem amid a more challenging environment for threat actors.
The Decline In Traditional Ransomware Profits
The drop in ransomware profits is driven by multiple factors, primarily improved cybersecurity defenses worldwide. Companies have significantly enhanced their ability to recover from cyberattacks without paying the perpetrators.
Public reporting indicates that nearly half of ransomware victims were able to restore their systems from backups in 2024, a massive improvement from previous years.
Consequently, ransom payment rates fell to a historic low by the end of 2025, and the average ransom demand dropped by one-third, falling from $2 million in 2024 to $1.34 million in 2025.
Additionally, the ransomware ecosystem has faced intense external pressure. Law enforcement operations and internal disputes have disrupted or collapsed previously dominant ransomware groups, including LockBit, ALPHV, Black Basta, and RansomHub.
These shakeups have forced many cybercriminals to become more cautious and rigorously vet their partners.
Evolving Tactics and Target Shifts
Despite the challenges facing cybercriminals, the ransomware landscape remains highly active and resilient. Well-established groups like Qilin and Akira have quickly filled the void left by dismantled organizations, leading to a record number of victims posted on data-leak sites in 2025.
The total number of leak posts surpassed the 2024 figure by almost 50 percent. The REDBIKE ransomware family (Google's tracking name for the Akira ransomware) was the most frequently deployed, accounting for nearly 30 percent of all analyzed incidents.

From a technical perspective, vulnerability exploitation remains the primary method for initial access.
In one-third of the 2025 incidents, attackers gained entry by exploiting flaws in widely deployed firewall and VPN appliances, including products from Fortinet, SonicWall, and Palo Alto Networks.

Threat actors are also increasingly targeting virtualization infrastructure. In approximately 43 percent of intrusions, attackers went after hypervisors such as VMware ESXi, a sharp increase from 29 percent the previous year.
Exploited vulnerabilities called out in the report (note that the SharePoint entry is a server-side flaw, not an edge appliance):

| Vendor | Product | CVE Identifier |
|---|---|---|
| Fortinet | FortiOS / FortiProxy | CVE-2024-21762 |
| Fortinet | FortiOS / FortiProxy | CVE-2024-55591 |
| Fortinet | FortiOS | CVE-2019-6693 |
| Microsoft | SharePoint | CVE-2025-53770 |
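The hypervisor-targeting finding above is where defenders most often lack visibility, because the encryption step happens on the ESXi host itself rather than on a monitored Windows endpoint. As an added example (not code from the report or from the article), the following Python script scores interactive ESXi shell sessions from `/var/log/shell.log` for the command sequence commonly seen before VM encryption: disabling the `execInstalledOnly` guard, enumerating VMs, force-killing several VMs in a short window, and executing a binary from `/tmp`. The log lines, the rule weights, and the alert threshold are constructed assumptions for illustration; tune them against your own baseline before deploying.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ESXi /var/log/shell.log lines (not from any real incident).
# Real shell.log lines follow the same "<ts> shell[<pid>]: [<user>]: <cmd>" shape;
# the timestamp may carry fractional seconds, which parse_shell_log() strips.
SAMPLE_SHELL_LOG = """\
2025-03-14T02:11:07Z shell[21893]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2025-03-14T02:11:19Z shell[21893]: [root]: esxcli vm process list
2025-03-14T02:11:31Z shell[21893]: [root]: esxcli vm process kill --type=force --world-id=2100123
2025-03-14T02:11:33Z shell[21893]: [root]: esxcli vm process kill --type=force --world-id=2100456
2025-03-14T02:11:35Z shell[21893]: [root]: esxcli vm process kill --type=force --world-id=2100789
2025-03-14T02:11:37Z shell[21893]: [root]: esxcli vm process kill --type=force --world-id=2101012
2025-03-14T02:12:02Z shell[21893]: [root]: chmod +x /tmp/encryptor
2025-03-14T02:12:05Z shell[21893]: [root]: /tmp/encryptor /vmfs/volumes
2025-03-14T09:30:00Z shell[22410]: [root]: esxcli storage core device list
2025-03-14T09:31:12Z shell[22410]: [root]: vim-cmd vmsvc/getallvms
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$'
)

# Per-command indicators: (rule name, pattern, score). Weights are assumptions.
SINGLE_RULES = [
    ("execInstalledOnly_disabled", re.compile(r'execInstalledOnly\s+-i\s+0'), 40),
    ("exec_from_tmp", re.compile(r'(^|\s)/tmp/\S+'), 25),
    ("vm_enumeration", re.compile(r'esxcli vm process list|vim-cmd vmsvc/getallvms'), 5),
]

# Burst rule: several forced VM kills inside a short window is the pre-encryption tell.
KILL_RE = re.compile(r'esxcli vm process kill')
KILL_BURST_THRESHOLD = 3
KILL_BURST_WINDOW = timedelta(minutes=5)
KILL_BURST_SCORE = 30
ALERT_THRESHOLD = 50


def parse_shell_log(text):
    """Parse shell.log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_ts = m.group("ts").rstrip("Z").split(".")[0]  # drop 'Z' and any fraction
        ts = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%S")
        events.append({"ts": ts, "pid": m.group("pid"),
                       "user": m.group("user"), "cmd": m.group("cmd")})
    return events


def has_kill_burst(kill_times):
    """True if KILL_BURST_THRESHOLD kills fall within KILL_BURST_WINDOW of one another."""
    kill_times = sorted(kill_times)
    for i, t0 in enumerate(kill_times):
        in_window = sum(1 for t in kill_times[i:] if t - t0 <= KILL_BURST_WINDOW)
        if in_window >= KILL_BURST_THRESHOLD:
            return True
    return False


def score_sessions(events):
    """Group events by shell PID (one interactive session each) and score them."""
    sessions = defaultdict(list)
    for e in events:
        sessions[e["pid"]].append(e)

    results = {}
    for pid, evs in sessions.items():
        score, hits = 0, set()
        for e in evs:
            for name, rx, pts in SINGLE_RULES:
                if rx.search(e["cmd"]):
                    score += pts
                    hits.add(name)
        if has_kill_burst([e["ts"] for e in evs if KILL_RE.search(e["cmd"])]):
            score += KILL_BURST_SCORE
            hits.add("vm_kill_burst")
        results[pid] = {"user": evs[0]["user"], "score": score,
                        "hits": sorted(hits), "alert": score >= ALERT_THRESHOLD}
    return results


def alerting_sessions(text):
    """Convenience wrapper: PIDs of sessions that cross ALERT_THRESHOLD."""
    return sorted(pid for pid, r in score_sessions(parse_shell_log(text)).items() if r["alert"])


if __name__ == "__main__":
    for pid, r in score_sessions(parse_shell_log(SAMPLE_SHELL_LOG)).items():
        print(f"shell[{pid}] user={r['user']} score={r['score']} alert={r['alert']} hits={r['hits']}")
```

Session 21893 trips every rule and alerts; session 22410 only enumerates VMs, which is normal administrative activity, and stays below the threshold. Shipping `shell.log` and `auth.log` off the host to a collector matters here, because a ransomware operator with root on ESXi can simply clear them.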
To improve efficiency, attackers are adopting new technologies. There has been an increase in cross-platform ransomware capable of infecting both Windows and Linux systems.
Some groups are even integrating artificial intelligence to assist with victim analysis and utilizing decentralized Web3 networks to protect their infrastructure.
Google warns that as profits continue to shrink, organizations must remain vigilant against aggressive extortion tactics in 2026.