I’ve been following ransomware since the first one, the AIDS Cop Trojan, was released in December 1989. It locked up victim computers and asked for $300 to be sent to a Panama P.O. Box. A lot has changed since then.
The invention of cryptocurrencies, particularly Bitcoin in January 2009, was largely responsible for the explosion of ransomware by 2013. This was when CryptoLocker ransomware was released to the world. Ransomware gangs have been making many billions of dollars per year ever since.
The “double extortion” phase of ransomware, where ransomware gangs first exfiltrated data and logon credentials, started in November 2019. Now, well over 90% of ransomware exfiltrates data. Forty percent (40%) of ransomware gangs only do data exfiltration (without the encryption threat) to get paid.
There was a slight “down year” in ransomware payments in 2022, and everyone wondered whether the world had finally started to get ransomware under control. But it was a one-year anomaly, and ransomware payments were higher than ever in 2023. Then they fell again, significantly, in 2024, according to Chainalysis.
Are we starting to make a dent in ransomware? Possibly. There have been dozens of major successful law enforcement actions and sanctions against ransomware gangs and members. Collectively, this has literally blown apart many ransomware groups, resulting in infighting and dissolution within many of the remaining groups. Will this result in fewer attacks and lower ransom payments in 2025? We will see.
While we wait, here are some notable ransomware trends in 2025:
- Ransomware gangs have been exploiting more software and firmware vulnerabilities over the last few years (social engineering is still the number one initial access method by far, although its share is down a few percentage points)
  - Use CISA’s Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) to make sure you are patched.
- Average ransom paid (if paid) was just over $500K. Median payment was under $250K
- Fewer victims are paying the ransom than ever before. Payment rates that used to be near 70% of all ransomware victims are now down to 25%, and that is part of a long downward trend
- Ransomware gangs are morphing into data breach gangs, concentrating on compromising large amounts of data (for ransom or resale)
- Decryption rates where all encrypted data is successfully recovered after a ransomware attack and ransom payment are declining (it is the rare company that gets all its data back)
- Traditional ransomware gangs are being replaced by lone operators and nation-states
- AI-enabled agentic ransomware is on its way. It will be better, more successful, and more pervasive than what we have today.
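
One way to act on the KEV advice in the list above, as an added example (not the author's or CISA's code): it matches a scanner's open findings against the catalog's JSON feed and ranks entries CISA marks as used in ransomware campaigns first. Field names follow the published KEV JSON feed; the sample data, CVE IDs and host names are constructed placeholders, and `kev_exposure` is a hypothetical helper.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed; CVE IDs are placeholders.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
  "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCMS", "product": "Core",
  "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "ExampleNAS", "product": "Firmware",
  "dateAdded": "2025-03-05", "dueDate": "2025-03-26", "knownRansomwareCampaignUse": "Known"}
]}
""")

# Constructed scanner export: (host, CVE) pairs that are still unpatched.
OPEN_FINDINGS = [
    ("vpn01", "cve-0000-0001"),    # scanners differ in case and whitespace
    ("web02", "CVE-0000-0002"),
    ("web02", "CVE-0000-0099"),    # not in KEV
    ("nas03", "CVE-0000-0003 "),
]

def kev_exposure(kev, findings, today):
    """Return open findings that appear in KEV, most urgent first."""
    index = {v["cveID"].upper(): v for v in kev["vulnerabilities"]}
    hits = []
    for host, cve in findings:
        entry = index.get(cve.strip().upper())
        if entry is None:
            continue  # not known-exploited; leave to the normal patch cadence
        # dueDate is CISA's deadline for federal agencies; used here as an urgency signal.
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": host,
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "days_overdue": max((today - due).days, 0),
        })
    # Ransomware-linked entries first, then longest overdue.
    hits.sort(key=lambda h: (not h["ransomware"], -h["days_overdue"]))
    return hits

if __name__ == "__main__":
    for h in kev_exposure(KEV_SAMPLE, OPEN_FINDINGS, date(2025, 3, 20)):
        flag = "RANSOMWARE" if h["ransomware"] else "exploited"
        print(f'{h["host"]:6} {h["cve"]:14} {flag:10} overdue={h["days_overdue"]}d {h["product"]}')
```

To run it against live data, replace `KEV_SAMPLE` with the parsed JSON feed linked from the catalog page and `OPEN_FINDINGS` with your scanner's export.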
Regardless of statistics, every organization should have a ransomware recovery plan and recovery checklist. KnowBe4 has great ransomware defense resources at knowbe4.com/ransomware.