Latest ransomware trends expected to impact businesses in the year 2025

Fragmentation among the major players and shifting attitudes towards payment are changing attack strategies

The ransomware landscape is undergoing significant changes. The long-dominant ransomware-as-a-service (RaaS) model continues to hold sway in the cyber threat landscape, but new trends are emerging.

One such trend is the splintering of the ransomware ecosystem, as noted by David Dunn, EMEA head of the cybersecurity practice at FTI Consulting. This splintering has led to a rise in lone wolf ransomware attacks, with individuals or very small groups operating independently. This shift has made it easier for attackers to go it alone or stand up their own ransomware group, leveraging leaked RaaS source code.

The distinction between initial access brokers, affiliates, and core operators has become increasingly blurred. Numerous smaller ransomware operations such as Akira, DragonForce, and Qilin have emerged, with tactics that are more aggressive and less constrained by traditional norms. These groups are developing tools to disable or blind endpoint detection and response (EDR) tools, making their attacks stealthier and harder to detect.

The average ransom amount has steadily increased through 2025, according to David Dunn. However, the data breach aspect of ransomware, rather than the offer to decrypt data, is becoming the prominent method of extorting victims. This shift is likely driven by the fact that companies are getting wise to data encryption and improving their backups.

The ransomware landscape is also seeing a rise in targeted attacks. The Warlock Group (also known as GOLD SALEM) has been particularly active, conducting targeted attacks since March 2025 using advanced techniques exploiting vulnerabilities in enterprise software. Notable targets include Ameos hospitals and the energy sector in Germany, with ransom demands reportedly reaching up to 15 million euros, as in the Entega case. The Entega attack also affected regional service providers such as Count+Care GmbH and several municipal utilities in Frankfurt and Mainz.

On a positive note, ransom payment bans are being mooted in multiple countries, and this is already starting to have an impact on the number of firms actually paying up. Additionally, regular staff training, updates, and alerts can help keep employees vigilant against evolving ransomware threats.

It's important to note that groups such as Cl0p and Termite have become proficient in exploiting internet-facing software and services. Credentials to EDR consoles or testing services are openly bought and sold on the dark web, highlighting the need for robust security measures.

Chainalysis data from February 2025 shows a 35% overall decrease in the total volume of ransom payments. This could be a sign of the changing ransomware landscape, with prolific groups being taken down and fewer firms succumbing to ransom demands. The DragonForce ransomware-as-a-service (RaaS) operation has made headlines following retail breaches against M&S and the Co-op.

As the ransomware landscape continues to evolve, it's crucial for organisations to stay vigilant and adapt their cyber security strategies to counter these emerging threats.