Despite major advances in cybersecurity, ransomware attackers are evolving just as fast, finding new ways to bypass defenses and extort payments from businesses of all sizes — potentially even yours.
Fueled by major shifts in the digital landscape, it’s no wonder ransomware attacks are accelerating at a rapid pace. In fact, according to one estimate, the economic damage of ransomware attacks will reach $57 billion in 2025 alone, factoring in:
And it’s not just large enterprises with deep pockets that need to worry: every industry saw increased ransomware attacks in 2024 — with the exception of IT, traditionally the best-prepared sector. Attackers are clearly shifting their focus toward softer, less well-defended targets.
The more you understand the latest ransomware tactics, the more ready you’ll be to protect your organization. But before we dive into the biggest ransomware threats in 2025, let’s take a brief look at what ransomware is, and why it remains such a lucrative weapon for cybercriminals.
At its core, ransomware is a type of malicious software designed to block access to a computer system or data until a ransom is paid.
In a typical attack, ransomware encrypts the victim’s files or systems, rendering them inaccessible. Attackers then demand payment in exchange for decryption keys.
Victims are left with two undesirable choices:
While the basic formula of ransomware — encrypting data and demanding payment — has stayed the same for decades, the tactics behind it are continuously evolving. Attackers are constantly adopting new techniques and technologies to maximize disruption, pressure victims, and increase their chances of getting paid.
Here are the biggest ransomware trends you need to be prepared for in 2025.
Go back just a few years, and malware attacks were carried out primarily by highly skilled hackers. Now? Not the case. Anyone who fancies themselves a cybercriminal can launch high-impact attacks, thanks to the significant lowering of technical barriers through RaaS.
RaaS has brought ransomware to the masses while allowing established ransomware groups to expand their operations and dramatically reduce the time needed to plan an attack. RaaS users — known as affiliates — access the ransomware tools in exchange for a slice of the profits, typically through pre-arranged revenue splits with the RaaS operators.
What’s more, the level of professionalism and sophistication among RaaS providers is advancing. Some offer round-the-clock support, regular updates, and even negotiation services.
The impact? A steady rise in attack volume and increasing pressure on security defenses.
While high-profile breaches still grab the headlines, attackers in 2025 are increasingly focusing on small and medium-sized businesses (SMBs) — and with good reason. Cybercriminals know these organizations often have softer security, making them easier to breach.
From the attacker’s perspective, it’s a quick win. The payouts might be smaller — the median payout in 2024 was $200,000 — but the attacks are far more likely to succeed. Attacks can be launched faster and with less resistance, making for a better return on investment (ROI).
If you run an SMB, this shift should raise alarms. You're no longer too small to fly under the radar: in fact, you’re becoming an increasingly attractive target. Now’s the time to ensure your security systems are up to scratch.
In the past, ransomware attackers could remain undetected within networks for extended periods before executing their attacks.
This period, known as dwell time, refers to the window between an attacker gaining access and actually deploying the ransomware payload. Dwell time is typically spent assessing the environment, mapping infrastructure, and identifying high-value targets.
Today, that window is shrinking fast. According to Sophos, the median dwell time for ransomware cases in 2025 is down to just 4 days — a dramatic shift from previous years. For comparison, Mandiant reported a global median dwell time of 16 days across all breaches in 2022, with ransomware cases at the higher end of that range.
The drop is largely due to improved detection capabilities on the defender’s side. Tools like EDR, MDR, and behavior-based analytics are catching suspicious activity faster than ever. As a result, attackers know they must move quickly after gaining initial access — strike before they’re discovered.
Stronger defenses are ultimately a good thing, but as a consequence the margin for error is slimmer than ever. Rapid detection and response are critical to minimize the damage of these swift attacks.
(Learn about TDIR and how to do it: threat detection, investigation, and response.)
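As an added illustration of the dwell-time window and the kind of behavior-based analytic that shrinks it (this is example code written for this post, not a Splunk or vendor detection), the toy detector below flags a process that renames many files to one new extension within a short window, the noisy signature of the encryption step, and then measures how much of the dwell window had elapsed before the alert fired. All events, hostnames and process names are constructed sample data.

```python
"""Toy behaviour-based detector for the file-rename burst a ransomware payload
produces, plus the dwell-time measurement described in the post.
Every event below is constructed sample data, not real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # sliding window per (host, process, new extension)
THRESHOLD = 25                  # renames to one new extension inside a window

def ts(s):
    return datetime.fromisoformat(s)

# Constructed events: (timestamp, host, process, action, detail). The first event
# plays the role of initial access; the rest is routine activity, then the payload.
EVENTS = [
    (ts("2025-03-01T09:12:00"), "ws-07", "invoice.pdf.exe", "exec", "downloads/invoice.pdf.exe"),
    (ts("2025-03-01T09:40:00"), "ws-07", "invoice.pdf.exe", "netscan", "10.0.0.0/24"),
]
for i in range(5):  # normal user saves, spread over hours: must not alert
    EVENTS.append((ts("2025-03-02T14:00:00") + timedelta(hours=i), "ws-07", "winword.exe",
                   "rename", f"docs/report{i}.tmp -> docs/report{i}.docx"))
PAYLOAD_START = ts("2025-03-04T03:00:00")  # ~3 days after initial access
for i in range(60):  # payload renames 60 files to .locked, one every 2 seconds
    EVENTS.append((PAYLOAD_START + timedelta(seconds=2 * i), "ws-07", "svc_upd.exe",
                   "rename", f"docs/file{i}.xlsx -> docs/file{i}.xlsx.locked"))
EVENTS.sort(key=lambda e: e[0])

def new_extension(detail):
    """Extension of the destination path in 'old -> new' ('' if none)."""
    dst = detail.split("->")[-1].strip()
    return dst.rsplit(".", 1)[-1] if "." in dst else ""

def detect_encryption_burst(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, process): first_alert_time} for each process that renames
    at least `threshold` files to a single new extension within one window."""
    recent = defaultdict(deque)  # (host, process, ext) -> timestamps still in window
    alerts = {}
    for t, host, proc, action, detail in events:
        if action != "rename":
            continue
        q = recent[(host, proc, new_extension(detail))]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and (host, proc) not in alerts:
            alerts[(host, proc)] = t
    return alerts

def dwell_time(events, host, alert_time):
    """Elapsed time from the first observed activity on the host to the alert."""
    first = min(t for t, h, *_ in events if h == host)
    return alert_time - first
```

With the constructed data the alert fires 48 seconds into the payload run, about 2.7 days after the first attacker activity, comfortably inside the 4-day median dwell time the post cites; the same logic is what an EDR or SIEM rule would express over real file-system telemetry.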
AI is everywhere in 2025 — and ransomware is no exception.
If you’ve ever seen an AI-generated deepfake, you know how convincing they can be. That same technology is now being used by attackers to craft highly believable phishing emails, generate realistic voice impersonations, and automate early-stage attack steps like password cracking.
With AI doing the heavy lifting, ransomware attacks are becoming more scalable, efficient, and deceptive.
Of course, AI is also being deployed to bolster cybersecurity — through tools that detect anomalies, analyze behavior, and automate responses. But for now, the balance of power still seems firmly with the attackers, as ransomware actors need less technical skill and can execute with minimal planning.
As AI capabilities continue to evolve, defending against these attacks will only get harder.
The ransomware playbook used to be relatively straightforward: encrypt a victim’s files and demand payment in exchange for a decryption key. It was disruptive, but everyone understood the game.
Over the past few years, though, the model has evolved, with a sharp rise in extortionware. These attacks don’t just lock files — encryption can be noisy and draw attention. Instead, they focus on stealing sensitive data and threatening to leak it unless a ransom is paid. After all, once the data has been exfiltrated, internal defenses are powerless to stop what happens next.
Still, encryption hasn’t disappeared altogether. In fact, this shift gave rise to the double extortion model, where attackers combine encryption with data exfiltration — essentially a double whammy of ransomware and extortionware tactics. Victims face double the pressure: pay up or lose access to critical systems and risk the public exposure of stolen data.
Attackers haven’t stopped there, either. Triple extortion is becoming more common, where attackers go even further to apply pressure — contacting the media, regulators, or even customers. The goal: intensify psychological, reputational, and financial stakes to force a quicker payout.
But this isn’t just a numbers game or a brute-force operation. Ransomware groups are investing heavily in targeted reconnaissance, where time is spent researching potential victims to identify personal or organizational pressure points.
The better attackers understand their targets, the more leverage they have. And the harder it becomes to ignore their demands.
With access to breakthrough technology and new services, ransomware isn’t standing still — and neither should your defenses. Attackers are moving faster, growing more sophisticated, and expanding their targets, making detection and rapid response more critical than ever.
The best protection is understanding these evolving tactics and implementing security measures designed to meet today’s threats. Staying ahead of the latest trends remains your first and strongest line of defense.
See an error or have a suggestion? Please let us know by emailing splunkblogs@cisco.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.