Ransomware Trends in 2025

Back in May 2024, I wrote that there were signs ransomware might finally be on the decline. I have continued to monitor various sources regarding this trend, and a year and a half later, the signs still support this: the growth in the number of attacks is slowing, fewer victims are paying, and the amounts paid are falling.

Many ransomware actors today use “Ransomware-as-a-Service” (RaaS) platforms to commit their crimes. These platforms operate similarly to Microsoft 365, with criminal organizations paying the RaaS provider to use the platform. At the end of 2024 and into early 2025, there was a surge in attacks enabled by a RaaS platform named “RansomHub.” The RansomHub service was suddenly shut down in March 2025. Some speculate that a rival service gained control of their infrastructure, while others believe law enforcement was involved. Regardless, RansomHub’s sudden departure has drastically reduced the number of attacks so far in 2025.

Another positive trend is that the number of victims who pay ransoms has decreased dramatically from a year ago, with most victims now choosing NOT to pay. This may be because, in many cases where victims did pay, they either never received the decryption keys or the keys did not work. Additionally, some criminal organizations returned to their victims a second, third, and even fourth time, demanding additional ransoms to avoid disclosing stolen information. Even when a ransom was paid and a valid decryption key was delivered, decryption was often slow, and recovery using other means might have been faster.

2025 has also seen a decrease in the amounts of ransoms demanded and paid. One reason may be that victims are more likely to pay a lower ransom—a kind of reverse “supply and demand curve.” Another reason is a desire by criminals to keep a lower profile to avoid having their identities publicly exposed (“being doxed”), a tactic that government agencies have recently used more often when ransomware actors become too greedy. There is no honor among thieves, and being doxed means criminals must fear for their lives at the hands of other criminals who want to steal their spoils, even in countries beyond the jurisdiction of law enforcement from the victim’s country.

While it may be true that the frequency of attacks and the amounts demanded seem to be trending down, remember that the ransom is usually just a portion of the cost of a ransomware attack. The cost of lost operations, recovery, and customer notification can easily exceed the ransom itself. Financial institutions should not relax but should continue to train staff to be alert for suspicious emails, websites, and interactions with customers and business partners, as AI is increasingly used in ransomware attacks. Institutions also need to aggressively patch systems against vulnerabilities that criminals exploit, especially if those systems are exposed directly to the Internet.

If you found this information helpful and want to know more about Bedel Security, you can contact us anytime!

 

 

 
