2024 has proven to be a record year of notable ransomware attacks, even though this year also marks successful global efforts like the takedown of leading cybercriminal group LockBit. Cyber extortion seems to be booming, with incidents increasing steadily over the previous years. New groups are emerging worldwide, and their gains are increasing significantly year by year. According to Chainalysis, the median ransom has soared from $198,939 in 2023 to $1.5 million in mid-2024.
The unprecedented rise in ransom payouts shows that cyber extortion groups are now targeting large corporations more often, some of which occupy a critical role and are therefore willing to pay even the highest of ransoms. Cyber “big game hunting,” as this approach is often called, is driving the average ransomware payment higher than ever. Exploiting zero-day vulnerabilities is also on the plate for cyber predators this year, giving security professionals in the US and around the globe a tough time.
So, what can we expect in 2025? How can companies stay one step ahead of the increasing ransomware attacks that threaten with exorbitant expenses and operational disruptions? This article will look at upcoming tendencies, major threat actors, and best practices for protecting your data against ransomware attacks.
Tendencies influencing the 2025 ransomware attacks landscape
Ransomware attacks continued to evolve in 2024, and by leveraging new tactics, attackers carried out successful campaigns across several industries. Threat actors increasingly targeted supply chain networks, using lateral movement to maximize their impact. Double extortion remained the dominant method, while many criminal groups added triple extortion to their arsenal, for example in the form of DDoS attacks.
AI-powered malware doesn’t make things easier, either, as it allows cybercriminals to craft more personalized phishing attacks. In parallel, ransomware as a service (RaaS) models further lowered the barrier to entry for attackers, leading to a surge in smaller-scale attacks. Ransomware groups have also adapted to tighter regulations, successfully targeting and exploiting zero-day vulnerabilities.
So, 2024 hasn’t been easy on the world from a ransomware point of view. There have been four exceptionally high payments of eight figures each, including the staggering $75 million ransom the Dark Angels Team Ransomware managed to extort. The 2024 landscape highlights the need for robust endpoint protection, continuous monitoring, and resilient backup strategies to defend against future threats.
LockBit and RaaS
A well-known ransomware group, LockBit, has made a name for itself as a leader in RaaS. This model makes it possible for smaller cybercriminals (regardless of their technical expertise) to perform ransomware attacks by purchasing LockBit’s services. LockBit has been known for its high speed and efficiency, employing double and triple extortion tactics with a combination of encryption, exposure threats, and DDoS attacks to pressure victims into paying ransoms.
In 2024, international law enforcement intensified efforts against the LockBit group, which led to successful arrests. In May, the US Department of Justice indicted Dmitry Yuryevich Khoroshev, alleging he served as LockBit’s developer and administrator since its beginnings in 2019. In August, dual Russian-Israeli citizen Rostislav Panev was arrested in Israel for his alleged role as a LockBit developer and is currently awaiting extradition to the US. Despite these actions, the decentralized RaaS model allows the affiliates of LockBit and its peer BlackCat to continue their operations, creating a new class of individuals who are not developers but users of code developed for malicious purposes. However, the sanctions implemented in 2024 restricting US victims from paying the ransom are expected to make things more difficult for the gangs.
Major threat actors to watch out for
After the eventful 2024, IT and security professionals are understandably curious about what the next year will bring in terms of dominant threats and ransomware attacks, and how they can prepare for them. Although several leaders have been hunted down, the world remains alert, bracing for the ripple effects. In 2025, the ransomware landscape will witness new threat “rising stars,” as well as the resurgence of already established groups. Among the groups drawing attention is the newly identified FunkSec, which blends hacktivism and cybercrime. It has rapidly become a significant threat, accounting for over 100 attacks in December 2024 alone.
According to ExtraHop’s forecast, Cl0p, known for its data exfiltration tactics, is expected to make a comeback, leveraging data theft without encryption. RansomHub and Cicada3301 are also gaining prominence: the latter is expected to become more ambitious and potentially exploit Remote Desktop Protocol (RDP) vulnerabilities.
Security organizations will continue to keep an eye on “mature” cybercriminal organizations like Evil Corp (active since at least 2007), which will continue to pose threats in 2025. Evil Corp initially distributed the Dridex malware toolkit, which was later used to spread other threat actors’ malware payloads. Over time, it expanded its business to include ransomware strains like BitPaymer and WastedLocker. There have been international efforts to dismantle its operations; however, Evil Corp manages to stay active, often rebranding its malware.
Best practices for mitigating the risk of ransomware attacks
Mitigating ransomware risks requires a multi-layered approach. Companies need to dedicate special attention to making sure that their door will remain shut to unwanted company in 2025.
Backups
One of the most effective strategies for mitigating the risk of ransomware attacks is maintaining frequent backups. Following the 3-2-1 rule, keeping three copies of data on two different storage types with one copy offline, ensures recoverability. Adding immutable cloud storage is a smart way to achieve stronger protection, as it makes it possible to restore without paying the ransom. Daily backups of critical data are also crucial for ransomware recovery.
Network segmentation
Network segmentation divides a network into isolated segments, each with its own firewalls and access controls. Because every subsystem has separate security controls, firewalls, and access rules, ransomware that lands in one segment is obstructed from reaching the data in the others. This prevents the ransomware from spreading to the main network and buys valuable time for security teams to detect, isolate, and remove threats.
The crucial role of incident response planning
A comprehensive incident response plan and a good DR team can prepare and arm a company against attacks. As regulations like Australia’s mandatory ransomware payment reporting take effect, businesses must adapt their disaster recovery and business continuity strategies to comply with legal frameworks. Survey results on willingness to pay ransoms differ from region to region. In Australia, 78% of surveyed companies reported that they would pay a ransom to recover data and resume operations, and respondents in many other APAC countries think similarly. For instance, 82% of IT and security experts in Singapore and Malaysia reported that they would pay a ransom. The situation in the US has changed compared to previous years: willingness to pay a ransom has fallen from 85% in 2019 to 29% in 2024 among American companies. This can be mainly attributed to companies building better security and backup strategies to avoid data breaches and paying hefty sums.
Basic hygiene
Maintaining basic cybersecurity hygiene also forms a strong defense. Organizations should strengthen password management, apply updates regularly, and use robust identity and access controls. These very simple practices create a powerful line of defense; conversely, businesses that do not adhere to these basic precautions turn them into security vulnerabilities.
Regular mapping, testing, and pentesting
Because ransomware attack tactics evolve so quickly, regular testing and assessments are a must. Businesses should frequently map their attack surface, including their cloud systems, on-prem networks, all third-party assets, and sensitive data. Regular penetration testing and sandbox testing help identify new vulnerabilities, ensuring that security protocols remain effective. Staying clear of threats in the future also means constantly reevaluating user privileges and introducing new security measures as needed.
Preparing for soaring challenges
As the National Cybersecurity Alliance emphasizes, ransomware threats will continue to grow, and organizations must take proactive steps to protect against their devastating effects in 2025. The rising dependence on interconnected systems, illustrated by the 2024 attacks on critical suppliers like CDK Global and Change Healthcare, highlights the need for thorough risk analysis and supplier vetting.
To build resilience, companies are advised to implement robust incident response plans and do everything it takes to detect threats in time. This includes maintaining secure backups and investing in continuous threat monitoring. AI-driven threats like identity theft and social engineering scams will foreseeably evolve in the meantime, which raises the need for advanced security tools and prevention practices that can counter increasingly sophisticated tactics.
Michael Zrihen is Senior Director of Marketing & Internal Operations Manager at Volico Data Centers.
TNGlobal INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.