Ransomware Attacks Surge 126% as Criminal Groups Fragment and Evolve

Major law enforcement disruptions have shattered dominant ransomware operations, but the threat has only grown more unpredictable as dozens of smaller groups fill the void.

Ransomware attacks exploded in the first quarter of 2025, surging 126% compared to the previous year and claiming over 2,000 victims globally. Yet even as total ransom payments declined, the average demand climbed to between $1 million and $2 million per incident, while recovery costs reached $1.5 million, according to Akamai's latest threat intelligence report.

The dramatic increase comes as sustained law enforcement pressure throughout 2024 and early 2025 fundamentally disrupted the operational economics of cybercrime. Rather than eliminating the threat, however, these takedowns have fragmented the ransomware landscape into more than 70 active operations deploying increasingly sophisticated tactics.

"The ecosystem shifted from organized, predictable ransomware-as-a-service operations to a chaotic marketplace of opportunistic lone actors, state-sponsored hybrids, and fragmented affiliate networks," researchers noted in the report. "This fragmentation paradoxically makes defense both easier, with no single dominant threat, and harder, with unpredictable tactics across dozens of groups."

Law Enforcement Strikes Create Chaos

The transformation began with Operation Endgame Phase 2 in May 2025, which became the largest coordinated takedown to date. Authorities dismantled 300 servers, neutralized 650 domains, seized €3.5 million in cryptocurrency, and charged 16 individuals for distributing DanaBot malware. The operation targeted initial access infrastructure critical to ransomware kill chains, disrupting Bumblebee, Latrodectus, Qakbot, DanaBot, Trickbot, and WarmCookie malware families that ransomware groups depend on for network penetration.

Operation Cronos continued reverberating throughout 2025 after its February 2024 launch against LockBit. Law enforcement seized 34 servers, obtained more than 1,000 decryption keys, and unmasked administrator Dmitry Khoroshev, now subject to a $10 million reward. LockBit's activity collapsed from dozens of weekly victims to one or two monthly posts, reducing their market share from 25% in 2023 to just 1.5% in 2025.

The operation revealed a trust-shattering discovery: ransomware groups don't delete victim data after payment, creating a crisis that fundamentally undermined the entire ransomware-as-a-service business model.

Additional operations targeted other major players. Operation Phobos Aetor in February 2025 dismantled 8Base ransomware infrastructure, arresting four Russian nationals in Thailand and seizing 127 servers. The group, responsible for more than 1,000 attacks and $16 million in stolen funds, went inactive following the takedown. Operation Checkmate in July and August 2025 targeted BlackSuit and Royal ransomware, seizing servers and domains while recovering $1.09 million from a single ransom payment.

Rise of the Hydra

Yet adversaries demonstrated remarkable resilience. As authorities cut off one head, multiple others grew back. By the first half of 2025, 96 unique ransomware groups were operating, up 41% from 68 in the first half of 2024. This proliferation signals that takedowns create vacuums quickly filled by new entrants.

LockBit itself released version 5.0 in September 2025 with advanced cross-platform capabilities targeting Windows, Linux, and ESXi systems. The variant employs heavy obfuscation, patches Windows event tracing, terminates 63 hardcoded security services, and clears all event logs post-encryption. The ESXi variant poses critical risks to virtualization infrastructure, capable of encrypting entire virtual machine environments in single attacks.

RansomHub, which became the most prolific operation in the first quarter of 2025 with 254 reported compromises, saw its infrastructure go offline in April. The group was allegedly absorbed by DragonForce in a hostile takeover. Separately, in May 2025, LockBit suffered a major breach when an actor named "Rey" compromised its affiliate and admin panels, exposing more than 4,400 negotiation messages, more than 75 user accounts with plaintext passwords, and 60,000 Bitcoin wallet addresses.

BlackCat's Brazen Exit Scam

BlackCat, also known as ALPHV, conducted one of the most brazen exit scams in ransomware history, disappearing in March 2024 after stealing a $22 million ransom from the Change Healthcare attack. The breach became the largest healthcare data breach in U.S. history, affecting over 100 million individuals.

Affiliate "Notchy" publicly accused BlackCat of theft before the operators closed affiliate accounts, drained cryptocurrency wallets, posted a fake FBI seizure notice, and offered source code for sale at $5 million. Europol, the Department of Justice, and the UK's National Crime Agency confirmed no law enforcement involvement in the fake seizure, exposing it as cover for the theft.

BlackCat's technical innovations now proliferate ecosystem-wide through successor groups. Two groups emerged carrying the legacy: Cicada3301 and RansomHub. Both exhibit striking code similarities to BlackCat, written in Rust and using identical toolchains.

The most dangerous BlackCat legacy may be Scattered Spider, English-speaking affiliates including teenagers and young adults who pioneered social engineering attacks exploiting native fluency. Responsible for the September 2023 MGM Resorts attack, which caused more than $100 million in operational losses, and the Caesars Entertainment breach, which led to a $15 million ransom payment, Scattered Spider transitioned to DragonForce ransomware in 2025. UK arrests in July and September 2025 charged members with $115 million in ransom payments from more than 120 network intrusions, seizing $36 million in cryptocurrency.

Seven Groups Compete in Fractured Market

The collapse of traditional powerhouses created a multi-polar threat landscape where seven groups emerged as primary threats in 2025, each with distinct characteristics and targeting patterns.

CL0P set a new record in February 2025, claiming responsibility for 385 attacks in just a few weeks. The group executed the year's most impactful supply chain campaigns, specializing in mass exploitation of file transfer software vulnerabilities. The Cleo campaign exploited vulnerabilities to compromise 66+ organizations by December 24, 2024, followed by a 389-victim surge in February 2025, a 1,400% increase. In September 2025, the Oracle E-Business Suite campaign exploited vulnerabilities addressed by July's patches to extort hundreds of organizations with ransom demands of up to $50 million.

Qilin emerged as the second quarter's breakout performer, becoming the most active group by June 2025 with 81 attacks, a 47.3% increase. A critical development: North Korean state actor Moonstone Sleet deployed Qilin ransomware in March 2025, signaling nation-state convergence with cybercriminal operations.

Akira maintained steady high-volume operations with 349 victims in 2024 and 147 in the first quarter of 2025. The group offers multi-platform variants and uses unconventional techniques, such as webcam bypass of endpoint detection and response systems.

Play operated with a characteristically low profile but high effectiveness; the FBI was aware of roughly 900 impacted entities by May 2025. Another troubling development: North Korean Jumpy Pisces acted as an initial access broker and affiliate for Play in October 2024, marking the first observed North Korean state collaboration with ransomware operations.

Medusa specialized in healthcare targeting with more than 200 victims in 2024 and 15 healthcare victims from January to April 2025. Operating a unique ransom auction model on their leak site, Medusa exploits ScreenConnect and Fortinet vulnerabilities for initial access.

DragonForce pioneered a novel "cartel" or white-label ransomware-as-a-service model, taking only 20% cuts while allowing affiliates to maintain independent branding. The group experienced a 212.5% activity surge following alleged absorption of RansomHub infrastructure in April 2025.

Beyond these seven, 46 new groups emerged in 2024 compared to 27 in 2023, a 70% increase. The first quarter of 2025 added 12 new groups, while the second quarter introduced Silent, Crypto24, Bert, Gunra, World Leaks, Nova RaaS, and NightSpire. By July, more than 25 newly identified groups were operational.

Healthcare Bears Disproportionate Impact

The year's most damaging incidents demonstrated ransomware's capacity for systemic disruption, with healthcare bearing a disproportionate share. The Change Healthcare attack compromised over 100 million individuals' personal information. UnitedHealth paid $22 million to BlackCat, a ransom subsequently stolen in the exit scam, but total costs reached $2.457 billion, including weeks of prescription drug service disruptions nationwide.

The Yale New Haven Health breach, discovered March 8 and disclosed April 11, affected 5.5 million individuals whose Social Security numbers and medical data were compromised. The Ascension Healthcare attack disrupted 142 hospitals, affecting 5.6 million patients and prompting Black Basta's operational cessation after it attracted law enforcement scrutiny. The Synnovis pathology attack by Qilin disrupted London hospital operations, impacting more than 300 million patient interactions with the National Health Service.

Healthcare's persistent targeting stems from operational urgency, as patient care demands rapid ransom payment decisions, and valuable data combining medical records, financial information, and personally identifiable information. Approximately 65% of healthcare organizations experienced ransomware in 2024 and 2025. Despite supposed ethical guidelines, groups consistently target hospitals, with 10.6% to 15.4% of all 2025 attacks hitting healthcare.

Critical infrastructure beyond healthcare faced major incidents. The Blue Yonder supply chain software attack affected Starbucks' 11,000 stores, disrupting scheduling and payroll systems. United Natural Foods, Whole Foods' primary distributor, suffered a mid-June attack that crippled electronic ordering. Orange telecommunications in France experienced data theft and encryption on July 28. The PowerSchool breach affected 6,505 school districts, 62 million students, and 9.5 million teachers.

Supply chain attacks multiplied impact. Cleo file transfer exploitation affected 66+ organizations, with roughly 4,000 potential targets. The Oracle Cloud SSO/LDAP breach, discovered March 21, compromised 6 million records across more than 140,000 tenants.

Government sector attacks surged 65% in the first half of 2025 versus 2024. The U.S. government accounted for 66% to 67% of global ransomware incidents, with manufacturing representing 68% of industrial ransomware specifically.

Financial Paradox: Lower Payments, Higher Demands

Total ransom payments in 2024 reached $813.55 million, representing a 35% decline from 2023's $1.25 billion. This marked the first year-over-year decrease since 2022, with particularly sharp slowdown in the second half of 2024 following major law enforcement disruptions.

Yet average payment amounts climbed dramatically. The average ransom payment reached $1.0 million to $2.73 million depending on measurement methodology, up from $400,000 in 2023, a 500% increase. The record single payment was $75 million, paid to Dark Angels by a Fortune 50 company. Median payments present a more realistic picture for typical victims: $200,000 in the first quarter of 2025, up 80% from $110,890 in the fourth quarter of 2024.

The widening gap between average and median indicates market bifurcation: a small number of massive eight-figure ransoms from major enterprises skew the average upward, while the median reflects the six-figure reality most organizations face.

A critical disconnect emerged between demands and payments. The second half of 2024 saw a 53% difference between initial demand and actual payment, the widest gap observed. Only roughly 30% of negotiations result in payment, indicating sophisticated resistance and negotiation strategies.

Payment rates collapsed to 25% to 35% in the first quarter of 2025, having bounced within this range for six quarters and hit a record low of 25% in late 2024. However, only 13% of those who pay receive all their data back uncorrupted, and 84% of payers did not get their data back uncorrupted in 2024, undermining the value proposition of paying.

Recovery costs excluding ransom averaged $1.5 million, with total incident costs reaching $5.13 million to $6 million. Cost components include 24-day average downtime, legal fees, system restoration, reputational damage, regulatory penalties, and lost productivity. Organizations with compromised backups face eight times higher recovery costs, $12 million average versus $1.5 million with clean backups.

Multi-Extortion and AI Define Evolution

Ransomware operators fundamentally transformed attack methodologies in 2025, moving beyond simple encryption to sophisticated multi-stage extortion campaigns. Approximately 96% of ransomware incidents now involve data exfiltration before encryption, making backups insufficient as sole defense.

Double extortion, encrypting systems while threatening data leaks, became the baseline, appearing in 70% of attacks. Triple extortion surged 126% in the first quarter of 2025, adding a third pressure layer: DDoS attacks, direct harassment of customers and partners, threats against individual employees, and secondary encryption of additional systems.

Quadruple extortion emerged as the cutting-edge tactic. In August 2025, Akamai reported an increasing prevalence of attacks combining encryption, data leaks, DDoS, and a fourth layer such as stock manipulation threats against publicly traded companies, media campaigns to amplify reputational damage, and supply chain pressure on the victim's business relationships.

AI integration accelerated dramatically. FunkSec deployed AI-generated phishing templates and the "WormGPT" chatbot for campaign customization. Black Basta and other groups leverage AI for negotiation and pressure campaigns. Generative AI creates hyper-localized phishing with native-language accents and company-specific context; AI-powered vishing increased 442% from the first half to the second half of 2024.

Nation-state convergence represents perhaps the most concerning evolution. North Korean state actors Jumpy Pisces and Moonstone Sleet collaborated with Play and Qilin ransomware in October 2024 and March 2025 respectively, marking a state-sponsored shift from purely cyber-espionage to financially motivated extortion.

Initial access vectors shifted decisively. Exploited vulnerabilities became the number one root cause at 32% of incidents, overtaking traditional phishing. Approximately 81% of intrusions were malware-free, relying instead on credential compromise and social engineering, including help desk impersonation, SIM swapping, and multi-factor authentication fatigue via push bombing. Cloud intrusions increased 136% in the first half of 2025 versus all of 2024.
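Detection logic for the push-bombing pattern mentioned above, as an added example that is not from the Akamai report: the log format, the 10-minute window and the 5-push threshold are constructed assumptions, and the approval-after-burst escalation is the signal a defender most wants because it suggests the user gave in.

```python
"""Detect MFA push bombing (MFA fatigue) in authentication logs.

Added example; the log format below is constructed for illustration and is
not any vendor's real format. For each user, denied or timed-out push
challenges inside a sliding window are counted; THRESHOLD or more is a
burst (medium), and an approval shortly after a burst is escalated (high).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\w+)")
WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 5                    # assumed failed pushes that make a burst

# Constructed sample log: bob is bombed and finally approves; carol is a
# normal user who declined one stray prompt and approved a later one.
SAMPLE_LOG = """\
2025-05-04T09:00:05Z user=alice event=mfa_push result=approved
2025-05-04T09:31:02Z user=bob event=mfa_push result=denied
2025-05-04T09:31:40Z user=bob event=mfa_push result=denied
2025-05-04T09:32:15Z user=bob event=mfa_push result=timeout
2025-05-04T09:33:01Z user=bob event=mfa_push result=denied
2025-05-04T09:33:44Z user=bob event=mfa_push result=denied
2025-05-04T09:34:20Z user=bob event=mfa_push result=approved
2025-05-04T10:10:00Z user=carol event=mfa_push result=denied
2025-05-04T10:25:00Z user=carol event=mfa_push result=approved
"""


def parse(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, user, result) from push events; skip other lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"]))
    return sorted(events)


def detect_push_bombing(log_text: str) -> Dict[str, List[dict]]:
    """Return alerts per user; an empty dict means no burst was seen."""
    alerts: Dict[str, List[dict]] = defaultdict(list)
    recent: Dict[str, deque] = defaultdict(deque)  # failed-push timestamps
    in_burst: Dict[str, bool] = {}
    for ts, user, result in parse(log_text):
        q = recent[user]
        while q and ts - q[0] > WINDOW:           # drop events outside window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= THRESHOLD and not in_burst.get(user):
                in_burst[user] = True
                alerts[user].append({"severity": "medium", "at": ts,
                                     "failed_pushes": len(q),
                                     "reason": "push burst"})
        elif result == "approved":
            if in_burst.get(user) and q and ts - q[-1] <= WINDOW:
                alerts[user].append({"severity": "high", "at": ts,
                                     "failed_pushes": len(q),
                                     "reason": "approval after burst"})
            q.clear()                              # approval resets the window
            in_burst[user] = False
    return dict(alerts)
```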

Attack velocity compressed dramatically. Negotiations now begin within hours of exfiltration. CL0P's supply chain campaigns execute in hours or days, versus the weeks-long dwell times of traditional operations. The fastest eCrime breakout time was 51 seconds, with an average breakout time of 48 minutes. Defensive response windows have narrowed to near real-time.

Ten Critical Defense Strategies

Organizations face an asymmetric battle where defenders must succeed constantly while attackers need a single success. However, data-driven analysis of 2025 attacks reveals specific controls demonstrably reducing risk.

Implementing a 3-2-1-1-0 backup strategy stands as the ultimate insurance policy. Maintain three copies of data on two different media types, with one copy offline or offsite, one immutable copy that cannot be changed or deleted, and zero doubt about recovery capability, established through quarterly testing. Organizations with compromised backups face eight times higher recovery costs. Critically, 98% of organizations with tested backups recovered without paying ransom.

Deploying a Zero Trust Architecture that treats all access as untrusted prevents the lateral movement that enables ransomware to spread. Healthcare organizations implementing identity-based microsegmentation achieved a 90% reduction in breach impact while reducing costs by 76%.

Prioritizing vulnerability management with rapid patching addresses exploited vulnerabilities, the number one attack vector at 32% of incidents. The patch window has compressed to hours, not weeks. Organizations with aggressive patch management reduce successful attacks by 60% to 70%.

Mandating multi-factor authentication everywhere prevents 99.2% of account compromise attacks. With compromised credentials accounting for 47% of initial access, phishing-resistant multi-factor authentication is non-negotiable. Microsoft reports 99.9% of breached accounts lacked multi-factor authentication.

Deploying AI-powered endpoint detection and response enables behavioral detection of unknown threats. AI and machine learning reduce mean time to detect from 204 days to near real-time. Automated response contains threats before encryption.

Implementing Continuous Threat Exposure Management cuts through overwhelming vulnerability noise. Organizations prioritizing security investments based on these programs realize a two-thirds reduction in breaches.

Network segmentation and microsegmentation prevent lateral movement and contain ransomware to the initial compromise point. Updated HIPAA rules now mandate network segmentation for healthcare in 2025.

Comprehensive security awareness training addresses the human error involved in 68% of breaches. Organizations with regular training see a 70% reduction in successful phishing attacks. Focus 2025 training on AI-generated phishing, voice phishing with AI-generated accents, QR code phishing, and business email compromise tactics.

Developing and testing incident response playbooks ensures readiness. Approximately 98% of organizations have ransomware playbooks, but less than 50% include the essential elements needed to execute effectively. Organizations conducting regular simulations recover 50% faster with 30% lower costs.

Hardening identity and access management recognizes identity as the new perimeter. With cloud intrusions up 136% in the first half of 2025 and identity-based attacks bypassing perimeters, IAM hardening is foundational.

Looking Ahead

Security researchers project ransomware evolution over the next 6 to 12 months will be dominated by five major trends reshaping the threat landscape.

AI-powered ransomware will surge 75% in sophisticated attacks. Generative AI creates hyper-convincing phishing campaigns with localized accents and company-specific context. Gartner predicts 17% of total cyberattacks will involve generative AI by 2027.

A fragmented ransomware landscape replaces dominant groups, marking the end of large, stable ransomware-as-a-service operations. The traditional model is "irreversibly tarnished" due to infighting, deception, and law enforcement penetration. The 70 active groups in the first quarter of 2025 will proliferate further.

Multi-extortion becomes standard practice with 85%+ of attacks involving data theft plus encryption plus additional leverage. Organizations must assume stolen data will be weaponized regardless of ransom payment.

Reduced dwell time compresses detection windows to hours. Organizations must detect and respond within minutes to hours. Human-in-the-loop decision-making is too slow for compressed timelines.

Edge device and zero-day exploitation continues unabated. VPN concentrators, remote management tools, firewall appliances, and collaboration platforms provide instant privileged access. The zero-day window between disclosure and exploitation has compressed to hours.

Additional critical predictions include cloud and SaaS targeting accelerating by 50% or more in 2025, law enforcement impact concentrating attacks on small and medium businesses, intensifying regulatory pressure on ransom payments, IoT and operational technology ransomware expansion threatening human safety, and wiper malware proliferation as nation-state actors increasingly deploy destructive attacks.

Gartner's stark prediction: by 2029, the first ransomware attack on implantable medical devices in which a ransom is paid to save a human life. The financial impact of cyber-physical system attacks causing casualties could exceed $50 billion by 2025 to 2026.

The strategic pivot is clear: prepare for a distributed, unpredictable threat environment where resilience trumps prevention, backups are non-negotiable, and speed of response is measured in hours, not days. Ransomware isn't an IT problem. It's an operational continuity crisis threatening organizations' ability to function. The time to act is now.
