The Evolving Ransomware Landscape: trends and Threats in 2025
Ransomware remains a dominant force in the cyber threat landscape, but it’s evolving. A important shift is underway, with a growing number of cybercriminal groups prioritizing data exfiltration and extortion without encryption. This trend, emerging throughout 2024, shows no signs of slowing down.
This article provides a thorough overview of the current ransomware situation, outlining key trends, active threat actors, and vulnerable sectors. We’ll equip you with the knowledge too understand the changing tactics and bolster your institution’s defenses.
The Rise of Extortion-Onyl Attacks
Traditionally, ransomware attacks involved encrypting a victim’s files and demanding payment for the decryption key. Now, many groups are opting for a “pure extortion play.” They steal sensitive data, then threaten to leak it publicly unless a ransom is paid.
Traditional Approach: Encryption + Data Exfiltration + Double Ransom (Decryption & Leak Prevention)
New Approach: Data Exfiltration + Threat of Leakage + Single Ransom
Groups like World Leaks (formerly Hunter’s International) are leading this charge, demanding ransom without ever touching encryption. ransomhub and emerging groups like Weyhro are also experimenting with this tactic. this shift suggests attackers are finding extortion alone to be a profitable and efficient method.
The Impact of Generative AI
Generative artificial intelligence (GenAI) is beginning to play a role, though its adoption is still limited. Ransomware gangs are leveraging AI to automate tasks and improve efficiency.Specifically, we’re seeing early use in:
Phishing Template Creation: AI can rapidly generate convincing phishing emails, increasing the success rate of attacks.
Automation of Reconnaissance: AI tools can assist in identifying potential targets and gathering details.Funksec, a group that surfaced in late 2024, is particularly noteworthy. They may have been involved in developing the WormGPT model, a concerning AI tool designed for malicious purposes.While widespread adoption of AI in ransomware is not yet here, it’s a space to watch closely.
Key Ransomware Groups to Watch
FlashPoint’s analysis of the first six months of 2025 reveals several highly active ransomware groups:
- Akira: 537 attacks
- Clop/Cl0p: 402 attacks
- Qilin: 345 attacks
- Safepay Ransomware: 233 attacks
- RansomHub: 231 attacks
However, several other groups deserve your attention. DragonForce, a UK-based cartel, has gained notoriety for recent high-profile attacks against major organizations like marks & Spencer and co-op Group. You should be aware of their tactics and potential targeting.
Geographic and Sectoral Trends
Understanding were attacks are concentrated and which sectors are most vulnerable is crucial for proactive defense.
Geographic Distribution (First Half of 2025):
United States: 2,160 attacks (substantially higher than any other nation)
Canada: 249 attacks
Germany: 154 attacks
United Kingdom: 148 attacks
Brazil, Spain, France, India, Australia: Also experiencing notable activity.
Most Targeted Sectors:
Manufacturing: 22% of attacks
Technology: 18% of attacks
Retail: 13% of attacks
Healthcare: 9% of attacks
Business Services & Consulting: 8% of attacks
These statistics highlight the need for heightened vigilance across all sectors, but particularly within manufacturing, technology, and retail.
Emerging Tactics: Victim Recycling
FlashPoint has observed a disturbing trend: ransomware gangs are increasingly recycling previous victims. Data stolen from one organization is being re-exploited and appearing on different forums, even long after the initial attack. This indicates a complex and opportunistic approach to maximizing profit from stolen data.
Protecting Your Organization
The ransomware landscape is dynamic and requires a layered security approach. Consider these steps:
* regular Data Backups: Implement a robust backup strategy with offline storage.
