Anti Ransomware Day: Attacker Capabilities Increase, Payments Decline

Recent ransomware research shows an array of trends over the last 12 months.

Ransomware groups are increasingly developing their own custom toolkits, while the RaaS (Ransomware-as-a-Service) model remains the predominant framework for attacks.

According to Kaspersky’s International Anti-Ransomware Day research, the groups are developing toolkits to increase the effectiveness of their attacks and avoid detection.

Toolkits typically include exploitation tools, lateral movement tools and password attack tools that are tailored to specific targets or industries. “By creating proprietary tools, these groups reduce their reliance on widely available, detectable exploits and maintain control over their operations,” Kaspersky’s researchers said.

“This in-house development also facilitates frequent updates to counter defences and exploit new vulnerabilities, making their attacks more resilient and harder for cybersecurity measures to mitigate.”

Escalating Sophistication

According to other recent research from Bitsight, ransomware attacks increased by 25 percent in 2024, while the number of ransomware group leak sites rose by 53 percent. Dov Lerner, staff threat researcher at Bitsight, said the fragmentation caused by smaller, more agile gangs is leading to more attacks on mid-sized organisations.

“The 25 percent surge in active ransomware attacks signals escalating sophistication of attackers and an increasingly complex threat landscape,” Lerner said.

“Combating these evolving threats requires more than layered defences—it demands continuous visibility into exposed assets, insights into emerging threats, and the ability to prioritize action based on real-world risk.” 

That rise in ransomware sophistication was also noted by the CSIS Spring 2025 Threat Matrix Report. It noted that ransomware groups such as Akira, Play, and BlackLock continued to exploit vulnerabilities in enterprise environments, with a particular focus on VMware ESXi systems and backup infrastructure. 

However, it also saw a decline (35 percent year-over-year) in ransomware payments throughout 2024.

Lower the Bar

The RaaS model lowers the technical barrier for users and enables less-skilled actors to execute sophisticated attacks. The use of LLMs is further amplifying ransomware's reach and impact, as these also lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less-skilled actors to craft highly convincing lures or automate ransomware deployment.

The research also found that cyber-criminals are increasingly prioritising data exfiltration alongside, or sometimes instead of, encryption, focusing on stealing sensitive information. Encryption is still widely used, but the rise of double and triple extortion tactics shows a strategic pivot.

Layered Approach

Sam Peters, chief product officer at ISMS.online, said Anti-Ransomware Day should be an opportunity for organisations to consider adopting a layered cybersecurity approach, and a company-wide co-ordinated defence strategy.

“The dynamic nature of current ransomware threats means organisations can’t expect to tackle this threat by investing in a single cybersecurity application,” he said. “They need to design and implement a multi-layered, company-wide cybersecurity strategy that provides effective solutions for tackling each step of the ransomware process.

“This should include cybersecurity awareness training to ensure employees spot phishing and social engineering attack attempts early, the use of a managed detection and response solution and data backups to enable organisations to recover quickly after a ransomware attack.”

Edward Lewis, CEO of CyXcel, pointed at the UK Government’s recent ransomware payment ban, saying the proposals matter as they represent an attempt to take a bolder path.

Lewis said: “However, the Government’s goal is bigger than just cutting off funds to cyber-criminals. It's about signalling that the UK is raising the cost of doing business for ransomware gangs, while also forcing organisations to move from a reactive response to proactive systemic resilience.

“With this, businesses must recognise that ransomware isn't just an IT threat, it's an operational risk; and for many sectors, especially those reliant on operational technology such as energy, manufacturing, healthcare and transportation, the stakes are much higher.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
