What developments can security leaders expect to see in ransomware this year and what should they do to boost defences?
Ransomware attacks are surging, with 59 percent of organisations hit by the data-locking malware during the last year, according to Sophos' The State of Ransomware 2024 report.
It’s not surprising: ransomware is a lucrative business for attackers, with the average demand reaching $2 million and 94 percent of this being paid on average, according to the Sophos data.
It shows no signs of slowing in 2025. The takedown of prolific ransomware group LockBit was one of the biggest stories of 2024, yet the gang has already returned in multiple different forms. Meanwhile, new groups have also entered the fray, including RansomHub, which experts warn could be set to cause havoc this year.
Tackling ransomware in 2025 will also become more challenging as new technology such as artificial intelligence (AI) supercharges attacks. So, what developments can security leaders expect to see this year and what should they do to boost defences?
Attacks will increase, despite takedowns
LockBit and other groups were badly hit in 2024, but attacks will still surge this year, experts say. “Despite law enforcement successes in early 2024, criminal groups will recover and intensify their activities,” says Ben Aung, CRO at Sage.
Arvind Nithrakashyap, co-founder and chief technology officer of Rubrik, predicts Ransomware-as-a-Service (RaaS) will evolve further, giving more adversaries the ability to launch attacks easily. “RaaS will expand beyond malware, offering initial access brokering, data exfiltration and negotiation services.”
RaaS platforms will also continue to lower the technical threshold for launching ransomware attacks, says Nithrakashyap. “This means more individuals or less technically skilled groups can engage in ransomware activities, increasing the volume of attacks. Organisations will need to develop new strategies to contend with this reality.”
Attackers will adapt in line with defences
While organisations are becoming more resilient with better defences and backup strategies, ransomware attackers will adapt, says Stefan Tanase, cyber intelligence expert at CSIS. “Data leaks, once a powerful extortion tool, are becoming less impactful.
“However, attacks that significantly disrupt business operations such as halting logistics or sales will drive higher ransom payments. The divergence between median and average ransom payments will highlight the varying impact of these attacks.”
Ransomware attackers are continuously adapting their tactics in response to improved security measures, says Justin Kuruvilla, chief cyber security strategist at Risk Ledger. “What began with traditional extortion has now evolved into more complex iterations, including double, triple and even quadruple extortions where a victim’s clients are contacted to pressure the victim into payment.”
Ransomware attacks are moving away from simple encryption towards “a more lucrative model” focused on data exfiltration and extortion, adds Matthias Held, technical programme manager at Bugcrowd.
This shift is driven by increased defences against traditional encryption methods, he says. “Organisations have become better at mitigating ransomware infection, leaving attackers to rely on more sophisticated tactics for monetisation.”
Payment bans will widen
The UK is currently planning a ban on ransom payments to apply to critical sectors and public sector bodies. Ransomware payment bans are often floated as “a bullet-proof solution”, but they are “a huge challenge for any government to successfully implement”, according to experts at cybersecurity firm Barrier Networks.
“Payment bans are murky; they can hurt organisations and could potentially lead to them making payments to threat actors under the radar, which would result in a whole new area of online policing that would require significant money and time.”
Instead, a more feasible approach might involve increased government support for ransomware victims, the company says. “Although it’s unclear exactly what form this support would take, we could see the introduction of ‘bounce-back’ loans, similar to those provided during the pandemic. These loans would mean governments would provide financial assistance to ransomware victims to help them rebuild their systems.”
New players will enter the fray
Ransomware attacks “reached record highs” in the last quarter of 2024, with 13 new groups, including SafePay and FunkSec, rapidly scaling their operations, says Ivan Khamenka, cyber threat intelligence analyst, ReliaQuest.
Khamenka predicts that by the start of Q3 2025, BlackLock will overtake RansomHub as the most active ransomware group. “In the last quarter alone, BlackLock’s victim count skyrocketed by over 1,000 percent, and we’ve already seen before in similar gangs – including RansomHub – how rapid growth can propel a group from obscurity to dominance in just a few months.”
Expect lesser-known ransomware gangs such as Hunters International to grow at “an expedited rate”, says Dr Darren Williams, CEO and founder, BlackFog. “As attackers’ use of AI continues to proliferate, their attack rate will allow them to work more efficiently and more successfully than we’ve seen before.
“There’s no honour amongst thieves and the trend of ‘gang-hopping’ by individual cybercriminals between ransomware groups will further complicate attribution and containment efforts. Attackers will follow the money and choose financial gain over any allegiance to a group.”
In 2025, Khamenka expects ransomware groups to increasingly adopt generative AI and large language models (LLMs) in their operations to automate and enhance critical tasks such as crafting convincing phishing emails and realistic deepfakes – and identifying zero-day vulnerabilities.
“Activity on cybercriminal forums where ransomware groups operate reveals growing interest in using AI-driven tools, with discussions around deepfakes and AI-generated malware gaining traction.”
Tackling ransomware in 2025
Whatever happens in 2025, it’s important that firms ensure they are as resilient as possible to avoid being hit in the first place. To counter advancements in AI, training is key to avoiding phishing attempts that can allow ransomware into the business.
“Organisations must train end users to critically evaluate communications and verify identities, as AI-generated phishing attempts and deepfakes become more deceptive and sophisticated,” says Khamenka.
Adversaries often take advantage of vulnerabilities in software, making it essential to get the cybersecurity basics right, including patching and multi-factor authentication (MFA).
With this in mind, Aung advises: “Businesses should strengthen defences by continuing to focus on the highest impact security measures, such as patching, endpoint detection tools, MFA, privilege access management and employee awareness.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist