Understanding the Current Ransomware Landscape


Posted on by Greg McDonough

Cybersecurity is currently seeing a troubling spike in the number, and severity, of ransomware-related cybercrimes. Over the past few years, the reported incidents have exploded, with Black Kite reporting “attacks nearly doubling from 2,700+ in 2022 to nearly 4,900 in 2023,” and Security Magazine noting that in Q4 2024, “2,247 ransomware extortion publications were reported, a 46% increase from Q3 2024.” Part of the reason for this meteoric rise is the increasing sophistication of the ransomware attacks and the growing efficiency of the attackers themselves. While it is easy to focus solely on the financial ramifications of ransomware, bad actors are increasingly targeting industries such as education, healthcare, and transportation, where disruption has a far-reaching impact on the lives of many. There are no simple solutions to preventing ransomware, but becoming familiar with the approaches, techniques, and goals of ransomware attackers should be the first step towards strengthening any system.

What’s New in Current Ransomware Trends?

It can be difficult to accurately assess the prevalence of cybercrimes because many organizations prefer to deal with attacks privately when possible. However, the Cyentia Institute was able to create a comprehensive study analyzing over 14,000 ransomware events containing over a billion data records. While it is worth reading the full report, there are a few key findings that work together to create a bleak picture of the ransomware landscape. One of the more staggering conclusions is that “ransomware was behind 32% of all security incidents and 38% of financial losses from cyber events reported over the last five years.” While these numbers speak for themselves, it is jarring to realize that roughly one third of all successful cybercrimes and over a third of the cybersecurity industry’s losses stem from ransomware. The report also points out that ransomware is responsible for a little over half of the attacks on the manufacturing sector and around 80% of the cyber losses in the manufacturing, education, and transportation industries. In terms of growth, the losses from ransomware have grown by over 140 times in the last ten years.

Are Ransomware Attacks Growing More Sophisticated?

The statistics clearly show that ransomware is becoming one of, if not the, most dominant forms of attack in the cybersecurity industry. There are a few different reasons for this trend. The first is the growing ease with which bad actors can gain access to software that allows them to penetrate systems and encrypt an organization’s data. Whereas these attacks used to be isolated due to their technical demands, it is now possible for individuals with significantly less skill to buy fully functional kits from places like the dark web. In addition to these isolated bad actors, the profitability of ransomware has created highly efficient teams of attackers that operate with the methodology of organized crime. Groups like Clop and RansomHub often employ the ransomware-as-a-service (RaaS) model, which involves distributing attack kits and programs to independent contractors, who are often paid a fee for their role. These bad actors often gain initial access to a system through phishing campaigns or by exploiting zero-day vulnerabilities. Some of these groups employ double-extortion tactics: they not only encrypt but also exfiltrate their victims’ data, allowing them to apply pressure by threatening to release sensitive information in addition to denying access. This can escalate even further with a triple-extortion approach that adds a further threat, such as a distributed denial-of-service (DDoS) attack, or that leverages the stolen data to ransom or intimidate clients, partners, and other affected individuals.

What Are the Most Common Attack Vectors?

Cybercriminals employ a number of tactics in their ransomware attacks. These are some of the most common things to look for:

  • Phishing: As is true with so many forms of cyberattack, phishing is often the initial attempt to gain access to a system. Beware of any suspicious emails that request personal information such as passwords and usernames.
  • Vulnerable Software: Unpatched and out-of-date software often contains vulnerabilities that attackers can exploit to bypass security measures and gain access.
  • Remote Desktop Protocol (RDP) Exploits: Remote Desktop Protocol is embedded in Microsoft Windows as a means of providing support, allowing technicians to remotely view and control a Windows computer. Attackers have found numerous ways to exploit this protocol to capture sensitive data or install their own malicious software.
  • Supply Chain Attacks: Attackers are constantly probing for the weakest defenses, which can often be found in the systems of smaller, less-secure partners that have access to a target’s system.

What Are the Best Prevention and Mitigation Strategies?

While there is no single line of defense that can protect against ransomware, these steps can be employed to lessen the likelihood of suffering a ransomware incident.

  • Regular Backups: Maintaining a regular backup schedule will help to create a resilient system that minimizes the impact of a ransomware attack and reduces the time before normal operations can be restored.
  • Employee Training: Educating employees on how to recognize, avoid, and report cybersecurity attacks is one of the most important steps towards securing any system.
  • Endpoint Detection and Response (EDR) and Antivirus Software: Up-to-date antivirus software helps to automatically repel most attacks. When an incident does occur, EDR software helps to quickly recognize threats and automatically respond with countermeasures designed to neutralize the attack and mitigate further damage.
  • Network Segmentation: Segmenting networks ensures that when penetration occurs, the attackers are limited in their ability to move laterally throughout the system, thus minimizing the severity of the attack.
  • Incident Response Planning: It is a matter of when, not if, a system will be compromised. Well-thought-out incident response planning makes certain that all parties know their roles and that procedures are in place to restore systems as quickly as possible.
  • Zero Trust Security: Zero Trust security systems ensure that users and devices are thoroughly vetted before gaining access to a system. This type of architecture is a significant deterrent to many would-be attackers.

Why Is Proactive Cybersecurity Key?

Ransomware is currently exploding in terms of the number of attacks and the severity of the financial losses that it inflicts. These sophisticated attacks are increasingly perpetrated by organized crime syndicates that distribute ready-made malware and often employ independent contractors to increase the number of their attacks. Although every system will eventually become susceptible to some form of cyberattack, it is necessary to be proactive in regard to ransomware and any other form of attack. The first step should always be to stay up to date and educated on the latest trends and methods of cybercriminals. The library at RSAC provides invaluable insights from industry leading experts on everything cybersecurity related.

Contributors
Greg McDonough

Cybersecurity Writer, Freelance
