Latest Predictions for Ransomware Threats Facing Businesses in 2025
In the ever-changing world of cybersecurity, ransomware continues to pose a significant threat. According to David Dunn, EMEA head of the cybersecurity practice at FTI Consulting, the ransomware landscape is rapidly transforming, with a notable splintering of the ecosystem.
Three groups that have recently joined and engaged in ransomware-as-a-service (RaaS) are Hive, Royal, and LockBit. Meanwhile, prolific groups like Clop and Termite have become adept at exploiting internet-facing software and services.
The emergence of numerous smaller ransomware operations, such as Akira, DragonForce, and Qilin, has filled the void left by the decline of major RaaS groups. These smaller operations, often referred to as lone wolf attacks, have increased over the past 18 months.
The ransomware landscape is not only evolving in terms of who is operating, but also in the methods used. Adversaries are increasingly taking advantage of unpatched software to launch attacks. They are also moving away from encrypting data, as companies are improving their backups, and instead focusing on the data breach aspect of ransomware to extort victims.
The average ransom amount has steadily increased through 2025. However, Chainalysis data from February 2025 shows a 35% overall decrease in total volume of ransom payments. This decline could be due to better preparedness and insurance changes.
The underground market on the dark web is thriving, with a growing demand for credentials to EDR consoles or testing services. Adversaries are spending time and resources on being able to evade endpoint detection and response (EDR) tools.
The distinction between initial access brokers, affiliates, and core operators has become increasingly blurred. This blurring of lines is a testament to the adaptability of ransomware groups in the face of increasing scrutiny and crackdowns.
Ransom payment bans are being mooted in multiple countries, which is starting to affect the number of firms paying ransoms. Regular staff training, updates, and alerts can help keep employees vigilant against evolving threats.
Despite the challenges, the ransomware as a service (RaaS) model remains a dominant force in the cyber threat landscape. The Dragonforce RaaS operation, for instance, has made headlines following retail breaches against M&S and the Co-op.
In conclusion, the ransomware threat is far from over. It continues to evolve, and so must our defences. Stay vigilant, stay informed, and stay prepared.
