Thanks to intensified activity on the part of law enforcement agencies worldwide – resulting in the shutdown of highly profitable and destructive ransomware-as-a-service (RaaS) groups such as LockBit – we’ve seen some encouraging signs within the ongoing fight against ransomware threats. Annual ransomware payment totals fell from $1.25 billion in 2023 to $813.55 million last year.
Meanwhile, the global year-to-year rise in the rate of these attacks is on the decline, with 5,289 incidents in 2024, up 15 percent from 4,591 in 2023. But, that percentage increase is significantly lower than the 77 percent increase seen in 2023 (2,593 attacks in 2022). So, the overall incident growth rate appears to be leveling off somewhat.
However, it’s no time to get complacent. In our own research, we’ve found that ransomware variants grew to 101 in 2024, up from 70 in 2023. This rise in variants remains a foreboding indicator of accelerated attacks to come, signifying rebranding efforts on the part of cybercriminals. They’re responding to law enforcement activity with craftier variants and more precisely targeted campaigns aimed at victims with deep pockets. As a result, they’re boosting their efficiency and efficacy.
Director of Intelligence Collections Management at Intel 471.
Ransomware-as-a-service
With the rise of RaaS over the years, cybercriminals now work much like a business, leveraging a subscription-based market in which customers (most commonly referred to as affiliates) pay for software created by ransomware operators, for the purpose of launching attacks.
By its very nature, RaaS has lowered the barrier to entry because customers no longer need to be experts in coding. They can simply pay for the product to launch their ransomware campaigns, and their subscriptions typically entail full-service offerings of software support, malware and infrastructure. Such a model created a strong incentive for more cyber actors, who are perhaps less skilled or experienced, to join the ransomware landscape, as long as they agreed to share a cut of the ransom with the RaaS operator, of course.
Key trends
If this sounds like a high-level, enterprise approach to crime, well, that’s because it is. Subsequently, we’re seeing the following key trends reshaping the very essence of the ransomware experience in 2025 – trends that can help victims make better decisions as they assess whether to proceed with payment negotiations or not:
(Dis)honor among thieves
Among cyber attack techniques, ransomware stands out because there are inevitably person-to-person interchanges, those which often touch upon human emotions and elements of trust. Or mistrust.
Victims, already rattled by the reality of the situation, find themselves in dialogue with the ransomware operator and must evaluate whether the operator will make good on terms if the ransom is paid. “What do we know about this group?” victim organizational leaders will ask. “Do they seem too aggressive? Are they pressuring us without any intention of deleting the data they stole, or never bothering us again? Or do they have a track record of respecting negotiated agreements?”
The weaponization of data
RaaS groups aren’t just stealing victims’ data. They’re weaponizing it as a means to increase the pressure to pay. They will now go through financial records, cyber liability limits and additional information to determine whether a victim is positioned to pay – and how much.
Artificial intelligence (AI) tools enable them to explore further at a larger scale, such as the exploitation of human resources (HR) records to reach employees and/or senior executives and tell them that their records have been compromised. With this, the RaaS operator tries to apply pressure on employees and executives to convince their organization to pay the ransom.
Outsourcing and automation
RaaS operators are fully capable of using the same tech and personnel management tools as legitimate companies. Outsourcing allows them to rebrand quickly if they feel the heat around the corner. They can put people and resources in place with a spinoff group and then migrate to the new brand when they have to make the current one “disappear” to avoid getting arrested.
Automation will enhance efficiencies and expand the scale of victim targeting and payments. Instead of communicating with targeted organizations person-to-person, a chatbot instantly will direct organization members to a log-in page, and they’ll use a transaction number to process payment and secure the stolen information.
Deal or no deal?
Ultimately for victims, ransomware comes down to one simple proposition: Deal or no deal? This is a highly individualized decision, based upon the size of the organization, industry, and the potential consequences of taking a “no payment” position.
But the more companies know about the RaaS operator, the better informed their choices. If they know the background of the operator and how adept they are at deploying AI and additional resources to “go deep” within their environment – then they’ll have a stronger sense of likely outcomes of paying or not paying. If they’re aware that the “new” group which compromised them is actually a spinoff of an old one, then they can research the reputational history of the former brand.
Given that AI and automation should only dramatically expand the capabilities of the RaaS underworld as a collective whole, organizations will need to stay on top of these trends to make the best decision for their teams.
We’ve featured the best encryption software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Services Marketplace – Listings, Bookings & Reviews