Ransomware Attacks Up 49% in 2025
BlackFog released its 2025 State of Ransomware Report on February 12, 2026, revealing a staggering 49% increase in ransomware attacks year-over-year, with threat actors shifting tactics toward encryption-less extortion, supply chain attacks, and AI-powered social engineering.
Key Findings
| Metric | 2024 | 2025 | Change |
|---|---|---|---|
| Total Ransomware Attacks | 5,234 | 7,798 | +49% |
| Double Extortion Attacks | 68% | 82% | +14pp |
| Encryption-Less Extortion | 12% | 31% | +19pp |
| Average Ransom Demand | $2.1M | $3.8M | +81% |
| Ransomware-as-a-Service Groups | 28 | 47 | +68% |
Evolving Attack Methods
1. Shift Away from Encryption
31% of ransomware attacks in 2025 involved pure data exfiltration without encryption. This represents a strategic shift:
Why Skip Encryption?
- Faster operations — No need to deploy ransomware binary
- Lower detection risk — No sudden file modification alerts
- Harder to recover — Victims can't restore from backups
- Legal pressure — Data breach disclosure laws force action
Impact on Victims
Traditional ransomware: "Pay to decrypt." Modern extortion: "Pay or we publish your data."
The latter is harder to defend against because:
- Backups don't help (data already stolen)
- Legal obligations to disclose breaches
- Reputational damage from data publication
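Because encryption-less extortion produces none of the mass file-modification noise that a ransomware binary does, the exfiltration stage itself becomes the detection point. The following is an added example, not part of the BlackFog report: it scores each host's hourly outbound volume against that host's own median from earlier hours, over constructed egress-log lines. The log format, the 10x ratio and the 10 MB floor are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed egress-log lines: timestamp, source host, destination, bytes sent.
SAMPLE_LOG = """\
2025-06-01T01:12:00Z ws-042 cdn.example 1200000
2025-06-01T02:05:00Z ws-042 cdn.example 900000
2025-06-01T03:40:00Z ws-042 mail.example 1100000
2025-06-01T04:10:00Z ws-042 cdn.example 1000000
2025-06-01T05:18:00Z ws-042 storage.example.net 48000000
2025-06-01T05:31:00Z ws-042 storage.example.net 52000000
2025-06-01T01:20:00Z srv-db1 backup.example 80000000
2025-06-01T02:20:00Z srv-db1 backup.example 82000000
2025-06-01T03:20:00Z srv-db1 backup.example 79000000
2025-06-01T04:20:00Z srv-db1 backup.example 81000000
2025-06-01T05:20:00Z srv-db1 backup.example 80000000
"""

def hourly_egress(log_text):
    """Sum bytes sent per (host, hour) from whitespace-separated log lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ts, host, _dest, nbytes = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        totals[(host, stamp.replace(minute=0, second=0))] += int(nbytes)
    return totals

def find_exfil_candidates(log_text, ratio=10.0, min_bytes=10_000_000):
    """Return {host: [(hour, bytes, baseline)]} for hours whose volume is at
    least `ratio` times the host's median of earlier hours and above an
    absolute floor (assumed thresholds). A steady bulk mover such as a
    backup server sets its own high baseline and is not flagged."""
    per_host = defaultdict(list)
    for (host, hour), total in sorted(hourly_egress(log_text).items()):
        per_host[host].append((hour, total))
    alerts = defaultdict(list)
    for host, series in per_host.items():
        for i, (hour, total) in enumerate(series):
            earlier = [b for _, b in series[:i]]
            if len(earlier) < 3:  # not enough history to form a baseline
                continue
            baseline = median(earlier)
            if total >= min_bytes and total >= ratio * baseline:
                alerts[host].append((hour, total, baseline))
    return dict(alerts)
```

In the constructed data only ws-042 is flagged, for the 05:00 hour in which it pushed 100 MB to external storage against a ~1 MB baseline; srv-db1 moves far more data but does so every hour.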
2. Double Extortion Now Standard
82% of ransomware attacks in 2025 involved double extortion (encrypt AND steal data), up from 68% in 2024.
The Double Extortion Model
- Infiltrate — Compromise victim network
- Exfiltrate — Steal sensitive data
- Encrypt — Deploy ransomware
- Extort — "Pay or we publish AND you can't access your systems"
Triple and Quadruple Extortion
Emerging tactics include:
- Triple extortion — Target customers, partners, and employees directly
- Quadruple extortion — DDoS attack while ransom negotiations occur
3. Supply Chain Targeting
Ransomware groups increasingly attack third-party vendors to reach high-value targets:
Recent Supply Chain Attacks
| Vendor | Downstream Impact |
|---|---|
| Managed Service Providers (MSPs) | Hundreds of client breaches from a single MSP compromise |
| Software vendors | Trojanized updates infect thousands |
| Cloud service providers | Multi-tenant compromise |
Why Supply Chain?
- One compromise, many victims — Maximum impact
- Less mature security — Vendors often have weaker defenses
- Trusted access — Vendors have legitimate access to client systems
Industry Impact Analysis
Most Targeted Sectors (2025)
| Industry | % of Attacks | Change YoY |
|---|---|---|
| Healthcare | 23% | +4pp |
| Finance | 18% | +2pp |
| Manufacturing | 16% | +5pp |
| Education | 14% | -1pp |
| Government | 12% | +3pp |
| Retail | 11% | +1pp |
| Other | 6% | -14pp |
Why Healthcare Leads
Healthcare remains the #1 target because:
- High-value data — Medical records sell for 10x more than credit cards
- Critical operations — Hospitals can't afford downtime
- Weaker security — Many healthcare orgs lack mature security programs
- Regulatory pressure — HIPAA violations add legal leverage
Ransomware-as-a-Service (RaaS) Growth
The number of active RaaS operations grew from 28 in 2024 to 47 in 2025, a 68% increase.
Top RaaS Groups (2025)
- LockBit — 892 attacks (11.4% of total)
- ALPHV/BlackCat — 743 attacks (9.5%)
- Play Ransomware — 623 attacks (8.0%)
- Cl0p — 578 attacks (7.4%)
- BlackBasta — 512 attacks (6.6%)
The RaaS Business Model
RaaS operates like legitimate software-as-a-service:
- Developers — Create ransomware tools
- Affiliates — Conduct attacks using the tools
- Revenue split — Typically 70/30 or 80/20 (affiliate/developer)
- Support infrastructure — Payment processing, leak sites, victim chat
This lowers barriers to entry, allowing less-skilled criminals to conduct sophisticated attacks.
AI-Powered Social Engineering
The report highlights AI-driven phishing as a key enabler:
How AI Enhances Attacks
| Technique | Traditional | AI-Enhanced |
|---|---|---|
| Email Phishing | Generic, obvious errors | Personalized, grammatically perfect |
| Voice Phishing (Vishing) | Human callers, limited scale | AI voice clones, infinite scale |
| Deepfake Video | Not feasible | Real-time video calls with fake executives |
Real-World Examples
- CEO Fraud — AI voice clone of CEO authorizes wire transfer
- Fake Zoom Meetings — Deepfake video calls to build trust
- Personalized Phishing — AI scrapes LinkedIn/social media to craft perfect lures
Financial Impact
Average Ransom Payments
- 2024: $2.1 million
- 2025: $3.8 million
- Increase: 81%
Total Ransom Payments (2025)
- Estimated total paid: $1.9 billion (up from $1.1 billion in 2024)
- Average downtime: 21 days per incident
- Total recovery costs (including forensics, legal, PR): $5.7 billion
Attack Trends: What's Changing
1. Initial Access Vectors
| Method | 2024 | 2025 |
|---|---|---|
| Phishing | 45% | 38% |
| Exploited Vulnerabilities | 28% | 35% |
| Compromised RDP | 18% | 12% |
| Supply Chain | 5% | 11% |
| Stolen Credentials | 4% | 4% |
Key Insight: Attackers are shifting from phishing to vulnerability exploitation, likely due to:
- Better email security (SEGs, anti-phishing training)
- More zero-days and N-days available
- Faster exploitation of disclosed vulnerabilities
2. Dwell Time Decreasing
- 2024 average dwell time: 16 days
- 2025 average dwell time: 9 days
Attackers are moving faster from initial access to encryption/exfiltration, reducing detection opportunities.
Defensive Strategies
What's Working
According to the report, organizations that avoided ransomware had:
- Immutable backups — Air-gapped, write-once-read-many (WORM)
- EDR deployment — Endpoint detection and response on all devices
- Network segmentation — Lateral movement containment
- Phishing-resistant MFA — Hardware keys, not SMS codes
- Patch management — Automated patching within 48 hours
What's NOT Working
Traditional defenses showing limited effectiveness:
- Antivirus alone — 73% of ransomware evades signature-based AV
- Perimeter firewalls — Attacks come from inside (phishing, RDP)
- Annual security training — Ineffective against AI-powered phishing
Recommendations for Organizations
Immediate Actions (High Priority)
- Test backups weekly — Ensure you can actually restore
- Deploy EDR everywhere — Endpoints, servers, cloud workloads
- Require phishing-resistant MFA — Hardware keys (YubiKey, Titan Key)
- Segment networks — Isolate critical systems
- Patch critical CVEs within 24 hours
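A backup that has never been restored is an assumption, not a control. The following is an added example, not from the report: it builds a tar archive together with a SHA-256 manifest that is meant to be kept apart from the archive, then performs a restore drill into a scratch directory and reports every file that is missing or whose checksum disagrees with the manifest. The manifest layout and the constructed sample files are assumptions.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(src_dir, archive_path):
    """Tar src_dir and return {relative_path: sha256}, to be stored apart from the archive."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_restore(archive_path, manifest):
    """Extract into a scratch directory and check every manifest entry; return problems."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects traversal, links, etc.
            except TypeError:  # older Python without extraction filters
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"checksum mismatch: {rel}")
    return problems

def restore_drill():
    """Constructed drill: a clean restore passes; a manifest that disagrees with the archive fails."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        Path(src, "notes").mkdir(parents=True)
        Path(src, "records.csv").write_text("id,value\n1,constructed\n")
        Path(src, "notes", "a.txt").write_text("sample note\n")
        archive = Path(work, "backup.tgz")
        manifest = make_backup(src, archive)
        tampered = dict(manifest)
        tampered["notes/a.txt"] = "0" * 64  # what a silently corrupted file looks like
        tampered["ghost.bin"] = "0" * 64    # a file that never made it into the archive
        return verify_restore(archive, manifest), verify_restore(archive, tampered)
```

Run `verify_restore` on a schedule against the real archive and the off-host manifest; an empty problem list is the only acceptable result.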
Long-Term Strategy
- Implement Zero Trust architecture — Never trust, always verify
- Conduct ransomware tabletop exercises — Practice incident response
- Audit third-party vendors — Require security questionnaires and audits
- Invest in threat intelligence — Know which groups target your industry
- Consider cyber insurance — But read the fine print on ransomware coverage
The 2026 Outlook
BlackFog predicts:
- Continued growth in ransomware attacks (30-40% increase in 2026)
- More AI-driven attacks as tools become more accessible
- Ransomware targeting OT/ICS (operational technology/industrial control systems)
- Increased nation-state involvement in ransomware operations
- Stricter regulations on ransomware payments