What is ransomware?

Ransomware is among the most damaging forms of malware, bringing with it severe financial and operational impacts

Ransomware is one of the most pervasive cybersecurity threats. It’s a variant of malware that encrypts data until attackers are paid a ransom, locking victims out of critical data until threat group demands are met.

Around the world, ransomware attacks are widespread and financially devastating. In 2025, 62.6% of organizations reported ransomware attacks per Statista data.

The financial stakes are also rising, with average ransom demands now exceeding $1.13 million according to data from Coveware by Veeam. The scale of these attacks has led governments and cybersecurity experts to reinforce their stance against paying ransoms, as doing so not only funds criminal enterprises but also increases the likelihood of repeated attacks. Of course, giving criminals what they want is not ideal.

Beyond financial damages, ransomware attacks can shut down enterprises, disrupt critical infrastructure, and even endanger lives – particularly with regard to health care organizations, where hospitals and medical providers have suffered major service outages due to encrypted patient records.

Meanwhile, ransomware groups have grown more sophisticated, adopting double extortion tactics, where they not only encrypt data but also threaten to leak sensitive information if their demands are not met.

How does ransomware work and what is it?

Ransomware is malware that encrypts files or locks users out of their systems, demanding payment – usually in cryptocurrency like bitcoin – to restore access. In most cases, it spreads via phishing emails, malicious attachments, software vulnerabilities, and compromised websites.

Increasingly, attackers are using supply chain breaches to infect multiple organizations at once, thus increasing their illicit gains.

The two main types of ransomware are encryption-based ransomware, which scrambles files so that a decryption key is required to restore them, and locker ransomware, which locks users out of their entire system.

To take a quick history lesson, ransomware dates back to 1989’s “AIDS Trojan”, but today’s versions are far more advanced. Ransomware as a service (RaaS) allows cybercriminals to sell or lease ransomware tools, making attacks more accessible. Major ransomware families over the past few years have included LockBit, BlackCat (ALPHV), and Cl0p, all of which caused mayhem.

Over time, tactics have evolved from simple encryption to double extortion, where attackers also threaten to leak stolen data. Some even use triple extortion, adding DDoS threats or direct harassment of victims.

Recent ransomware attacks – and who was targeted

Ransomware groups are constantly evolving. In 2025, Cl0p, Scattered Spider, Qilin, and Akira were among the most active and many smaller groups also emerged.

One of the most noteworthy examples of ransomware in recent years is the attack on Jaguar Land Rover that happened in September 2025, which became the most financially damaging cyber attack in UK history. Over 5,000 organizations in the JLR supply chain were impacted.

LockBit has remained a dominant threat despite a global law enforcement crackdown in 2024, continuing to target organizations worldwide.

Cybercriminals are increasingly targeting critical infrastructure, financial institutions, and government agencies. The UK’s National Cyber Security Centre (NCSC) has described ransomware as “one of the most acute and pervasive cyber threats to UK organizations”.

Worryingly, state-sponsored ransomware attacks are also on the rise, with nation-backed hacking groups using ransomware as a tool for geopolitical disruption. The CRINK nations (China, Russia, Iran, and North Korea) are often behind such groups.

At the same time, cybercriminals are increasingly using AI-driven automation to scale attacks, making them more efficient and harder to detect. The rise of double and triple extortion tactics has made modern ransomware attacks even more destructive.

Should I pay the ransom?

Security experts have repeatedly urged organizations not to pay ransoms, as this funds continued activity by threat groups. Nevertheless, some businesses opt to pay up in the hope that they can quietly recover their data. It’s hard to capture exact numbers regarding ransomware payments, as firms don’t always report when they make the payments.

Paying does not guarantee results: in February 2024, United Healthcare paid a $22 million ransom to the BlackCat ransomware group after a data breach. However, BlackCat disbanded shortly after the payment, and the stolen data was leaked anyway, proving that ransom payments do not always prevent further damage.

Ransomware payments are now at a record low, with payment rates at 28% according to recent Chainalysis data.

Cyber criminals have also increased their use of double and triple extortion tactics, encrypting files while also threatening to leak data, launch DDoS attacks, or harass victims. Some firms, believing they can handle ransomware payments strategically, underestimate long-term consequences such as regulatory fines, reputational damage, and future targeting.

So far, the best defense against ransomware is prevention and response readiness.

Organizations should implement regular software updates, phishing awareness training, zero trust security models, and offline backups to prevent data loss. If attacked, companies should disconnect infected systems, report to authorities, and seek decryption tools rather than paying ransoms.

The UK government has reinforced its stance against ransom payments, recently banning payments for critical infrastructure and public services to discourage cybercriminal activity.

Ransomware remains one of the most persistent and damaging cyber threats, affecting businesses, critical infrastructure, and individuals worldwide. While attacks continue to evolve, recent trends show a decline in ransom payments as organizations become more resistant to extortion.

Increased law enforcement action, better cybersecurity defenses, and stricter policies have contributed to this shift. However, ransomware groups continue to refine their tactics, using double and triple extortion methods to pressure victims into paying. As long as ransomware remains profitable, cybercriminals will continue targeting vulnerable systems.

The best defense against ransomware is a proactive approach that combines strong security measures with a well-prepared incident response strategy.

Businesses should invest in cybersecurity training, implement zero trust security models, and maintain regular offline backups to reduce the risk of data loss. If an attack occurs, experts strongly advise against paying ransoms, instead recommending reporting incidents to authorities and using available decryption tools.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.
