The top ransomware trends for businesses in 2025

A splintering of top groups and changing attitudes toward payments are changing attacker tactics at speed

The ransomware landscape is changing rapidly as new arrests are made and prolific groups are taken down. Some things remain the same, such as the constant stream of ransomware attacks.

But several new trends are emerging, such as the fragmentation of the ransomware ecosystem, while major groups like the DragonForce ransomware-as-a-service (RaaS) operation are making headlines following retail breaches against M&S and the Co-op.

Following on from ITPro’s look at the top new ransomware groups to look out for, here are the biggest ransomware trends in 2025 so far.

Persistence of RaaS and changes in the ecosystem

It’s been around for a while, but the ransomware-as-a-service (RaaS) model remains a dominant force in the cyber threat landscape, according to experts. Despite large law enforcement operations targeting groups including LockBit and BlackCat, RaaS has not disappeared, says David Dunn, EMEA head of the cybersecurity practice at FTI Consulting.

Dunn tells ITPro the crackdown on major RaaS operations has resulted in a “notable splintering” of the ransomware ecosystem. “The era where two or three RaaS operators controlled the majority of incidents appears to be over – at least for now. The distinction between initial access brokers, affiliates and core operators has become increasingly blurred.”

This has led to a more fragmented, but “still very active” threat environment, he says.

With the decline of major RaaS groups, numerous smaller operations such as Akira, DragonForce, and Qilin have stepped in to fill the void, says Dunn. “Their tactics tend to be more aggressive and less constrained by the traditional norms that previously deterred attacks on certain sectors such as healthcare.”

Data encryption on the decline

Traditionally, ransomware attacks see adversaries encrypt the data they steal, forcing firms to pay up if they want to get business back up and running. But companies are getting wise to this and as a result, backups are improving.

This is driving cybercriminals to change tactics. The data breach aspect of ransomware is becoming the prominent method to extort victims – rather than offers to decrypt data, says David Sancho, senior threat researcher at Trend Micro. “It used to be the case that the victim would pay a ransom for data decryption, but this is less common now. Instead, the victims tend to have better data backups.”

Changing financial impact

Ransom payment bans are being mooted in multiple countries, and this is already starting to have an impact on the number of firms actually paying up.

Although the overall rate of ransom payments has declined, possibly due to better preparedness and insurance changes, the average ransom amount has steadily increased through 2025, says Dunn. This suggests that while fewer victims are paying, those who do are facing higher financial demands.

In general, payment of ransoms has continued to drop year on year, says Gavin Knapp, cyber threat intelligence principal lead at Bridewell. “This is potentially linked to increased legislation around ransomware and tougher sanctions being placed on ransomware and cybercrime related entities.”

This is supported by Chainalysis data from February 2025, showing a 35% overall decrease in total volume of ransom payments, which the firm attributed to stronger action by law enforcement, international collaboration, and greater hostility to paying on the part of victims.

Lone wolf attacks and vulnerabilities

Ransomware attacks are traditionally carried out by groups, but a new trend is seeing so-called “lone wolves” operating in the market. There is a growing threat of ransomware attacks carried out by individuals or very small groups, says Allan Liska, a threat intelligence analyst at Recorded Future. “The lone wolves eschew the traditional RaaS model and operate independently in a bid to fly under the radar of the authorities.”

The number of lone wolves, or individual ransomware affiliates going it alone, has steadily increased over the past 18 months, says Knapp. He thinks this could be due to the fear of becoming the victim of an exit scam, where the RaaS operation ends without paying the affiliates their share. “The prevalence of leaked tools and RaaS source code has also made it much easier for attackers to go it alone or stand-up their own ransomware group.”

Attackers are increasingly taking advantage of unpatched software to launch ransomware attacks. Groups such as Cl0p and Termite have become proficient in exploiting internet-facing software and services, says Knapp. “Performing vulnerability research and developing or acquiring exploits for software gives them the ability to compromise a large number of victims in one campaign, which increases the likelihood of receiving a bigger payout.”

The more time attackers can spend inside systems undetected, the more damage they can cause. It is with this in mind that groups and affiliates continue to spend time and resources on being able to evade endpoint detection and response (EDR) tools, says Knapp. “Numerous tools have emerged that allow ransomware groups to disable or blindside detection,” he explains. “These tools take advantage of native software features to disable or blunt their capabilities, while others leverage vulnerable drivers to be able to terminate EDR processes.”

There’s a thriving underground market on the dark web. Credentials to EDR consoles or testing services are openly bought and sold on forums and private messaging platforms, says Jim Walter, senior threat researcher at SentinelLABS. “We’re seeing services pop up where adversaries can even trial their ransomware against real-world defences in semi-private labs.”

Ransomware is constantly evolving, but there are steps firms can take to prevent and mitigate attacks.

With adversaries taking advantage of unpatched vulnerabilities to compromise systems, it’s important to prioritize patching of public-facing devices, urges Brandon Tirado, director of threat research at ReliaQuest.

At the same time, reinforce multifactor authentication (MFA) with additional controls and require verification for reset requests, says Tirado. “Social engineering is one of the oldest hacking techniques, yet it remains highly effective. IT help desks with weak verification processes can be exploited to bypass MFA through simple reset requests.”

Overall, mitigating ransomware should be a company-wide effort. An effective means of defence is making sure employees know what they are up against, says Liska. “Regular staff training, updates and alerts can help keep staff vigilant against evolving threats.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.