Ransomware is the name given to a specific kind of malicious software that is designed to lock victims out of their systems or encrypt their data, making them inaccessible, after which attackers will demand a hefty ransom in exchange for restored access of for the decryption key.
Ransomware spreads in much the same way as other types of malware; through compromised websites, vulnerabilities in the software and, of course, phishing emails. It can pose a serious threat to organizations of all sizes and industries due to the way it operates, which includes disrupting operations, causing data loss, and potentially leading to financial and reputational damage.
In this article, we will explore key statistics and emerging trends in the world of ransomware, looking into the current state of the market, how ransomware-as-a-service works, the groups and strategies used, and how ransomware is impacting organizations today. Understanding more about ransomware and how it functions in today’s cyber landscape is useful for taking steps to preemptively protect yourself against it.
General Market Statistics
- In 2025, the market size for ransomware protection is estimated at $25.3 billion USD
- This is projected to reach $61.8 billion by 2030 with a CAGR of 19.5%
- By region, North America holds the largest share of the ransomware protection market. Europe also has a relatively high share of this market
- The following factors have been identified as drivers of the ransomware protection market:
- Increased company digitization, especially for critical industries (which are attractive targets)
- Rise of more advanced malware strains and Ransomware-as-a-Service (RaaS) schemes
- Prevalence of cryptocurrency, which is the type of payment threat actors typically ask for due to its – untraceable nature
How Ransomware-as-a-Service works
Ransomware-as-a-Service (RaaS) has become a viable attack model in recent years. This type of setup isn’t too far off from how most lawful SaaS vendors work, and it involves two main parties:
- Operators – develop and support malware / ransomware tools. Typically have more technical expertise. Main benefit for them is being able to make money from others carrying out attacks on their behalf instead of having to seek out targets manually.
- Affiliates – launch ransomware attacks on targets using tools developed by other people. Typically have less technical expertise. Main benefit for them is the ability to make money from ransom payments without needing to build their own tools from scratch.
Under this scheme, affiliates will compensate operators for access to their tools. Possible arrangements can include up-front payment, monthly subscriptions, or a percentage of the ransom on successful attacks. In return, operators may also provide their affiliates with technical support and other resources.
Ransomware Groups And Strategies
Bitisight’s State of the Underground 2025 report provides a deep dive into the ever shifting and increasingly complex cybercrime landscape, offering actionable insights and analysis.
- Ransomware attacks rose by almost 25% in 2024, and the number of ransomware group leak sites rose by 53%.
- Data breaches posted on underground forums increased by 43%, with US organizations making up nearly 20% of total breaches.
- 384 unique varieties of malware were sold in 2024, an increase from 349 in 2023.
- Compromised credit cards for sale rose nearly 20% in the past year, due exclusively to a surge in US cards.
- Research from Check Point has found that in Q1 of 2025, 74 distinct ransomware groups publicly claimed victims on Data Leak Sites (DLS). These groups collectively reported 2,289 victims, which was more than double the number (1,011) disclosed in the same period last year. This is a year-over-year increase of 126%.
- The most prolific ransomware actor during this time was Cl0p. They are especially known for a campaign that revolved around exploiting new zero-days in Cleo managed file transfer products. The next most active ransomware groups were RansomHub and Babuk-Bjorka.
- 55% of all reported ransomware victims were in the United States.
- Some ransomware groups may have regional preferences for who they target. The Medusa group has a higher activity rate relative to the rest of the world in the UK. The group Safepay has a higher relative activity rate in Germany. The vast majority of Cl0p’s targets are in the US.
- CheckPoint has identified the following factors driving the tactics of ransomware groups:
- Resources such as AI-assisted tools and leaked ransomware code making it easier for less experienced ransomware developers to join in
- Smaller ransomware groups scrambling to grab power after larger groups (ALPHV / BlackCat, LockBit, etc.) have faced significant operational disruptions (data leaks, arrests, domain seizures, etc.)
- LockBit faced a major breach in May of 2025, defacing their website and exfiltrating their data. Strained relationships between RaaS operators and affiliates
- After ALPHV’s / BlackCat’s $22 million ransomware attack on Change Healthcare, there was a major dispute after one of the affiliates was not paid their share of the ransom. This ended up being an exit scam ultimately signaling the group’s downfall.
Impacts Of Ransomware On Organizations
- According to research from Veeam, the average ransomware payment in Q1 of 2025 was $552,777 USD, while the median ransom payment at this time was $200,000.
- Over the past six quarters, the rate of companies that do pay ransoms has fluctuated between 25% and 35%.Organizations will normally pay ransoms for one of two reasons:
- To get access to decryption keys if their data is encrypted
- To prevent their organization’s data from being leaked online if it’s not encrypted
- The industries targeted most often for ransomware are healthcare (15.4% of cases), professional services (14.4%), and the public sector (12.5%).
- Verizon’s 2025 Data Breach Investigations Report found that ransomware was present in 44% of all the breaches reviewed. 64% of the victim organizations did not pay the ransoms, which was up from 50% two years ago.
To learn more about Ransomware, why not check out the following articles from Expert Insights?
