
Top Ransomware Statistics and Recent Ransomware Attacks [2025]
- 7 minutes to read
Table of Contents
What Is Ransomware?
Ransomware is a type of malicious software that encrypts files or locks users out of their systems, demanding a ransom payment to restore access. It targets both individuals and organizations, often causing significant operational and financial damage.
Once ransomware infects a system, it typically begins encrypting files using strong encryption algorithms. Victims then receive a message explaining how to pay a ransom, usually in cryptocurrency, to get a decryption key. Some variants also threaten to leak stolen data if the ransom is not paid.
Ransomware spreads through phishing emails, malicious attachments, compromised websites, or vulnerabilities in exposed systems. Modern strains often include features like network propagation, allowing them to spread across connected devices quickly.
This is part of a series of articles about Information Security
Key Ransomware Statistics in 2025
Ransomware attacks continued to escalate in 2025, both in volume and complexity:
- Coalition, an active insurance provider, noted that the average ransomware insurance claim rose 68% to $353,000.
- According to Cyble, the number of reported ransomware incidents in the U.S. increased by 149% year over year in the first five weeks of 2025, with 378 attacks compared to 152 during the same period in 2024.
- BlackFog also identified a surge, noting 92 disclosed incidents in January 2025 alone—a 22% increase over the previous year—and identified 32 distinct ransomware groups operating during that period.
- 92% of industries recognized ransomware as a primary threat, based on Verizon’s 2024 Data Breach Investigations Report.
- Sophos found that 59% of organizations experienced ransomware attacks in 2024.
- Chainalysis estimated that ransomware payments reached $813.55 million in 2024.
- Sophos reported that average ransom payments jumped from $400,000 in 2023 to $2 million in 2024.
New Tactics and Vulnerabilities
Attackers are also using more aggressive tactics. Triple extortion methods—where data is encrypted, exfiltrated, and then used to threaten public exposure—have been increasingly adopted by threat groups like Vice Society. Supply chain attacks have expanded the blast radius of individual compromises, as seen in high-profile incidents involving Progress Software’s MoveIt Transfer and the SolarWinds and Kaseya breaches.
Finally, phishing remains the dominant entry point. The rise of generative AI has made it easier for attackers to craft convincing phishing lures, contributing to the increase in successful initial access. Ransomware as a service (RaaS) has also lowered the barrier for entry, enabling more actors to participate using prebuilt toolkits and infrastructure.
The State of Ransomware Attacks
Recent ransomware attacks have been relentless, with widespread impact across industries. Threat actors caused major service disruptions, data breaches, and operational shutdowns. Here are key incidents and the damage they caused:
RansomHub attacks:
- Breached MetLife’s Latin American division, claiming 1TB of exfiltrated data.
- Targeted American Standard, alleging the theft of 400GB of corporate data.
- Hit Community Health Northwest Florida, disrupting patient services and stealing 68GB of sensitive data.
- Infiltrated the Musicians Institute, claiming 1TB of stolen data including invoices and personal documents.
Healthcare sector hits:
- Richmond University Medical Center: Attack affected 670,000+ individuals; major service outages followed.
- Sunflower Medical Group: Rhysida claimed 3TB of data, including IDs, insurance cards, and databases.
- Excelsior Orthopaedics: Monti ransomware gang compromised data of 357,000 people.
- BayMark Health Services: RansomHub claimed 1.5TB of stolen patient and staff data.
- Hospital El Cruce: Medusa stole 760GB of medical data and demanded $200,000 in bitcoin.
Education sector disruptions:
- PowerSchool: Massive breach impacted 6,505 school districts; attackers claimed data on over 62 million students and 9.5 million teachers.
- Addison Northwest School District: Servers taken offline; ThreeAM claimed responsibility.
- Riverdale Country School: RansomHub claimed 42GB of data theft with a five-day ransom deadline.
- South Portland Public Schools: Attack forced network shutdown, affecting operations.
Government and municipal targets:
- Slovakia’s Land Registry Office: Ransomware crippled critical public services.
- Montréal-Nord Borough: Rhysida threatened to auction stolen government files if a $1 million ransom wasn’t paid.
- South African Weather Service: RansomHub caused system outages over multiple days.
- City of West Haven: Qilin claimed breach; city’s systems were shut down and partially restored.
Major corporate breaches:
- Stark Aerospace: INC group claimed to steal 4TB of military and engineering data, including UAV design files.
- DEphoto (UK): Omid16B exfiltrated customer photos, credit card data, and 555,000+ personal records.
- Peikko Group (Finland): Akira claimed 30GB of internal documents, HR records, and financial data.
- Mission Bank (California): RansomHub claimed theft of 2.7TB of employee and customer financial data.
Other notable incidents:
- City Bank PLC (Bangladesh): Funksec exploited a session flaw to access client financial statements.
- Telefónica (Spain): Hellcat infiltrated Jira systems, stealing 500,000 internal records and employee data.
- Avery Products Corporation: Breach impacted over 60,000 individuals; credit card and personal data stolen.
- Thomas Cook India: Ransomware attack disrupted IT systems; investigation ongoing.
In my experience, here are tips that can help you better stay ahead of the ransomware threat landscape in 2025:
- Use identity-first segmentation instead of network-only controls: Move beyond basic network segmentation by segmenting based on user identity and role. Contextual access enforcement (based on identity, risk, and behavior) ensures better containment when ransomware hits identity-linked services like SharePoint or cloud drives.
- Pre-stage gold images for rapid bare-metal recovery: When ransomware hits infrastructure, full reinstallation might be faster than cleanup. Maintain hardened, signed base images for all critical systems—including hypervisors and management consoles—for rapid bare-metal redeployment.
- Use canary documents with telemetry for breach detection: Seed fake documents such as financial spreadsheets or HR files across key shares. Monitor access and exfiltration attempts using embedded beacons or behavioral SIEM event triggers that correlate identity, behavior, and access timing. This provides early indicators of attacker reconnaissance without relying on an XDR platform which may only see the issue on the endpoint with limited remediation capabilities.
- Monitor shadow IT and SaaS usage for exfiltration vectors: Attackers increasingly use cloud storage accounts such as MEGA or Dropbox for data exfiltration. Use CASB tools or secure web gateways with app discovery, and correlate that telemetry in the SIEM with user behavior, risk context, and identity attributes. This enables earlier detection and response without requiring an extended detection platform.
- Track anomaly in backup system telemetry, not just success rates: Monitor for sudden spikes in backup job sizes, missing backup logs, or delayed backup windows. These behaviors can indicate pre-encryption staging activity or lateral movement. Use behavioral analytics in the SIEM to correlate these signals with identity access and timeline anomalies across the environment for faster detection and containment.
How to Protect Against Ransomware in 2025
Here are some of the main ways that organizations can protect themselves from ransomware attacks.
1. Implement a Zero Trust Architecture
A zero trust model treats every request as potentially hostile, regardless of origin. It requires strict identity verification, device validation, and context-aware access policies. Identity must be validated through multi-factor authentication (MFA), ideally with phishing-resistant methods like FIDO2 or hardware tokens.
Devices should be checked for compliance—such as endpoint protection status, OS patch level, and location—before access is granted. Use network segmentation to isolate workloads, and enforce policy-based access via software-defined perimeters. Continuous monitoring is crucial: analyze session behavior in real time and revoke access when anomalies are detected.
2. Maintain Thorough Backup Strategies
Effective backups require more than regular snapshots. Encrypt backups at rest and in transit to prevent tampering, and store them in physically and logically isolated locations—preferably in WORM (write once, read many) formats or air-gapped environments. Diversify the company’s backup types: use full, differential, and incremental backups to optimize recovery speed and storage efficiency.
Implement automated backup verification routines that check file integrity, hash consistency, and restoration feasibility. Document and rehearse full restore scenarios across operating systems, databases, and virtual environments. Also ensure that backup systems themselves are hardened and not reachable from standard enterprise networks or AD domains targeted by ransomware actors.
3. Deploy Advanced Threat Detection Tools
Ransomware actors move fast, often encrypting systems within hours of initial access. To counter this, use tools that provide deep visibility into endpoint, network, and cloud activity.
SIEM platforms with behavioral analytics should be used to flag behaviors like rapid file renaming, bulk file access, and unexpected privilege escalation.
Use deception technologies (honeypots or decoy files) to detect lateral movement. Behavior-based SIEM tools should monitor for signs of command and control (C2) traffic, anomalous data transfers, and lateral SMB scanning. Integrate SIEM with SOAR platforms to allow automated containment, like disabling accounts, blocking IPs, or isolating machines, all without requiring bundled XDR.
Learn more in our detailed guide to threat hunting
4. Ensure Comprehensive Patch Management
Prioritize patching based on threat intelligence, CVSS scores, and exploit availability. Maintain a real-time inventory of all hardware, software, and firmware in the environment. Apply patches in structured waves: test in sandboxed environments, deploy in pilot groups, then expand to production.
For high-risk CVEs exploited in the wild, accelerate patch cycles and apply out-of-band fixes if necessary. Legacy systems that can’t be patched should be isolated using VLANs, firewall rules, and access proxies. Use configuration management tools like Ansible, SCCM, or Chef to enforce and audit baseline security settings. Track failed patch deployments and implement rollback plans to handle instability without leaving systems exposed.
5. Strengthen Email and Communication Security
Phishing is still the primary vector for ransomware. Use secure email gateways with AI/ML filtering, sandboxing, and threat intelligence integration. Apply URL rewriting and click-time protection to delay access to malicious links. Implement user-level threat detection to monitor interactions with phishing content and adapt training accordingly.
Limit external forwarding, enable email encryption, and disable macros by default in office documents. Communication platforms like Teams and Slack should also be monitored—ransomware groups increasingly use these to propagate internally. Train staff on incident reporting procedures, and reward early identification to build a strong reporting culture.
6. Develop and Test an Incident Response Plan
Build a ransomware-specific incident response playbook that includes detailed runbooks for common scenarios like endpoint encryption, exfiltration, or backup compromise. Include contact trees, legal notification timelines, and cryptocurrency payment decision protocols (if policy allows). Store hard copies and offline versions in case primary systems are inaccessible.
Conduct quarterly incident simulations involving IT, legal, compliance, and executive teams to test the plan under real-time pressure. Log and review each test’s outcomes to identify delays, confusion, or missing steps. Work with cyber insurance providers to align response processes with policy requirements, and ensure forensic and containment procedures are approved.
7. Engage in Threat Intelligence Sharing
Proactive defense requires access to the latest adversary tactics. Subscribe to multiple sources of threat intelligence, including commercial feeds (e.g., Mandiant, Recorded Future), government advisories (e.g., CISA, ENISA), and open-source projects (e.g., Abuse.ch, MalwareBazaar). Normalize and correlate data using STIX/TAXII protocols for integration into SIEM platforms.
Use TTPs and IOCs to hunt for threats within the environment. Participate in sector-specific forums like FS-ISAC, H-ISAC, or InfraGard to exchange insights with peers facing similar threats. Share anonymized incident data when possible—it helps the broader ecosystem prepare and may result in faster mitigation advice from vendors and partners.
Ransomware Protection with Exabeam
Exabeam enables early detection and fast response to ransomware by analyzing user and entity behavior across the entire environment. Instead of relying on static indicators or predefined rules, Exabeam applies advanced analytics to detect anomalies that signal the early stages of an attack. This includes unusual privilege changes, lateral movement, suspicious access to backup systems, and abnormal file activity.
The platform automatically builds timelines that connect related events, giving analysts the full context of an incident without manual correlation. Security teams can quickly see how an attack unfolded and take informed action.
Exabeam integrates with your existing tools including EDR, CASB, identity systems, and backup infrastructure. It enriches that data with behavioral insights and automates response through playbooks in the SIEM. This approach helps organizations stop ransomware without needing to adopt vendor-specific XDR platforms, giving them flexibility and control while improving detection coverage and response time.
Ultimately with the Exabeam New-Scale platform, customers have reported up to a 60% reduction in alerts, investigation times reduced by up to 80%, and the ability to respond to incidents like ransomware attacks are 50% faster than with other solutions. Automated threat timelines and behavioral analytics provide instant context, reducing manual effort and surfacing critical incidents more efficiently. With seamless integration, pre-built detections, and intuitive workflows, Exabeam helps organizations improve security outcomes, reduce operational costs, and potentially respond to threats in under an hour.
More Information Security Explainers
Learn More About Exabeam
Learn about the Exabeam platform and expand your knowledge of information security with our collection of white papers, podcasts, webinars, and more.
-
White Paper
Breaking the Rules: When Static Detection Logic Reaches Its Limits, What’s Next?
-
Blog
What’s New with New-Scale in October 2025: Measurable, Automated, Everywhere Security Operations
- Show More