Ransomware Report 2025: Resilience in an AI-Driven Threat Landscape

Ransomware has solidified as the top cybersecurity threat of this decade. The Akamai Ransomware 2025 Report reveals an increasingly complex landscape, where the convergence of cybercrime, hacktivism, and artificial intelligence is redefining digital extortion tactics.

In 2024, ransomware attacks grew by 37% and accounted for 44% of global data breaches, with particularly high peaks in Asia-Pacific (51% of incidents) and notable impacts in Europe (27%) and Latin America (29%).


The role of AI and LLMs in new ransomware

Groups like FunkSec and Black Basta have integrated generative artificial intelligence (GenAI) and large language models (LLMs) to enhance their campaigns:

  • Automated creation of malicious code and ransomware variants.
  • Negotiation chatbots that interact directly with victims.
  • Hyper-realistic phishing and vishing impersonating corporate identities.
  • Use of emerging tools like WormGPT and FraudGPT, democratizing the ability to launch advanced attacks without extensive technical expertise.

The clear consequence is a rise in scale, sophistication, and attack frequency.


From double to quadruple extortion

The report details how attacker tactics have evolved:

  1. Simple extortion: data encryption and ransom demand.
  2. Double extortion: additional threat to leak stolen information.
  3. Triple extortion: pressure on third parties (employees, partners, customers) or DDoS attacks to force payment.
  4. Quadruple extortion: leveraging regulatory frameworks against the victim by reporting alleged violations to official agencies.

A prime example is CL0P, which claimed 385 attacks in a few weeks in February 2025, setting a record. Meanwhile, Black Basta reached over 120,000 attack attempts in a single week, and LockBit remains active despite law enforcement operations, with ongoing rebrands and reactivations.


RaaS ecosystem: ransomware as a service

The Ransomware-as-a-Service (RaaS) business model has transformed the landscape. Today, actors with limited technical knowledge can launch sophisticated campaigns using ready-made kits.

The ecosystem includes:

  • Developers creating and updating malware.
  • Affiliates executing attacks and negotiating ransoms (taking up to 90% of profits).
  • Initial access brokers (IABs) selling access to vulnerable corporate networks.

This model, akin to legitimate software industries, has democratized ransomware and expanded its reach exponentially.


Hacktivism and ransomware: a blurred line

An emerging phenomenon is the convergence of financial cybercrime and ideological hacktivism. Groups like DragonForce, KillSec, and CyberVolk use ransomware not just for financial gain but also to fund political campaigns or destabilize governments.

Simultaneously, groups such as Head Mare, Twelve, and NullBulge have adopted ransomware as a tool for political and social disruption, leveraging even leaked versions of LockBit to target online communities, AI developers, and gaming platforms.


TrickBot: an old enemy still active

The report features TrickBot, linked to Wizard Spider and active since 2016. Originally a banking trojan, it now serves as a modular platform used as an initial vector in ransomware campaigns.

TrickBot has facilitated extortion worth over $724 million in cryptocurrency. Despite international operations by Europol and Eurojust in 2025 (Endgame 2.0), it continues to demonstrate resilience and capacity to regenerate.


Most affected sectors in 2025

Ransomware affects all sectors, but some are particularly impacted:

  • Manufacturing: over 400 companies affected in early 2025, with average recovery costs of $1.7 million.
  • Healthcare: average ransom of $860,000 and daily downtime losses of $1.9 million.
  • Public administration: attacks in the U.S., Brazil, and Indonesia caused essential service disruptions and multimillion-dollar demands.
  • Education: schools and universities with outdated systems are easy targets; ransoms of up to $1.5 million have been recorded.

Costs and operational continuity

The damage extends well beyond paying the ransom:

  • Average downtime of 21 days post-attack.
  • Typical recovery costs in 2024: around $2.73 million, excluding ransom payments.
  • Impact on reputation, customer trust, and regulatory compliance (GDPR, HIPAA).
  • Risk of permanent closure for companies without solid continuity plans.

How to boost resilience

The report advocates a multi-layered mitigation framework:

  • Zero Trust Architecture: microsegmentation to prevent lateral movement.
  • Secure, tested backups: isolated from the main network.
  • Real-time AI-based detection: capable of countering attacker speed.
  • Perimeter and API security: protecting against zero-day vulnerabilities.
  • Continuity and cyber insurance plans: increasingly common, with global premiums projected to reach $23 billion by 2026.

The key message: adopt a mindset of “assuming compromise”—believe the attack will happen and prepare the organization to resist and recover swiftly.


Conclusion

Ransomware in 2025 is more sophisticated, industrialized, and diversified than ever before. The rise of AI has lowered entry barriers and increased attack effectiveness. The only effective response for companies, governments, and organizations is to enhance resilience, combining prevention with early detection, and accepting that total defense is no longer feasible.

The challenge isn’t just avoiding an attack but surviving it without the organization failing.


Frequently Asked Questions (FAQs)

What is quadruple extortion in ransomware?
It’s a tactic where, beyond encrypting data, stealing information, and threatening DDoS, attackers pressure victims by reporting supposed regulatory violations (such as GDPR or HIPAA) to authorities, amplifying damage.

Which groups are most active in 2025?
CL0P, LockBit, Black Basta, FunkSec, and RansomHub lead the list, with hybrid hacktivist groups like DragonForce and KillSec also prominent.

Why is ransomware as a service (RaaS) discussed?
Because many groups sell or rent ransomware kits on the dark web, enabling affiliates without extensive technical skills to run campaigns and share profits.

What measures help resist ransomware attacks?
Zero Trust, microsegmentation, isolated backups, business continuity plans, and AI-powered detection solutions are among the strategies most recommended in the 2025 Akamai report.

More information at Akamai.
