Ransomware in 2025–2026: Evolving Threats, Rising Costs, and High-Profile Attacks
Ransomware remains a critical threat to governments, businesses, and critical infrastructure, disrupting healthcare, fuel distribution, retail, and identity security. Financial and operational impacts have intensified, with attackers refining tactics to maximize damage and extortion.
Key Ransomware Trends
- Supply Chain Attacks – Threat actors increasingly target software vendors to compromise multiple downstream victims. Notable incidents include:
  - 2023 MOVEit Transfer breach (Clop ransomware gang)
  - 2021 Kaseya attack (1,500+ MSP customers affected)
  - 2020 SolarWinds hack
- Triple Extortion – Beyond encrypting data and threatening leaks, attackers now demand payment to prevent additional attacks. The Vice Society group used this tactic in its 2023 attack on San Francisco’s BART system. Leading ransomware groups like LockBit 5.0 now use private negotiation portals for targeted extortion.
- Ransomware-as-a-Service (RaaS) – Cybercriminals lease pre-built ransomware tools and infrastructure, lowering the barrier to entry for attacks.
- Exploiting Unpatched Systems – While zero-day vulnerabilities draw attention, most ransomware exploits known flaws in outdated software.
- Phishing & AI-Driven Attacks – Phishing remains a primary infection vector, while generative AI enhances social engineering lures, reconnaissance, and attack automation.
Ransomware by the Numbers (2025)
- 44% of breaches involved ransomware (Verizon 2025 DBIR), a 37% increase from 2024.
- 88% of SMB breaches included ransomware, compared to 39% in large enterprises.
- 34% rise in attacks in the first three quarters of 2025 (Total Assure).
- 5,010 U.S. incidents in the first 10 months of 2025, a 50% increase from 2024 (Cyble).
- 85% of attacks go unreported (BlackFog).
- Median ransom payment: $267,500 (Palo Alto Networks 2025).
- Average ransom payment: $1 million (Sophos 2025), down from $2 million in 2024.
- Average insurance claim: $292,000 (Coalition 2025), a 7% decrease from 2024.
Notable 2024–2025 Ransomware Attacks
- PowerSchool (Dec. 2024) – Exposed data of 62M students and 9.5M teachers across North America.
- Yale New Haven Health (Mar. 2025) – Compromised 5.6M patient records; settled a class-action lawsuit for $18M.
- NASCAR (Apr. 2025) – Medusa ransomware gang stole 1TB of data and demanded $4M.
- DaVita (Apr. 2025) – 2.7M patients’ health data exposed by Interlock ransomware.
- Marks & Spencer (May 2025) – Pay2Key ransomware disrupted operations, contributing to a 90% profit drop.
- Ingram Micro (Jul. 2025) – SafePay ransomware caused service disruptions and revenue losses.
- Change Healthcare (2024) – Initially reported 100M+ victims; revised to 193M by mid-2025.
- LoanDepot (2024) – Attack disrupted loan services for 16.6M customers.
- MGM Resorts & Caesars Entertainment (2023) – High-profile attacks crippled Las Vegas casino operations.
Future Ransomware Predictions
- AI-Powered Automation – Attacks will become faster, more persistent, and harder to detect (Trend Micro).
- Voice-Based Vishing – AI-generated calls will rise as a social engineering tactic (Zscaler).
- Encryption-Free Extortion – More groups will skip encryption, relying solely on data theft threats (SentinelOne).
- GenAI-Enhanced Phishing – AI will enable more convincing, large-scale phishing campaigns.
Ransomware shows no signs of slowing, with attackers leveraging AI, supply chain vulnerabilities, and multi-layered extortion to escalate both frequency and impact.
Source: https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts