SonicWall, Fortinet and Palo Alto Networks: Google Warns Ransomware Groups Are Pivoting To Data Theft As Profits Decline

Ransomware Landscape Shifts in 2025 as Cybercriminals Pivot to Data Extortion

Google Threat Intelligence’s 2025 ransomware report reveals a major transformation in cybercriminal tactics, driven by declining profits from traditional encryption-based attacks. With organizations improving their defenses, nearly half of victims restored systems from backups in 2024, and ransom payment rates hit a historic low by 2025. The average ransom demand also dropped by a third, falling from $2 million in 2024 to $1.34 million.

The ransomware ecosystem has faced significant disruptions, including law enforcement crackdowns and internal conflicts that dismantled prominent groups like LockBit, ALPHV, Basta, and RansomHub. These upheavals forced cybercriminals to adopt stricter vetting processes for affiliates. Despite these challenges, the threat landscape remains active, with groups like Qilin and Akira filling the void. Data-leak site posts surged by nearly 50% in 2025, with the REDBIKE ransomware family accounting for 30% of analyzed incidents.

Attackers continue to exploit vulnerabilities in firewalls and VPNs, particularly in products from Fortinet, SonicWall, and Palo Alto, which were used in a third of 2025 intrusions. Virtualization infrastructure, such as ESXi hypervisors, has become a prime target, involved in 43% of attacks (up from 29% the previous year). Cybercriminals are also adopting cross-platform ransomware and leveraging AI for victim analysis, while decentralized Web3 networks help shield their operations.

As profits shrink, the report warns of a potential rise in aggressive extortion tactics in 2026.

Source: https://cyberpress.org/ransomware-shifts-to-data-theft/

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet

SonicWall cybersecurity rating report: https://www.rankiteo.com/company/sonicwall

Palo Alto Networks cybersecurity rating report: https://www.rankiteo.com/company/palo-alto-networks

"id": "FORSONPAL1773829502",
"linkid": "fortinet, sonicwall, palo-alto-networks",
"type": "Vulnerability",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': ['Exploiting vulnerabilities in firewalls and VPNs',
                   'Virtualization infrastructure (ESXi hypervisors)',
                   'Cross-platform ransomware'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_publicly_disclosed': '2025',
 'description': 'Google Threat Intelligence’s 2025 ransomware report reveals a '
                'major transformation in cybercriminal tactics, driven by '
                'declining profits from traditional encryption-based attacks. '
                'With organizations improving their defenses, nearly half of '
                'victims restored systems from backups in 2024, and ransom '
                'payment rates hit a historic low by 2025. The average ransom '
                'demand also dropped by a third, falling from $2 million in '
                '2024 to $1.34 million. The ransomware ecosystem has faced '
                'significant disruptions, including law enforcement crackdowns '
                'and internal conflicts that dismantled prominent groups like '
                'LockBit, ALPHV, Basta, and RansomHub. These upheavals forced '
                'cybercriminals to adopt stricter vetting processes for '
                'affiliates. Despite these challenges, the threat landscape '
                'remains active, with groups like Qilin and Akira filling the '
                'void. Data-leak site posts surged by nearly 50% in 2025, with '
                'the REDBIKE ransomware family accounting for 30% of analyzed '
                'incidents. Attackers continue to exploit vulnerabilities in '
                'firewalls and VPNs, particularly in products from Fortinet, '
                'SonicWall, and Palo Alto, which were used in a third of 2025 '
                'intrusions. Virtualization infrastructure, such as ESXi '
                'hypervisors, has become a prime target, involved in 43% of '
                'attacks (up from 29% the previous year). Cybercriminals are '
                'also adopting cross-platform ransomware and leveraging AI for '
                'victim analysis, while decentralized Web3 networks help '
                'shield their operations. As profits shrink, the report warns '
                'of a potential rise in aggressive extortion tactics in 2026.',
 'impact': {'data_compromised': True,
            'systems_affected': ['Firewalls',
                                 'VPNs',
                                 'Virtualization infrastructure (ESXi '
                                 'hypervisors)']},
 'lessons_learned': 'Organizations are improving defenses, leading to lower '
                    'ransom payment rates. Cybercriminals are shifting to data '
                    'extortion and exploiting virtualization infrastructure. '
                    'Law enforcement crackdowns have disrupted prominent '
                    'ransomware groups, but new groups are emerging.',
 'motivation': ['Financial gain', 'Data extortion'],
 'post_incident_analysis': {'root_causes': ['Exploiting vulnerabilities in '
                                            'firewalls and VPNs',
                                            'Targeting virtualization '
                                            'infrastructure (ESXi hypervisors)',
                                            'Use of cross-platform '
                                            'ransomware']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': '$1.34 million (average in 2025)',
                'ransomware_strain': ['LockBit',
                                      'ALPHV',
                                      'Basta',
                                      'RansomHub',
                                      'Qilin',
                                      'Akira',
                                      'REDBIKE']},
 'recommendations': 'Enhance backup and recovery strategies. Patch '
                    'vulnerabilities in firewalls, VPNs, and virtualization '
                    'infrastructure. Monitor for cross-platform ransomware and '
                    'AI-driven attacks. Prepare for potential aggressive '
                    'extortion tactics.',
 'references': [{'source': 'Google Threat Intelligence’s 2025 ransomware '
                           'report'}],
 'threat_actor': ['LockBit',
                  'ALPHV',
                  'Basta',
                  'RansomHub',
                  'Qilin',
                  'Akira',
                  'REDBIKE'],
 'title': 'Ransomware Landscape Shifts in 2025 as Cybercriminals Pivot to Data '
          'Extortion',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Fortinet vulnerabilities',
                             'SonicWall vulnerabilities',
                             'Palo Alto vulnerabilities']}