REDBIKE: Google Warns Ransomware Actors Are Shifting Tactics as Profits Fall and Data Theft Rises

Ransomware Landscape Shifts in 2025 as Threat Actors Adapt to Declining Payments

The ransomware ecosystem underwent significant transformation in 2025, as financial pressures forced threat actors to evolve their tactics. Once a lucrative criminal model, ransomware operations faced historic lows in payment rates and average demands, driven by improved victim recovery efforts. According to CoveWare, ransom payment rates hit a record low in Q4 2025, while Sophos reported a one-third drop in average ransom demands from $2 million in 2024 to $1.34 million in 2025. Nearly half of victims successfully restored data from backups in 2024, up from just 11% in 2022, undermining the leverage attackers rely on for extortion.

Google Cloud’s Threat Intelligence Group (GTIG), analyzing Mandiant incident response data across Asia Pacific, Europe, North America, and South America, identified REDBIKE as the most prevalent ransomware family in 2025, accounting for nearly 30% of observed attacks, surpassing the previous leaders LOCKBIT and ALPHV, which each held 17% in 2023. The ransomware-as-a-service (RaaS) market also saw major disruptions, with law enforcement dismantling operations like LockBit, ALPHV, Basta, and RansomHub. However, groups like Qilin and Akira quickly filled the void, contributing to a 50% increase in victim posts on data leak sites compared to 2024.

A notable shift in targeting emerged, with threat actors increasingly focusing on smaller organizations with weaker security postures, rather than large enterprises. GTIG warned that declining ransom profits could push some actors toward alternative revenue streams, such as phishing campaigns or secondary monetization of compromised infrastructure.

Data theft emerged as a dominant extortion tactic, with 77% of ransomware intrusions in 2025 involving confirmed or suspected exfiltration, a sharp rise from 57% in 2024. Attackers frequently stole sensitive files before encryption, threatening to leak them even if victims restored systems from backups. Common exfiltration tools included Rclone (28% of incidents), WinRAR (23%), FileZilla, WinSCP, and cloud platforms like MEGA, OneDrive, and Azure. Targeted data often included legal documents, HR records, accounting files, and business development materials, chosen to maximize negotiation leverage.

The findings underscore a more aggressive and adaptive ransomware threat landscape, where financial pressure drives innovation in extortion methods and targeting strategies.

Source: https://cybersecuritynews.com/google-warns-ransomware-actors-are-shifting/

Redbike Software cybersecurity rating report: https://www.rankiteo.com/company/redbike-software

"id": "RED1773771855",
"linkid": "redbike-software",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': ['Asia Pacific',
                                     'Europe',
                                     'North America',
                                     'South America'],
                        'type': ['Small organizations', 'Enterprises']}],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Legal documents',
                                              'HR records',
                                              'Accounting files',
                                              'Business development '
                                              'materials']},
 'date_detected': '2025',
 'date_publicly_disclosed': '2025',
 'description': 'The ransomware ecosystem underwent significant transformation '
                'in 2025, as financial pressures forced threat actors to '
                'evolve their tactics. Once a lucrative criminal model, '
                'ransomware operations faced historic lows in payment rates '
                'and average demands, driven by improved victim recovery '
                'efforts. Threat actors shifted focus to smaller organizations '
                'with weaker security postures and increasingly used data '
                'theft as an extortion tactic. The ransomware-as-a-service '
                '(RaaS) market saw disruptions, with law enforcement '
                'dismantling major operations, but new groups emerged to fill '
                'the void.',
 'impact': {'data_compromised': 'Sensitive files including legal documents, HR '
                                'records, accounting files, and business '
                                'development materials'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Improved backup strategies and recovery efforts reduced '
                    'ransomware leverage, but threat actors adapted by '
                    'shifting to data theft and targeting smaller '
                    'organizations. The RaaS market remains resilient despite '
                    'law enforcement disruptions.',
 'motivation': ['Financial gain', 'Data extortion'],
 'post_incident_analysis': {'root_causes': ['Declining ransom payments due to '
                                            'improved backup strategies',
                                            'Law enforcement disruptions of '
                                            'major RaaS operations',
                                            'Shift in targeting to smaller '
                                            'organizations with weaker '
                                            'security']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': '$1.34 million (average in 2025)',
                'ransom_paid': 'Record low payment rates in Q4 2025',
                'ransomware_strain': ['REDBIKE',
                                      'LOCKBIT',
                                      'ALPHV',
                                      'Qilin',
                                      'Akira']},
 'recommendations': ['Strengthen backup and recovery strategies',
                     'Enhance monitoring for data exfiltration tools (e.g., '
                     'Rclone, WinRAR, FileZilla)',
                     'Improve security postures for smaller organizations',
                     'Prepare for alternative extortion tactics beyond '
                     'encryption'],
 'references': [{'date_accessed': '2025', 'source': 'CoveWare'},
                {'date_accessed': '2025', 'source': 'Sophos'},
                {'date_accessed': '2025',
                 'source': 'Google Cloud’s Threat Intelligence Group (GTIG)'},
                {'date_accessed': '2025',
                 'source': 'Mandiant incident response data'}],
 'response': {'recovery_measures': 'Nearly half of victims restored data from '
                                   'backups'},
 'threat_actor': ['REDBIKE',
                  'LOCKBIT',
                  'ALPHV',
                  'Qilin',
                  'Akira',
                  'LockBit',
                  'Basta',
                  'RansomHub'],
 'title': 'Ransomware Landscape Shifts in 2025 as Threat Actors Adapt to '
          'Declining Payments',
 'type': 'Ransomware'}