Ransomware Landscape Shift in 2025
The ransomware threat landscape has entered a transformative phase in 2025, according to a recent report by Google. Historically, the business model relied heavily on file encryption and ransom payments. However, economic pressures have compelled ransomware operators to reevaluate their strategies. Key indicators show a significant drop in ransom payments and demands, leading to an evolution in tactics among threat actors.
Declining Ransom Payments and New Strategies
In the last quarter of 2025, ransom payment rates plummeted to unprecedented lows, according to data from Coveware. Sophos highlighted a substantial decrease in average ransom demands, which fell from $2 million in 2024 to $1.34 million in 2025. Nearly half of victims were able to restore systems from backups in 2024, compared to just 11% in 2022, which has further diminished the leverage of ransomware groups.
Despite these challenges, threat actors are not retreating but instead are adapting their methods. They are focusing on more sophisticated extortion techniques that are less reliant on encryption, making it harder for organizations to fend off such attacks.
Google’s Findings on Ransomware Trends
Google Cloud’s Threat Intelligence Group (GTIG) has been at the forefront of analyzing these shifts. Led by experts including Bavi Sadayappan and Zach Riddle, the team identified REDBIKE as the most prevalent ransomware family in 2025. REDBIKE accounted for nearly 30% of all attacks, surpassing previous leaders like LOCKBIT and ALPHV.
Major disruptions within the ransomware ecosystem have also been noted. Law enforcement actions and internal conflicts have weakened prominent RaaS operations like LockBit and ALPHV. However, new players such as Qilin and Akira have emerged, targeting smaller organizations with less robust defenses.
Data Theft as a Primary Extortion Method
A notable trend in 2025 is the rise of data theft as a main strategy for extortion. GTIG’s analysis revealed data exfiltration in approximately 77% of ransomware attacks, a significant increase from 57% the previous year. Attackers are now exfiltrating sensitive data before deploying encryption, threatening to release the information if demands are not met.
Tools like Rclone and WinRAR have been frequently used to transfer stolen data, with platforms like MEGA and Azure serving as destinations. Organizations are advised to employ strong data loss prevention (DLP) measures and monitor unusual file transfers closely to mitigate these threats.
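One way to monitor for the pattern described above is to correlate archive staging with a later remote transfer on the same host. The sketch below is an added example, not code from the GTIG report: the event fields, host names and the remote names `mega:` and `azure:` are assumptions, and the sample events are constructed.

```python
import re
import shlex
from ntpath import basename

# rclone subcommands that push data to a remote
RCLONE_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
# rclone "name:path" remote; 2+ name characters so a drive letter (C:\) is not matched
REMOTE = re.compile(r"^:?[A-Za-z0-9_-]{2,}(,[^:]*)?:(?!//)")
ARCHIVERS = {"rar.exe", "winrar.exe"}

EVENTS = [  # constructed process-creation events, not real telemetry
    {"host": "fs01", "ts": 1000, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmd": r'Rar.exe a -hpExample -r D:\stage\fin.rar "D:\Shares\Finance"'},
    {"host": "fs01", "ts": 1900, "image": r"C:\ProgramData\svchost.exe",  # renamed rclone
     "cmd": r"svchost.exe copy D:\stage\fin.rar mega:backup --transfers 8"},
    {"host": "ws07", "ts": 1200, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'WinRAR.exe x "C:\Users\a\Downloads\photos.rar"'},
    {"host": "ws09", "ts": 1300, "image": r"C:\Tools\rclone.exe",
     "cmd": r"rclone.exe sync C:\Users\b\Docs azure:archive"},
]

def classify(event):
    """Return 'stage', 'transfer' or None for one process-creation event."""
    try:
        argv = shlex.split(event["cmd"], posix=False)  # keep Windows backslashes
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = event["cmd"].split()
    args = [a.strip('"') for a in argv[1:]]
    image = basename(event["image"]).lower()
    # Archiver creating ("a") a password-protected archive (-p / -hp switch)
    if (image in ARCHIVERS and args[:1] == ["a"]
            and any(a.lower().startswith(("-hp", "-p")) for a in args)):
        return "stage"
    # Match on arguments, not the image name, so a renamed rclone is still caught
    for i, a in enumerate(args):
        if a.lower() in RCLONE_VERBS and any(REMOTE.match(b) for b in args[i + 1:]):
            return "transfer"
    return None

def correlate(events, window=3600):
    """Hosts where staging is followed by a remote transfer within `window` seconds."""
    last_stage, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind == "stage":
            last_stage[ev["host"]] = ev["ts"]
        elif kind == "transfer" and ev["host"] in last_stage:
            if ev["ts"] - last_stage[ev["host"]] <= window:
                hits.append((ev["host"], last_stage[ev["host"]], ev["ts"]))
    return hits
```

Argument-based matching is a heuristic and will need tuning against legitimate backup jobs that use the same tools.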
Outlook and Recommendations
Given the shift in ransomware strategies, organizations should prioritize strengthening their cybersecurity measures. Implementing comprehensive DLP controls and maintaining visibility into endpoint activities are crucial steps. Staying informed on the latest trends and threats will help in preparing for future challenges in the cyber landscape.
