
In this blog we will uncover the state of the current ransomware landscape and discuss how monitoring tools can help reduce the threat of attack.
Ransomware on the rise
The frequency of ransomware attacks has risen. In 2024 we saw an 11 percent rise in the number of listed ransomware victims versus 2023. And, when it comes to the number of active ransomware groups posting victims, there was an increase of 38 percent – creating a more complex landscape for security professionals to monitor.
In this increasingly busy landscape, it becomes even more vital for organizations to actively apply threat intelligence to inform their defenses.
With almost a hundred active ransomware groups in 2024, it is not enough for organizations to simply be aware of the gangs out there. They need to start to be discerning – narrowing down the groups that are most likely to impact them based on their activity and victimology. They then have to gather intelligence on their capabilities, tactics, techniques, and procedures (TTPs), and tools – and apply these learnings to their defensive measures.
In this blog we will dissect the current ransomware landscape and provide insights into what organizations can do to mitigate the risk of the threat.
The continuous threat of ransomware
Last year was marked by a major shift in the top ransomware groups. Some of the usual suspects such as BlackCat and Cl0p have dropped out of the top ranking, replaced by newer ransomware operations. It is noteworthy that, of the five top ransomware groups of the year, only LockBit has been active for more than three years. Incredibly, RansomHub – the most prolific group of the year – only emerged in February 2024.
While it could be argued that this is part of a long-standing tradition of new groups replacing the old (after all LockBit itself took the top spot vacated by Conti), another divergence this year is the rate at which new groups are emerging – which vastly outpaces the rate at which old groups are disappearing. According to our data, 24 ransomware groups ceased operation between 2023 and 2024. However, 49 new ransomware groups began posting victims for the first time last year. The result is a total of 94 ransomware groups that listed ransomware victims in 2024, a 38 percent increase on 2023 (68 groups).
The increase in the number of active ransomware groups has resulted in an 11 percent increase in the number of total victims posted in 2024 (5,728) compared to 2023 (5,081). As ever, it should be remembered that these are only the victims that ransomware groups have elected to list on their leak sites, and that figure is almost certainly far smaller than the total number of organizations impacted by ransomware last year. As seen in our data, this trend is the reverse of what we observed mid-year, when we recorded an increase in ransomware groups but fewer victims.
Unfortunately, while there was a decrease in ransomware activity in the first half of 2024 (likely caused by major law enforcement action against LockBit), the total victim count more than rebounded in the second half of the year.
That is not to say that law enforcement action is futile. LockBit’s 2024 victim count (less than half that of 2023) shows that Operation Cronos had an unquestionable impact on its output. It is also very likely that BlackCat’s retirement was at least partly motivated by the coordinated disruption it experienced in late 2023 and the public example law enforcement made of LockBit. LockBit and BlackCat were the first and second most active ransomware groups of 2023, which shows an impressive drive by international law enforcement to go after the biggest players.

However, what the total results do show us is that ransomware capabilities are becoming more and more accessible in the criminal underground, leading to an increased number of smaller groups in operation. This creates challenges for security professionals, who have a more complex and dynamic ransomware landscape to make sense of and defend against.
Mitigate the threat of ransomware gangs
The ransomware landscape has become larger and more complex, necessitating a closer focus on threat intelligence from security teams.
When preparing for specific threats, security teams need to focus on the most likely adversaries. It is near impossible to prepare for dozens of ransomware groups at once, but if security teams can narrow it down to the four or five who target their industry, geography, or peers, and really understand how they launch their attacks, they can get ahead of those who are most likely to target them.
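The narrowing step described above can be sketched as a scoring pass over leak-site postings. This is an added example, not code from the original post: the group names and postings are constructed, and the match weights and 90-day half-life are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed leak-site postings (not real data):
# (group, victim sector, victim country, date listed)
POSTINGS = [
    ("group-a", "healthcare", "US", date(2024, 12, 1)),
    ("group-a", "healthcare", "DE", date(2024, 11, 15)),
    ("group-a", "retail", "US", date(2024, 10, 1)),
    ("group-b", "manufacturing", "FR", date(2024, 12, 10)),
    ("group-b", "manufacturing", "FR", date(2024, 12, 5)),
    ("group-b", "finance", "UK", date(2024, 11, 20)),
    ("group-c", "healthcare", "US", date(2024, 3, 1)),
    ("group-c", "healthcare", "US", date(2024, 2, 1)),
    ("group-d", "healthcare", "GB", date(2024, 12, 20)),
    ("group-d", "education", "US", date(2024, 12, 15)),
]

def rank_groups(postings, sector, country, today, half_life_days=90, top_n=5):
    """Rank groups by how closely their recent victims resemble our organization."""
    scores = defaultdict(float)
    for group, v_sector, v_country, listed in postings:
        # Victimology: sector overlap is weighted above geography (assumed weights).
        match = 2.0 * (v_sector == sector) + 1.0 * (v_country == country)
        if match == 0:
            continue  # this victim tells us nothing about our own exposure
        # Activity: a posting loses half its weight every half_life_days,
        # so dormant groups fall down the list even with a matching history.
        age_days = max((today - listed).days, 0)
        scores[group] += match * 0.5 ** (age_days / half_life_days)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [(group, round(score, 2)) for group, score in ranked[:top_n]]

if __name__ == "__main__":
    # Profile of the defending organization (assumed): US healthcare provider.
    for group, score in rank_groups(POSTINGS, "healthcare", "US", date(2024, 12, 31)):
        print(f"{group}: {score}")
```

In this sample, group-c has two exact sector-and-country matches but ranks last because both postings are about ten months old, while group-b never appears because none of its victims resemble the profile.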
Ransomware monitoring tools with actionable insights modules allow security professionals to monitor ransomware group activity on the dark web. These tools give investigators and analysts access to continuously updated intelligence on a ransomware gang’s latest tactics, known members, and victims, giving organizations visibility into which groups are most likely to attack their business so they can take defensive action.