10 Things You Need to Know About Ransomware in 2025
Ransomware is a type of malicious software that threat actors use to commit criminal extortion. And in 2024, those of us following ransomware trends saw an especially dynamic year. Early in the year, law enforcement operations disrupted stability and instilled paranoia in deep and dark web (DDW) marketplaces. This led to a notable shift in threat actors’ actions.
ZeroFox Intelligence observed at least 4,950 separate ransomware and digital extortion (R&DE) incidents in 2024. That's significantly more than the previous year. And as that number accounts primarily for incidents in which a victim has either failed to pay or remains in negotiations with the attacker, the true number is almost certainly significantly higher.
In this article, we’ll cover the top ten things you need to know about ransomware in 2025 based on our team’s findings. If you’re looking for a full report and overview of ransomware in the past year, check out the ZeroFox Intelligence Assessment: 2024 Ransomware and Digital Extortion Overview.
What You Need to Know About Ransomware Today
1. The Attack Surface is Growing, Causing Increased Risk
Both enterprises and individuals have a substantial digital attack surface, which continues to grow in 2025. Think about the rapid uptake and integration of technologies, like cloud networking services and internet of things (IoT) devices, as well as the increase in remote working arrangements. This expansion creates a vast attack surface for threat actors to exploit with ransomware in 2025.
2. Law Enforcement Activities Have Changed the Threat Landscape
In late 2023 through early 2024, law enforcement operations disrupted any stability enjoyed by long-standing malicious actors. This was especially notable with LockBit: the most prominent threat actor collective in 2023 accounted for a significantly smaller proportion of R&DE activity in 2024 because of those disruption operations. The operations also instilled a level of paranoia in DDW marketplaces, which led to a shift in threat actor tactics, techniques, and procedures (TTPs).
3. North America is the Most-Targeted Region
Over the past year, North America saw an average of approximately 58 percent of global R&DE attacks. Though numbers fluctuated by month, considering the long-term trend, North America was consistently the most-targeted region. Clearly, threat actors perceive North America as a region with an abundance of lucrative, high-payoff potential targets.
4. Opposition to “Western” Geopolitics is a Major Threat Actor Motivation
The increasingly complex geopolitical environment is intertwined with threat actor motivations. Many R&DE threat actors are based in regions that are opposed to “Western” geopolitics, international presence, and domestic activities. As mentioned above, North America is a major target. And threat actors could continue to perceive North America-based entities as fitting targets for ransomware in 2025.
5. The Manufacturing Industry is the Most-Targeted Industry
Much of the time, threat actors seek and exploit vulnerabilities across any organization using the affected software regardless of industry. However, the manufacturing industry accounted for approximately 17.7 percent of attacks globally last year. Together with retail, construction, professional services, healthcare, and technology, these industries have consistently been amongst the six most-targeted since as early as 2021.
6. New R&DE Collectives Are Flourishing
By the end of 2024, the greatest R&DE threat to organizations was posed by a largely different slate of collectives than seen at the same time in 2023. ZeroFox identified 45 new R&DE collectives during 2024, compared to 35 in 2023. And the growing number isn’t the only thing that’s changed. Many of these collectives moved more rapidly, were more consistent, and posed a prominent threat faster than those in previous years.
7. A Larger Number of Collectives Are Responsible for Global Incidents
As new R&DE collectives have come into prominence, R&DE incident attribution has also diversified. During 2023, 50 percent of global R&DE incidents were attributed to just five collectives. And 75 percent of incidents could be attributed to 14 collectives. However, during 2024, 50 percent of global R&DE incidents were attributed to eight collectives, with 20 collectives responsible for 75 percent of global incidents.
8. RansomHub is the Prominent Threat Actor to Watch
Accounting for approximately 10 percent of all R&DE incidents ZeroFox observed in 2024, RansomHub very likely poses a greater threat to organizations across the globe than any other R&DE threat collective. Following the collective’s initial observation in February 2024 (a month in which it conducted approximately five separate attacks), RansomHub went on to exhibit a sharp upward trajectory in attack tempo. This peaked in November 2024, with at least 97 attacks.
9. There is a Perceived Low Risk of Extradition and Prosecution for Threat Actors using Ransomware in 2025
You might ask yourself, why are R&DE attacks on the upswing? Despite diligent and proactive international law enforcement efforts, for threat actors perpetrating these cybercrimes, there is a continued perceived low risk of extradition and prosecution. The increasingly widespread use of cryptocurrencies has further enabled malicious activity, offering threat actors both anonymity and laundering options.
10. Much of R&DE Activity Remains Opportunistic
As prepared as you likely are (you’re taking the time here to do your research), and while location and industry are factors, much of R&DE activity is opportunistic. Threat actors continue to seek and exploit vulnerabilities across any organization using the affected software regardless of industry. Extortion collectives also rely heavily on initial access brokers, so they will leverage whatever illicit network access can be brokered to them.
Looking Ahead to the R&DE Landscape in 2025
As in previous years, ZeroFox Intelligence assesses it likely that Q1 2025 will see a slight reduction in R&DE activity compared to Q4 2024. However, 2025 will very likely be a prolific year for digital extortion. Prominent threat collectives continue to establish continuity, attract affiliates, and leverage the services offered by increasingly professionalized DDW forums, services, and marketplaces. Both new and existing collectives will almost certainly continue to test new TTPs during 2025 with the goal of increasing the chance that ransom demands are met.
Combat Ransomware in 2025 With Tips from ZeroFox Intelligence
- Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege.
- Implement network segmentation to separate resources.
- Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
- Leverage cyber threat intelligence to inform detection of R&DE threats and their associated TTPs and Indicators of Compromise (IOCs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site or cloud servers at least once per year—and ideally more frequently.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management system and ensure all business IT assets are updated with the latest software as quickly as possible.
- Proactively monitor for compromised accounts being brokered in DDW forums.
- Configure ongoing monitoring for Compromised Account Credentials.
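To make the email hardening tip concrete: the "authentication protocols to prevent spoofed emails" are, in practice, SPF and DMARC records published in DNS, and the common failure mode is publishing them in a non-enforcing form (an SPF record ending in `+all` or `~all`, or a DMARC policy of `p=none`) that receivers treat as advisory. The script below is an added example, not ZeroFox's code or part of the report; it assumes SPF and DMARC are the protocols the tip refers to and grades record strings against the rules in RFC 7208 and RFC 7489. The domains and TXT records are constructed for illustration and were not looked up anywhere; to check your own domains, feed in the output of `dig TXT example.com` and `dig TXT _dmarc.example.com`.

```python
"""Grade SPF and DMARC TXT records: are they actually enforcing, or only advisory?"""
import re

# Constructed sample TXT records for hypothetical domains; none of these
# values come from a real DNS lookup.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps these at 10 per check.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record):
    """Return (enforcing, findings) for one SPF TXT record string."""
    findings = []
    if not record:
        return False, ["no SPF record: receivers cannot reject forged sender hosts"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return False, ["record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208: the default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceeds the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_qualifier in "~?":
        findings.append(f"'{all_qualifier}all' only soft-fails or neutrals unlisted hosts")
    enforcing = all_qualifier == "-" and lookups <= 10
    return enforcing, findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (enforcing, findings) for one DMARC TXT record string."""
    findings = []
    if not record:
        return False, ["no DMARC record: SPF/DKIM results are never tied to the From: domain"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= tag ({policy!r})")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unenforced")
    try:
        pct = int(tags.get("pct", "100"))    # RFC 7489 default is 100
    except ValueError:
        pct = 0
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: only that share of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to spot abuse")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return enforcing, findings


def assess_domain(records):
    """Combine the SPF and DMARC checks for one domain's {'spf': ..., 'dmarc': ...}."""
    spf_ok, spf_findings = assess_spf(records.get("spf"))
    dmarc_ok, dmarc_findings = assess_dmarc(records.get("dmarc"))
    return {
        "spf_enforcing": spf_ok,
        "dmarc_enforcing": dmarc_ok,
        "findings": [f"SPF: {f}" for f in spf_findings]
                    + [f"DMARC: {f}" for f in dmarc_findings],
    }


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = assess_domain(records)
        print(f"{domain}: spf_enforcing={result['spf_enforcing']} "
              f"dmarc_enforcing={result['dmarc_enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The design choice worth noting is that `p=none` and `pct<100` are graded as non-enforcing even though both are valid records: a domain in that state is publishing the policy that attackers spoofing it would prefer. Rolling out `p=quarantine` and then `p=reject` at `pct=100`, with `rua=` reports reviewed along the way, is the end state this tip is asking for.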
Note: All sources used in this post were identified prior to 9:00 AM (EST) on January 8, 2025. For the full report with additional data, see the ZeroFox Intelligence Assessment: 2024 Ransomware and Digital Extortion Overview.
Maddie Bullock
Content Marketing Manager
Maddie is a dynamic content marketing manager and copywriter with 10+ years of communications experience in diverse mediums and fields, including tenure at the US Postal Service and Amazon Ads. She's passionate about using fundamental communications theory to effectively empower audiences through educational cybersecurity content.