Full Report
Smaller crews piled in as old names splintered and rebranded

Ransomware payments cratered in 2025, but it seems like the cybercrooks launching the attacks didn't get the memo.…
Analysis Summary
# Incident Report: 2025 Ransomware Surge Amid Payment Decline
## Executive Summary
The year 2025 saw a significant surge in ransomware attacks, making it the most active year on record for claimed victims, despite an 8% year-over-year decrease in total on-chain ransom payments collected by threat actors. This points to a fragmentation of threat groups ("smaller crews splintered and rebranded"), higher median ransom demands, and a thriving market for initial network access that sets up future incidents.
## Incident Details
- Discovery Date: Throughout 2025 (Report published Feb 2026)
- Incident Date: Primarily during Calendar Year 2025
- Affected Organization: Numerous organizations globally, including high-profile targets like Jaguar Land Rover (implied impact)
- Sector: Manufacturing, Financial Services, Professional Services, Government, Critical Infrastructure (US), Supply Chains/Logistics (CA, DE)
- Geography: Global focus, heavily targeting Developed Economies (US leads, followed by Canada, Germany, UK, Western Europe)
## Timeline of Events
### Initial Access
- Date/Time: Varies throughout 2025; spikes often preceded by IAB activity by ~30 days.
- Vector: Sale of pre-existing network footholds by Initial Access Brokers (IABs).
- Details: IABs facilitated access, with recorded on-chain payments exceeding $14 million in 2025, suggesting a highly commercialized entry point for ransomware affiliates.
### Lateral Movement
- Details: Not explicitly detailed, but the jump in victim counts suggests successful enterprise penetration following initial access purchases.
### Data Exfiltration/Impact
- Date/Time: Throughout 2025
- Details: Increased use of extortion involving publicizing data (leak site pressure rose). The overall volume of attacks increased by 50% YoY in claimed victims.
### Detection & Response
- Date/Time: Varies per incident.
- Details: 72% of victims did *not* pay the ransom in 2025 (the payment rate dropped to 28%). This implies either that victims detected the intrusion and recovered without paying, or that the threat actor groups were seen as too unreliable for a payment to be worthwhile.
## Attack Methodology
*Note: Specific techniques are inferred from the context of the ransomware ecosystem described.*
- Initial Access: Purchase of footholds from Initial Access Brokers (IABs).
- Persistence: Not explicitly detailed, but necessary for successful encryption/exfiltration.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Not explicitly detailed, but implied success given the 50% rise in successful claims.
- Credential Access: Not explicitly detailed.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed.
- Collection: Implied data collection leading to data leak site exposure/extortion.
- Exfiltration: Implied data exfiltration associated with double/triple extortion tactics.
- Impact: Data encryption (ransomware) and public disclosure/shaming (leak sites).
## Impact Assessment
- Financial: Total payments fell to $820 million (8% YoY decrease), but the median demand jumped significantly from $12,738 (2024) to $59,556 (2025).
- Data Breach: Increased number of organizations subjected to data exposure/extortion pressure across all major sectors in the US.
- Operational: Increased operational disruption due to the highest volume of attacks ever recorded.
- Reputational: Significant reputational hits evidenced by highly publicized incidents (e.g., Jaguar Land Rover implied incident).
## Indicators of Compromise
*Note: No specific IoCs were provided in the article, only contextual behavioral patterns.*
- Network indicators: Spikes in IAB payment transactions often precede US victim leak posts by ~30 days.
- File indicators: N/A
- Behavioral indicators: Significant volume increase in public ransomware attacks; observed shifts in threat group composition (fragmentation/rebranding).
## Response Actions
- Containment measures: Not detailed; the 72% of victims who declined to pay implies that containment and recovery without payment were commonly achievable.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed; the report implies that organizations relying on backups, or those that paid reduced amounts, were able to recover their data.
## Lessons Learned
- The ransomware ecosystem is pivoting from major named groups to smaller, opportunistic actors utilizing specialized entry points (IABs).
- Reduced willingness to pay does not equal reduced threat; volume of attacks increased dramatically.
- The commercialization of initial access (the IAB market) is a major precursor to ransomware events.
## Recommendations
- Invest heavily in threat intelligence focusing on IAB activity and early warning signs, as this access is being readily packaged and sold.
- Enhance detection capabilities to manage higher volumes of distinct (though potentially less sophisticated) threat groups.
- Review incident response plans to account for the high likelihood of encryption/extortion, given that the majority of victims are refusing payment.