For over a decade, ransomware has remained one of the more pernicious cybersecurity problems that CISOs and their security teams face. Over the years, these cyber threats have damaged organizations’ infrastructure and networks, led to personal data leaks and allowed cybercriminals to pocket millions in ransom from victims.
Ransomware attacks have also forced CISOs and security leaders to rethink their defense strategies. In turn, these changes require new skills and training for cybersecurity professionals.
New research suggests, however, that the nature of ransomware and the tactics used by criminal groups are changing. Specifically, while attacks continue to increase, ransom payouts have begun to slowly decrease. Researchers believe several factors, including improved incident response, increased regulatory pressure and law enforcement actions, have contributed to these trends.
A February report by Chainalysis, a blockchain research firm, helps illustrate this trend. The firm’s research found that in 2025, ransomware gangs collected about $820 million in on-chain payments – an 8 percent year-over-year decline compared to 2024. Over the same period, the number of reported attacks increased by 50 percent.
The Chainalysis report is also supported by other research that reached similar conclusions:
- A report by security firm Ontinue, which analyzed data from the second half of 2024 and the first quarter of 2025, found that ransomware attacks surged 132 percent despite a 35 percent drop in payments. With fewer ransomware payments, cybercriminals are shifting their strategies to compensate for the growing number of organizations that have strengthened their security posture.
- A survey posted by ransomware response firm Coveware, based on cases it investigated, found that the number of organizations that paid a ransom for any reason dropped from 25 percent at the end of 2024 to 20 percent at the end of last year.
These reports point to a changing cybercriminal landscape in which ransomware gangs are adapting their extortion and other schemes to continue profiting from these attacks.
“Ransomware today is best understood not as isolated attacks, but rather as an interconnected marketplace of access, infrastructure, and monetization services. In 2025, total on-chain payments remained relatively stagnant even as claimed attacks increased and median ransom sizes rose,” according to the Chainalysis report. “At the same time, coordinated law enforcement actions and sanctions increasingly targeted the infrastructure layer – including bulletproof hosting providers – increasing costs across both cybercrime syndicates and state-linked actors.”
Cybersecurity experts note that ransomware gangs and the cybercriminal ecosystem they support are evolving in an attempt to counter these security trends and keep their lucrative schemes going. This is why security and IT teams need to continuously adjust their approach and skill sets.
“Ransomware groups are evolving their tactics beyond phishing to include interactions with IT teams to elicit information to improve access, SaaS-based attacks, and even studying file-transfer technology for rapid exploitation and double extortion methods,” Nathaniel Jones, vice president for security and AI strategy and field CISO at security firm Darktrace, told Dice. “For IT administrators and practitioners, it is vital to prioritize your vulnerability management program and establish possible attack paths across your estate to prevent unauthorized access. This includes applying best practices across the business and wider IT teams.”
For cybersecurity pros, experts recommend studying new research and updating skills in order to rethink defensive strategies, understand the evolving attack surface and modernize security programs, for example by deploying zero trust principles.
Why Paying Ransom Demands Doesn’t Pay
While payments are down, the research makes clear that ransomware and cybercriminal gangs can still inflict significant damage. The Chainalysis report points to a 2025 incident that stopped production at Jaguar Land Rover and caused about $2.5 billion in damage. Another attack that targeted kidney dialysis company DaVita Inc. led to the exposure of 2.7 million patient records and the loss of 1.5 TB of clinical data.
While paying ransom was once seen as a way to end an attack, experts note that over the last several years, organizations have seen fewer and fewer reasons to pay, especially since paying does not guarantee cybercriminals will return data. Giving in to ransom demands only perpetuates a cycle of criminal leverage and broken promises, said Heath Renfrow, co-founder and CISO of Fenix24, who added that the results of paying attackers include:
- Data leaking anyway – sometimes months later – as extortion groups double-dip or sell the data despite prior agreements
- A return visit from the same threat actor, who now knows the organization is willing to pay
- The emergence of third-party victimization, where clients, partners or students are individually targeted
“Paying may provide a short-term illusion of control, but it undermines long-term recovery and resilience,” Renfrow told Dice. “Instead, the better path is investing in immutable backups, hardening identity infrastructure, and accelerating restoration timelines so organizations don’t have to choose between business survival and ethics. Remember: trusting cybercriminals is a losing bet.”
With fewer organizations willing to pay, cybercriminal gangs have turned to other techniques. For example, the growth of ransomware-as-a-service marketplaces creates greater opportunities for threat actors: they no longer need to extract ransom payments to profit, because they can use subscription models to generate revenue from their ransomware development and deployment, Jones said.
“We have also seen ransomware tactics move away from traditional encryption-centric ransomware tactics toward more sophisticated and advanced extortion methods,” Jones added. “Rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.”
This surge in ransomware attacks, coupled with aggressive extortion tactics, reflects a critical transformation in the threat landscape and reinforces the industry view that ransomware has shifted toward extortion rather than simple data encryption.
“Despite the evolution in attack objectives, the underlying techniques for obtaining initial access remain largely constant,” Neko Papez, senior manager for cybersecurity strategy at Menlo Security, told Dice. “While the end goal may be data extortion or encryption, the browser remains the primary attack surface, and a robust browser security strategy is essential to prevent these highly evasive threats from ever reaching the endpoint.”
Ransomware Changes Require New Skills
With ransomware attacks increasing, payments decreasing and cybercriminals changing tactics, cybersecurity pros must also adjust their skill sets and knowledge base to keep up and remain relevant as the career market shifts.
Trey Ford, chief strategy and trust officer at Bugcrowd, noted that regardless of the type of ransomware used in an attack, foundational security controls still matter, and cyber pros need to understand them.
“Knowing your total attack surface and testing your environment with an eye toward efficient remediation is key. Enterprise controls, including visibility such as logging and endpoint detection and response, and hardening through privileged account management, careful inventory of service accounts and multi-factor authentication for domain administration and remote access, are paramount,” Ford told Dice.
Other experts also note that understanding and mastering issues such as identity and privileged access can further strengthen cyber professionals’ defensive capabilities.
“To effectively deal with ransomware and other threats, we need to invest in shifting left and think more about securing identities and access to reduce our attack surface and blast radius in the event of compromise, rather than thinking post-breach,” James Maude, field CTO at BeyondTrust, told Dice. “Ransomware and other threats are only as effective as the privileges and access they manage to acquire, so if we can implement better hygiene and focus on least privilege, then threat actors are far less likely to ransom us in the first place.”
While artificial intelligence has dominated cybersecurity discussions, many industry leaders believe that using zero trust principles remains the most effective strategy to prevent a ransomware attack or at least detect an incident early enough to limit damage.
“A zero-trust security model with data backups will limit exposure if a cyberattack occurs. Additionally, strong authentication and encryption measures on the front end will help prevent a data breach,” Darren Guccione, CEO and co-founder at Keeper Security, told Dice. “IT professionals need to consider the security of their third-party vendors, as a vendor breach can have significant downstream effects, which the schools affected by this attack are experiencing firsthand.”
Beyond immediate remediation, organizations should also focus on strengthening access controls, enforcing phishing-resistant multi-factor authentication and ensuring all accounts use strong, unique passwords that are stored in an encrypted password manager.
“Implementing a zero-trust security model with privileged access management, where every login attempt is verified and administrative privileges are tightly controlled, can reduce the risk of future attacks and greatly diminish the impact if a successful attack occurs,” Guccione added.