Surviving the Ransomware Gauntlet: A Test of Resilience
Edited by Maria Vlasak
It’s not just hacktivists “sticking it to the man” anymore — skiddies and ransomware crime groups alike have gathered around this party and are definitely venturing forth.
The ransomware reality check
2025 has been a banner year for ransomware and we’ve still got five months to go. 🫠 It has wreaked havoc on retailers throughout the United Kingdom, ravaged various healthcare institutions in Asia-Pacific, wrecked Latin America’s government, and “schooled” education systems in North America.
Ransomware remains a highly lucrative business model for crime groups, hacktivists, and skiddies alike — even if their motives differ greatly. (I mean, ransomware groups have extorted a total of US$724 million in cryptocurrency using strains linked to TrickBot alone. Yikes.)
Not to be a lag lady, but it’s kinda bleak out there. Ransomware groups are not only leaning into multiple extortion methods to ensure their payout, but they’re also getting very specific with their targeting, which increases their threat XP pretty significantly. Multiple groups can target a single organization simultaneously — and, if your company is global, the threat can be global, too.
To make matters worse, the groups are terribly clever with their evasion mechanisms, both technologically and in dodging law enforcement. Ever-changing group names and associations make it 🎶tricky to stop the crime🎶.
Meet extortion with resilience
However, the real R word to focus on in 2025 and beyond is resilience. Creating a culture of resilience by being agile and by focusing on quick threat identification, remediation, and recovery is the way to keep yourself from being fleeced by these digital criminals.
The average number of days of downtime after getting popped by ransomware is old enough to pop champagne: 21. And 21 days is long enough to cause severe economic and reputational damage — and even threaten lives if the victim is a healthcare organization.
Respond rationally
Assuming a breach is the only rational response to today’s ransomware threat. (Heh, rational. Another R word. Rational ransomware response requires resilience. Alliteration is advantageous, y’all. 🤓)
It’s not all doom and gloom, though, and we can easily forget to be optimistic in security. The latest State of the Internet (SOTI) report — Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape — provides details on all this and more, and shines some light in the darkness.
The report provides our viewpoint on this rapidly evolving menace — and explains how organizations can build the resilience they need to mitigate the ransomware threat.
The TL;DR
Seriously, you should read the whole report, but if all you have time for right now is a quick highlight reel, here’s some of what you can expect to find in the loot box that is this SOTI report.
Ransomware attackers are using AI and large language models
Attackers are using AI and large language models (LLMs) to ramp up the scale, sophistication, and efficiency of attacks. Ransomware groups like FunkSec and advanced persistent threat groups like Forest Blizzard and Emerald Sleet use GenAI to automate a variety of tactics — from generating malicious code and crafting convincing phishing emails to conducting vishing attacks that impersonate company personnel to using chatbots to negotiate with victims.
Emerging tools like WormGPT, DarkGPT, and FraudGPT dramatically lower the barriers to entry, making it easier for amateurs to mount attacks.
Evolving extortion tactics amplify the pressure on victims
Attackers have moved beyond single extortion; that is, simply demanding a ransom to decrypt the stolen data. Double, triple, and quadruple extortion tactics add pressure by threatening to expose customer information, disrupting operations with distributed denial-of-service (DDoS) attacks, and sending harassing messages to business partners, customers, and others — including informing media of the breach.
Compliance can make you … com-pliable
Ransomware attackers have also weaponized compliance. A recent trend involves threats to reveal that a company is in violation of security or breach disclosure regulations, which could expose the victim organization to fines that could far exceed the ransom demand.
The continued rise of ransomware as a service
The emergence of hacktivist/ransomware hybrids
Some ransomware groups are blurring the line between hacktivism and profit motives. These hybrid groups are leveraging RaaS platforms not only to drive financial profit but also to advance ideological or political agendas.
Groups like Stormous, DragonForce, KillSec, CyberVolk, and Dragon RaaS have perpetrated disruptive attacks on private enterprises, government institutions, and critical infrastructure in countries around the world.
Spotlight features
The SOTI report also includes special security spotlights that take a deeper dive into specific topics of interest, authored by our own Akamai security superheroes Or Zuckerman, Maor Dahan, and James Casey, including:
Wizard Spider (aka TrickBot), a financially motivated cybercrime group that targets critical infrastructure, including healthcare systems, and has ties to Russian intelligence services
Cryptomining malware, or cryptojackers, that covertly exploit the victim’s resources for profit by mining cryptocurrency; cryptominers are now a substantial piece of worldwide cybercrime
Ransomware and the law; that is, efforts by legislatures and regulators to create legal frameworks to help meet the challenge of rapidly evolving ransomware strategies — including legal efforts to discourage ransom payments
Strategies for building resilience
Cyber insurance rates are increasing dramatically, along with the rate of audits of companies’ cybersecurity capabilities, so organizations need to develop strategies to build ransomware resilience. That means planning for the worst-case scenario by having clear policies and strategies for navigating and negotiating ransomware payments.
The criminal ransomware economy is dynamic, and the defense against this threat requires equal agility. To protect themselves, organizations must redefine cyber resilience and implement practical frameworks to achieve comprehensive protection. Understanding the state of the ransomware threat is a critical first step in that process.
Learn more
For the full story, read the new SOTI report, Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape.