Human capital & corporate risk
Nederlands Login

Ransomware in 2025: Professionalization of cybercrime demands action

The first quarter of 2025 shows a sharp increase in ransomware incidents worldwide. A ransomware incident is a type of cyber attack in which malicious software, known as ransomware, infects a computer or network and blocks access to data until a ransom is paid.

The number of disclosed attacks increased significantly, with a record high in March: up 45% from 2024. In addition, over 2,100 unreported attacks were estimated to have occurred – an increase of 113%. These figures show that the actual threat is considerably greater than public reports suggest.

Cybercriminals take a structured approach

Cybercriminals are working in an increasingly structured way and using sophisticated methods such as Ransomware-as-a-Service (RaaS). In addition to encrypting data, we are increasingly seeing sensitive information being stolen and published online to put pressure on victims. The average ransom amounted to USD 663,000, with an average of 1.58 TB of data captured per attack.

Organizations within the service, healthcare and government sectors are particularly frequently targeted, collectively accounting for 47% of reported attacks. The increase within the public sector, particularly at local agencies in the U.S., is concerning because of the social impact and risk of citizen data breaches.

Perpetrators are often located in countries such as China, Russia and Ukraine, which together account for a large proportion of global data breaches. These countries use illegal networks to channel away stolen data, making international cooperation to combat it more difficult.

In addition to well-known ransomeware groups (individuals, companies or groups behind the attacks) such as Clop and RansomHub, several new groups also became active in Q1 of 2025. This development shows that the ransomware landscape continues to evolve and expand. The return of old names – whether actually involved or not – illustrates the elusiveness of many of these actors.

What can you do?

It is abundantly clear: ransomware is not a temporary threat, but a structural risk that is becoming increasingly aggressive and sophisticated. Organizations – large and small – must act now. Not only by putting digital security in order, but also by actively investing in awareness, preparation and transparency.

Reporting incidents is not a weakness, but a crucial step in strengthening collective resilience. Only by being open about attacks can organizations learn from each other and collectively present a front against cybercriminals. A culture of cooperation and information sharing makes the difference between isolated damage and structural protection.

Ransomware has long since ceased to affect only large corporates or critical infrastructures. Small businesses, municipalities and educational institutions in particular are increasingly being targeted. This underscores the need for action at every level within the organization as well as society as a whole. So be very aware of this risk!

Want to know more or need advice?

Would you like to understand more about the risks, get tailored advice or obtain appropriate cyber insurance? Then contact our Cyber specialists.

Based on BlackFog’s report “The State of Ransomware 2025” (April 2025).


This article is posted by Kimberly Kooij. Senior Liability & Cyber Broker

CONNECT