Ransomware escalates in scale and sophistication through 2025
Ransomware surged in 2025, with AI-driven tactics and service-based models set to intensify cyber risks in 2026.
Ransomware activity intensified throughout 2025, as cybercriminal groups refined both their business models and technical capabilities. The year was defined by the continued rise of ransomware-as-a-service, which lowered the barrier to entry for less experienced attackers while consolidating profits among core operators. These platforms offered affiliates access to ready-made malware, compromised network entry points, and structured payment schemes, with revenue splits typically skewed heavily in the operators' favour.
According to analysis by Fabio Assolini, Head of the Research Center for the Americas and Europe in Kaspersky's Global Research and Analysis Team, this industrialisation of ransomware has reshaped the threat landscape. The shift towards service-based operations has enabled criminal groups to scale faster, replace disrupted infrastructure quickly, and absorb law enforcement takedowns with limited long-term impact on overall activity.
The economic consequences have been significant. Estimates indicate that potential ransomware-related losses in the manufacturing sector alone could have exceeded US$18 billion during the first three quarters of 2025 if attacks had succeeded. Asia-Pacific accounted for a substantial share of this exposure, contributing an estimated US$11.5 billion in potential losses. Rapid digitisation across emerging economies has expanded attack surfaces, leaving organisations increasingly exposed to operational disruption and financial damage.
Despite several high-profile disruptions of ransomware platforms during the year, the overall ecosystem remained resilient. When established services were dismantled, new or previously lesser-known groups moved quickly to fill the gaps. Groups such as Qilin, Akira, Cl0p and Sinobi gained prominence, illustrating how ransomware operations have become modular and replaceable rather than dependent on any single platform.
New attack vectors and uneven regional exposure
Attack techniques evolved alongside business models. One of the most concerning trends in 2025 was the growing use of signed but vulnerable drivers to bypass security controls. Using the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique, attackers were able to gain elevated system privileges while avoiding detection by many traditional endpoint defences. This approach allowed ransomware payloads to execute with greater persistence and effectiveness.
Attackers also increasingly targeted unconventional entry points. Internet-connected devices such as smart appliances, webcams, and other Internet of Things endpoints were used as gateways into corporate networks. Campaigns attributed to the Akira group demonstrated how these less monitored assets could provide stealthy, long-term access to internal environments.
Artificial intelligence further accelerated the pace and scale of ransomware operations. Groups such as FunkSec, which emerged in late 2024, used AI-generated code to support low-cost, high-volume campaigns targeting government, finance, and education sectors. These attacks prioritised speed and reach over bespoke intrusion techniques, with AI tools enabling faster reconnaissance, automated malware development, and more convincing phishing attempts.
Regional exposure varied considerably. Hacktivist-aligned groups, including Head Mare and Twelve, weaponised ransomware to disrupt manufacturing and industrial targets. In Africa, overall ransomware prevalence remained lower due to more limited digitisation, but hotspots such as South Africa and Nigeria experienced a rise in incidents affecting financial institutions. Europe benefited from stronger regulatory frameworks, yet supply chain disruptions showed that even well-regulated regions remain vulnerable to indirect attacks.
AI-driven ransomware threats loom in 2026
Looking ahead to 2026, the report warns that ransomware is likely to enter a more aggressive and automated phase. Advances in artificial intelligence are expected to play a central role, particularly the emergence of agentic AI systems capable of autonomous reasoning and real-time adaptation. These systems could automate entire attack chains, from reconnaissance and lateral movement to data exfiltration and extortion, at speeds far beyond human-led operations.
Ransomware-as-a-service platforms are also expected to evolve further through deeper AI integration. Even inexperienced attackers may gain access to tools capable of deploying polymorphic malware that mutates dynamically to evade detection. Extortion tactics could expand to include deepfake audio or video used to pressure executives, increasing both the psychological impact and credibility of threats.
Beyond encryption and data leaks, extortion strategies are expected to become more subtle and damaging. Data tampering and reputational sabotage could undermine trust in affected organisations long after systems are restored. As attackers increasingly target third-party vendors and service providers, a single breach could cascade across multiple organisations, amplifying both financial and reputational fallout.
The analysis underscores the need for organisations to act proactively. Recommended measures include investment in threat intelligence, the use of immutable and air-gapped backups, stronger multi-factor authentication, and comprehensive supply chain audits. Targeted employee training is also essential to counter AI-enhanced phishing and social engineering. As ransomware threats become more autonomous and scalable, resilience and adaptability will be critical for organisations seeking to avoid becoming the next high-profile casualty.
