Ransomware Attacks Hit All-Time High as Payoffs Dwindle
A recent surge in ransomware claims might signal that the profitability of the cybercriminal trade is beginning to falter and payouts are dwindling.
Several cyber threat reports recently showed that ransomware attack claims reached record-breaking levels at the beginning of 2025. However, victims appear to be resisting demands in many cases.
BlackFrog’s State of Ransomware Q1, 2025 report, published on April 9, revealed that March 2025 set a new high, with over 100 attacks publicly disclosed, an increase of 81% compared to March 2024 and the highest number of disclosed attacks since the security firm began tracking in 2020.
This record-breaking month contributed to the first quarter of 2025 also being a record-breaker, with 278 disclosed ransomware attacks.
Data exfiltration played a major part in this surge, with 95% of all publicly disclosed attacks involving some form of data leak.
BlackFrog also estimated that about 2124 unreported ransomware attacks occurred during that period, a 113% rise compared with the same period last year.
According to Cyble’s latest ransomware report, launched on April 4, February 2025 was the most impactful month for ransomware, with 886 new victims claimed by cybercriminal groups. January saw 590 new victims and March, 564.
Despite the different findings, the cyber threat intelligence firm also concluded that the first quarter of 2025 broke the record as the most active period ever for ransomware groups.
BlackFrog and Cyble found that the healthcare sector was among the most affected industries, alongside government agencies, schools and service providers.
Both firms’ telemetry also indicated that the US remained the top-targeted country.
More Ransomware Attacks, Fewer Ransomware Demands Paid
Intuitively, one may think that more ransomware attacks mean more financial damages for victim organizations.
However, the intensity of ransomware activity may be a sign of the attackers’ desperation, as their profits plummeted by 33% to $818 million in 2024 from a record $1.25 billion in 2023, according to a February 5 Chainalysis report, with victims increasingly resisting or negotiating lower ransom payments.
“The persistently high attack levels […] suggest the possibility of a new, higher ransomware attack range going forward, as groups may be trying to make up for lower ransom payments with a higher volume of victims,” the Cyble report noted.
BlackFrog found that the average ransom demand is now $663,582. While the firm did not provide any comparison with previously recorded average ransom demands, Comparitech, another cybersecurity company, reported in July 2024 that the average extortion demand per ransomware attack was over $5.2m in the first half of 2024.
Ransomware Landscape Shakeup
The first quarter of 2025 was also marked by a reorganization of ransomware groups, with some top-tier syndicates losing some of their grip.
BlackBasta, a cybercriminal group that was among the 10 most active in 2024, saw its activity almost stop in February 2025 after its internal chat was leaked.
While two other recent ransomware reports by ReliaQuest and Rapid7, published on April 9 and April 8, respectively, still showed Cl0p as the top ransomware group in the first quarter of 2025, Cyble believes the group left the top five in March.
“Claimed attacks by February’s leader, the Cl0p ransomware group, fell off dramatically, from 267 attacks recorded in February to just six in March,” Cyble wrote.
RansomHub, the second most active group until February, reportedly came first in March, with 88 claimed attacks that month, according to Cyble’s data.
New players have emerged, with Cyble identifying Arkana Security, Secp0, and Skira Team as recent additions, joining other groups like Weyhro and Frag that surfaced towards the end of the previous year.
Rapid7 also detected Ailock, Belsen Group, CrazyHunter, Cs-137, D0Glun, GD LockerSec, Linkc, NightSpire, Ox Thief, Run Some Wares, Sonshi, and VanHelsing as ransomware newcomers.
Additionally, the Rapid7 researchers said that the emergence of groups like FunkSec and the so-called ‘Babuk 2.0,’ merely rehashing previously disclosed breaches, suggests that the attention garnered by some ransomware groups may not necessarily translate to significant financial losses or impact.