Despite increased awareness and quality of defenses, ransomware continues to be a significant threat. It seems that cybercriminals are always staying ahead by evolving their tactics.
In 2024, the ransomware statistics from Sophos’ State of Ransomware report were alarming:
- 59% of organizations were hit by ransomware in the last year
- The average recovery cost, excluding ransom payments, was $2.73 million
- 34% of organizations took longer than a month to recover
- 32% of victims also experienced data theft when their data was encrypted
- The average initial ransom demand was $2 million
As we look ahead to 2025, it’s no surprise that AI will play a critical role in reshaping both the offensive and defensive sides of the ransomware equation.
The meaning of ransomware
Ransomware is a type of malware that gets downloaded onto an endpoint (usually a computer or server) and encrypts the files. It claims a decryption key will be provided if and when a ransom is paid.
The term “ransomware” is still relevant, as it captures the essence of these attacks—disruption and financial extortion. While attackers increasingly employ multi-pronged extortion tactics (such as data leaks), the term still effectively communicates the threat to organizations and the public.
For additional context, there are other cyber threats that try to extort money that aren’t ransomware. One example is a threat to carry out a DDoS attack if a ransom is not paid by a deadline.
This shared understanding is crucial for awareness and coordinated defense efforts.
Expert ransomware predictions with Jordan Rae Kelly
To get an expert perspective on the future of ransomware, we spoke with Jordan Rae Kelly, Senior Managing Director and Head of Cybersecurity for the Americas at FTI Consulting. Kelly is the former Director for Cyber Incident Response on the National Security Council and former Chief of Staff in the FBI’s Cyber Division.
Here is our Q&A with Kelly:
Do you think the term ransomware is still meaningful given the shift toward multi-pronged extortion?
I believe it is still meaningful and relevant given that it is widely understood by the public, which makes discussion about it clearer and more accessible. Regardless of specifics on how extortion tactics are shifting, people are largely familiar with the term ransomware and what it means for impacted organizations and individuals. Also, the term still accurately describes the method of attack.
How much more (and how, if at all) will ransomware change over the year?
Ransomware continues to grow in sophistication, and I expect that to continue – as cyber criminals can use inexpensive, readily available tools to make their campaigns more effective, and we will continue to have to play catch-up to combat their tactics.
This also means that less sophisticated cyber criminals can get involved in this space, which could create a few new trends. In certain cases, decryption has become more available as a solution, due to unsophisticated cyber criminals copying existing ransomware strains, from which a decryption key has been established. In other words, we may see more ransomware attacks, but they could be simpler to combat. However, copycat cyber criminals getting involved could make tracking and attribution more challenging. This is because tactics, techniques, and procedures (TTPs) that are often used as identifiers become inconsistent when assessing cyber criminals without an established presence.
Criminals seem to be getting more disruptive. Should we worry about an increase in the use of wipers for extortion by criminals? And will ransomware as a service (RaaS) continue to proliferate?
I expect financial gain to continue to be a primary driver of behavior by cyber criminals. Wipers don’t allow for the same leverage over the victims, and thus I don’t see these becoming a primary behavior. The more leverage, the higher likelihood that cyber criminals will get what they want.
The proliferation of RaaS is not something I expect will slow. It allows unsophisticated cyber criminals and those without the means to launch ransomware attacks with little knowledge or experience in this space, and at a much lower cost or necessary nation-state backing. The potential large monetary payout compared to a minimal investment is also a strong selling point for RaaS operators.
Can we expect more or fewer law enforcement agency (LEA) actions targeting criminal gangs?
It will be interesting to see what threats are prioritized during a government transition year within the U.S., but there is no sign of this slowing. The successful takedowns of cybercriminal groups this year that came as the result of collaborative efforts of agencies across the globe highlight the significant outcomes that can be achieved through intelligence sharing. These successes will hopefully encourage continued LEA action, which serves as a genuine deterrent.
Will we see more malware generated by AI? On the other side, will we see better detection of malware by AI?
Absolutely. Cyber criminals are agile and adept at determining how new technologies can be used to their benefit, and AI is a prime example. Despite ethical steps designed to prevent AI tools from being used maliciously, with the right prompts, cyber criminals can use AI to generate and improve existing malware.
However, malware detection can be improved using AI, especially when leveraged to analyze vast datasets to determine what is legitimate behavior and what is malware. AI has the ability to detect malware in real time, helping contain the threat more quickly and mitigate potential damages.
What this means for AI in 2025
As AI tools become more advanced, they will empower both attackers and defenders. While attackers may exploit AI to refine malware and diversify their extortion tactics, defenders can leverage AI to detect, mitigate, and prevent ransomware attacks with unprecedented speed and precision.
But technology alone is not enough to counter these threats.
Organizations must adopt robust data security governance practices as a foundational layer of their defenses. This includes clearly defined policies, regular risk assessments, and comprehensive visibility into sensitive data to ensure that AI-powered tools are working with accurate and actionable insights.
With effective governance, organizations can manage access permissions, detect unusual behavior, and respond to potential threats in real time.
The outcome of the AI-driven arms race will hinge on collaboration, innovation, and the proactive adoption of advanced security technologies combined with strong governance frameworks. By prioritizing data security governance, organizations can reduce their attack surface, improve incident response, and stay ahead of adversaries.
The fight against ransomware will not end in 2025, but a balanced approach that combines AI innovation with sound governance offers hope for tipping the scales in favor of defenders.