Ransomware & Extortionware in 2025: Stats & Trends

In the underground cybercrime circles of the Dark Web, ransomware attacks are a particularly lucrative enterprise. These attacks are on the rise. And they’re disrupting the stalwart IT industry.

The average cost of a ransom attack in 2023 was $1.54 million, almost double the previous year’s average. And research we gathered for The CISO Report show that 83% of organizations hit by a ransomware attack paid their attackers. Curious which industry is most likely to pay the ransom? Retail.

Arguably more concerning is this trend: instead of simply locking users out of the data, more ransomware attacks aim to extort your data, holding it ransom until you pay up. In 2023, over 33 million data records were extorted via ransomware and phishing attacks — that’s a data extortion incident every 11 seconds.

So, with that grim background, let’s look at the state of ransomware today.

Brief overview of ransomware

Ransomware is the catch-all term for malicious software (malware) that prevents legit users from accessing a particular asset or dataset.

Typically, ransomware works like this: a threat actor breaks into a system, encrypts the target asset, and demands financial compensation in exchange for decryption keys.

The asset that’s being held ransom is where the power lies. That is, the more powerful or valuable an asset is, the more leverage the threat actor can have. For example, servers compromised by ransomware can cripple entire business operations.

Indeed, it’s this impact that causes businesses to adopt ransomware risk mitigation strategies as part of business continuity planning. These strategies include backups and redundancy: if a server is compromised in a ransomware attack, it is simply shut down and the application container may run on another machine.

(Understand the most common types of ransomware.)

Payload delivery & execution

A key step in ransomware execution is the payload delivery and execution. This is achieved by cleverly manipulating unsuspecting users, convincing them to:

• Click on malicious links.
• Download executable files that appear, but are not, legitimate.

Typically, payload execution is developed in such a manner that it installs and executes in the background, without getting noticed by the user or raising security alarms. Such a payload need not be sophisticated to be successful: ransomware can be simple, employing basic encryption algorithms — yet still inflicting severe damages and impact on the victims.

More than half of respondents in The CISO Report paid ransoms of $100,000 or more. Some organizations paid more than $1 million.

Ransomware trends, services & data exfiltration

Today, the Dark Web is home to both a cybercriminal gig economy and a connected ecosystem, where malicious actors offer their botnets and data exfiltration services. Instead of writing sophisticated ransomware attacks that involve complex encryption algorithms, cybercriminals may:

• Exploit Zero-Day vulnerabilities.
• Launch DDoS attacks.
• Intercept data in transit over a cloud network.
• Use social engineering techniques that trick users into revealing confidential login details.

Any variety of data exfiltration mechanism may be employed to access and leak sensitive information on compromised servers. In a typical ransomware attack, the data is not leaked to external servers — it’s encrypted only at the target server. Instead of paying ransomware to decrypt the compromised files Victims can minimize the damages in this scenario by restoring backups.

(How fast can ransomware encrypt data? Under a minute.)

Trend: Ransomware as a service

Over the last few years, a new trend is taking ransomware out of the domain of specialized threat actors. Ransomware as a Service (RaaS) treats ransomware attacks as a service that anyone can purchase.

Effectively, ransomware as a service enables any “customer”, to launch a social engineering attack on target victims, compounding what used to be an inherent limitation in ransomware.

(Meet the family: get to know the most common ransomware families.)

Trend: Extortionware

The case of extortionware is different.

Extortionware refers to any attack where a target data asset is exfiltrated and threatened to be released publicly, unless the ransom is paid.

Formerly, ransomware attacks would prevent you, the victim, from accessing your data. Extortionware goes further — now the threat is not that you cannot access your data, it’s that anyone could access your data. In a business context, the risk is that your sensitive trade secrets and intellectual property assets will be disclosed publicly.

Extortionware vs. ransomware

Examine the three defining attributes of extortion in a ransomware attack. A typical ransomware scenario has three defining characteristics:

• Malicious software infiltrates a target system. Recovery is challenging because the assets have been encrypted.
• Decryption without access to keys is virtually impossible, as only the malware author possesses them. (The only way to decrypt without the key is to have access to virtually unlimited computing resources.)
• Granting decryption keys for one victim of an attack does not enable others infected by the same virus to decrypt their systems. The decryption key is how the threat actor maintains power.

Now, consider extortionware: not only is your data compromised — it is also controlled by the attacker, who leaks it to an external server and threatens to disclose it publicly. This contrasts with traditional ransomware, where the attacker lacks the ability to modify, control, or release information publicly.

The other two characteristics remain consistent in an extortionware attack, with the added nuance that users cannot attempt to revert the data leakage to external servers.

Another crucial difference is that of risk exposure. The risk exposure of an extortionware attack is significantly higher than mere ransomware attacks. Depending on the sensitivity of the compromised data, your options for mitigation may be limited: Unlike in traditional ransomware attacks, where access is merely blocked, extortionware perpetrators threaten to publicly expose already compromised and leaked sensitive business information on third-party servers.

(Know the differences: risk appetite vs. risk tolerance.)

Defending against ransomware & extortionware

To invalidate such threats, ensure that preemptive security measures are in place:

• Encrypt all data in transit to public cloud services.
• Anonymize sensitive user data.
• Employ least access privileges for proprietary trade secrets.

Curious about more cybersecurity practices? Splunk offers the only unified security and observability data platform — powering security, DevOps, and data use cases across the enterprise. Learn more about what Splunk can help you do.