Human capital & corporate risk
The first quarter of 2025 shows a sharp increase in ransomware incidents worldwide. A ransomware incident is a type of cyber attack where malicious software known as ransomware infects a computer or network and blocks access to data until a ransom is paid.
The number of publicly disclosed attacks rose significantly, reaching a record high in March: an increase of 45% compared to 2024. In addition, it is estimated that over 2,100 unreported attacks occurred — an increase of 113%. These figures show that the actual threat is significantly greater than the public reports suggest.
Cybercriminals are increasingly structured and use advanced methods such as Ransomware-as-a-Service (RaaS). In addition to encrypting data, we are increasingly seeing sensitive information stolen and published online to exert pressure on victims. The average ransom was USD 663,000, with an average of 1.58 TB of data captured per attack.
In particular, organizations in the service sector, health care and government are often targeted, accounting for 47% of the reported attacks. The increase in the government sector, particularly among local authorities in the US, is worrying because of the social impact and the risk of citizen data breaches.
Perpetrators are often located in countries such as China, Russia and Ukraine, which together are responsible for a large part of the global data breaches. These countries use illegal networks to hide stolen data, making international cooperation to combat it more difficult.
In addition to well-known ransomware groups (individuals, companies or groups behind the attacks) such as Clop and RansomHub, several new groups also became active in Q1 of 2025. This development shows that the ransomware landscape continues to evolve and expand. The return of old names — whether or not actually involved — illustrates the intangibility of many of these actors.
It's obvious: ransomware is not a temporary threat, but a structural risk that is becoming increasingly aggressive and sophisticated. Organizations — big and small — need to act now. Not only by putting digital security in order, but also by actively investing in awareness, preparation and transparency.
Reporting incidents is not a weakness, but a crucial step in strengthening collective resilience. Only by being open about attacks can organizations learn from each other and jointly form a front against cybercriminals. A culture of cooperation and information sharing makes the difference between isolated damage and structural protection.
Ransomware no longer only affects large corporations or critical infrastructures. Small companies, municipalities and educational institutions in particular are increasingly being targeted. This underlines the need for action at every level within the organization and society as a whole. So be very aware of this risk!
Would you like more insight into the risks, tailored advice or take out appropriate cyber insurance? Then contact our Cyber specialists.
Based on Blackfog's “The State of Ransomware 2025” report (April 2025).
