Ransomware 2025: The threat evolves with AI and more sophisticated attacks

Throughout 2024, the ransomware landscape underwent significant changes that impacted organizations worldwide. Despite a reduction in ransom payments, the sophistication and persistence of ransomware attacks remain one of the top concerns for IT professionals.

Key 2024 Statistics

• Reduction in Ransom Payments

According to Chainalysis, global ransomware payments totaled $814 million in 2024—a 35% decrease compared to $1.25 billion in 2023. This decline is attributed to effective law enforcement actions and an increased reluctance among victims to pay ransoms.

• Increase in Attacks in Spain

Spain ranked as the eighth most affected country by ransomware attacks in 2024, with an 11% increase compared to the previous year. This surge is linked to Spain’s prominence en la economía global y la vulnerabilidad de las pequeñas y medianas empresas que carecen de recursos robustos de ciberseguridad.

• Rise in Latin America

Kaspersky reported that between June 2023 and July 2024, 1,185,242 ransomware attacks were blocked in Latin America—a 2.8% increase compared to the previous period. Brazil, Mexico, Ecuador, and Colombia were the most affected countries in the region.

Evolution of Attack Techniques in 2025

In 2025, threat actors have adopted advanced technologies to enhance the sophistication and persistence of ransomware attacks:

• Use of Artificial Intelligence (AI):

Cybercriminals are leveraging AI to automate vulnerability detection and to customize phishing attacks, thereby increasing the likelihood of success. This technology enables the creation of emails and messages that accurately mimic legitimate communications, deceiving even experienced users.

• Software Supply Chain Attacks:

There has been an intensification of attacks targeting open-source libraries and dependencies. Attackers compromise widely-used software components to distribute ransomware en masse and stealthily. This approach allows them to infiltrate multiple organizations through a single vulnerability.

• Self-Replicating Ransomware:

Variants such as Virlock have resurfaced, combining encryption capabilities with worm-like properties. This enables them to automatically propagate across internal networks and external devices, exponentially increasing their reach and potential damage.

Recommended Mitigation Measures

To counter these emerging threats, IT professionals are advised to implement the following strategies:

1. Adopt a Zero Trust Approach: This security model involves not automatically trusting any entity, whether inside or outside the network perimeter. It requires continuous verification of the identity and context of each access, minimizing the risk of lateral movement by attackers.
2. Monitor and Manage the Software Supply Chain: Implement rigorous processes for evaluating and monitoring software dependencies—especially open-source components—to detect and mitigate potential compromises before they impact the organization.
3. Integrate AI into Cyber Defense: Utilize AI-driven security solutions to analyze network traffic patterns and user behaviors in real time, enabling proactive detection of anomalous activities and immediate response to potential incidents.
4. Strengthen Organizational Resilience: Regularly develop and test incident response plans, perform frequent data backups, and educate employees on the latest social engineering tactics. This reduces the attack surface and enhances the organization’s ability to recover from ransomware incidents.

The evolution in the sophistication and persistence of ransomware attacks demands continuous vigilance and a proactive adaptation of cybersecurity strategies. By staying informed about emerging trends and adopting robust preventative measures, IT professionals can effectively safeguard their infrastructures and critical data against these ever-changing threats.

How Does Endurance Protect Against Ransomware?

Endurance prevents the spread of ransomware by providing completely isolated and controlled access. Its secure remote desktop and Connection Broker ensure that only audio, video, keyboard, and mouse events are transmitted, preventing malicious files from reaching critical assets. Furthermore, its encrypted Vault protects credentials and blocks unauthorized access, thereby reducing the attack surface and ensuring business continuity in the face of advanced threats.