Shed a tear, if you can, for the poor, misunderstood cybercriminals hard at work trying to earn a dishonest crust by infecting organisations with ransomware.
Newly released research has revealed that the riches to be made from encrypting a company’s data and demanding a ransom are not proving so easy to come by as they once were.
Because, although the number of ransomware attacks is reported to have reached record-breaking heights in the first months of 2025, gangs’ profits are thought to be plummeting.
BlackFog’s “State of Ransomware” report details over 100 publicly-disclosed attacks in March 2025 – an 81% increase from the year before – with an average ransom demand of US $663,582.
According to BlackFog, this is the highest number of attacks it has documented since it began collecting reports in 2020.
It’s a similar story from threat intelligence firm Cyble, which recently published a blog post showing a record-shattering high for ransomware attacks.
What’s driving this increased number of attacks? Well, one possibility is that ransomware groups have increased the number of their attacks in an attempt to make up for the lower ransoms they are receiving from victims. In short, if you’re getting less money per attack, increase the number of attacks and try to make up the shortfall that way.
The reduction in income being made by the extortion gangs cannot be underlined enough, with reports that there has been a 35% year-over-year decrease in ransomware payments. Chainalysis reports that less than half of recorded incidents are resulting in payments by victims.
The clear conclusion has to be that the victims of ransomware attacks are getting better at resisting paying anything to their cyber-extortionists, or successfully negotiating lower payments.
And this isn’t the only headache for ransomware gangs. They also have to handle sometimes unruly affiliates – who will have no qualms about switching to working with another ransomware operation if they feel they can make more money or will be better treated.
As a report from Reliaquest notes, affiliate loyalty to particular ransomware groups can be fickle or short-lived.
Leaked chats from inside the once highly-active Black Basta ransomware group show that it was plagued by infighting before it went offline.
Meanwhile some affiliates of the notorious RansomHub operation found a new home when the group reduced the amount of profits it shared with affiliates from 90% to 85%.
With all of these problems, and with multinational law enforcement putting ever more effort and resources into disrupting the operations of the criminal gangs, it’s easy to imagine that no-one would want to earn a living through ransomware.
But, despite the difficulties and the increasing challenges ransomware groups may experience in generating the income they experienced in years past, the threat remains significant.
No business can afford to rest on its laurels, as ransomware remains a very real threat.
Make sure that your business is following our recommendations on how to protect itself from ransomware attacks. Our tips include:
- Making secure offsite backups.
- Running up-to-date security solutions and ensuring that your computers and network devices are properly configured and protected with the latest security patches against vulnerabilities.
- Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- Encrypting sensitive data wherever possible.
- Reducing the attack surface by disabling functionality that your company does not need.
- Educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data – such as phishing attacks.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.