As the global cybersecurity community marks International Anti-Ransomware Day on May 12, new data from Kaspersky and other leading threat intelligence firms highlights the profound transformation of the ransomware landscape, chiefly driven by the rise of Ransomware-as-a-Service (RaaS) models.
While overall ransomware detections declined by 18% between 2023 and 2024, the proportion of users impacted by these attacks marginally increased, reflecting a pronounced shift from broad-spectrum infections to highly targeted campaigns against high-value organizations.
The RaaS paradigm has established itself as the principal engine for ransomware proliferation, drastically lowering the entry threshold for cybercriminals.
Platforms such as RansomHub and Akira now offer turnkey access to sophisticated malware, technical support, and affiliate schemes, with profits often split by up to 90% to incentivize partners.
This model has democratized cyber extortion, enabling even low-skilled threat actors to execute advanced attacks.
The modular architecture of RaaS platforms supports rapid customization for cross-platform deployment, most notably targeting Windows systems but increasingly extending to Linux and VMware environments as enterprises transition to hybrid and cloud infrastructures.
RaaS operators are also evolving their services, bundling in initial access brokerage and dedicated data exfiltration capabilities.
According to the Kaspersky report, this has led to the emergence of numerous new ransomware groups in 2024, even as legacy actors are disrupted by law enforcement.
For instance, despite major operational setbacks to groups like LockBit and ALPHV/BlackCat, other RaaS-backed collectives such as Play and RansomHub have quickly filled the void, underscoring the resilience and adaptability of the ransomware ecosystem.
Escalating Ransom Demands and Tactics
Notably, while total ransomware-related payments dropped significantly to $813.55 million in 2024 (down 35% year-on-year), the average ransom payment nearly tripled, surging to $3.96 million.
This trend is attributed to adversaries directing their efforts at larger organizations with deeper pockets, demanding higher ransoms and leveraging multi-layered extortion strategies.
Double and triple extortion, where data encryption is coupled with theft and threats of public disclosure, have become standard operating procedure for leading groups, maximizing both leverage and profits.
Groups such as FunkSec have advanced this approach by integrating AI into attack tool development, employing large language models to create evasive, highly adaptable code and streamline phishing campaigns.
In parallel, techniques like Bring Your Own Vulnerable Driver (BYOVD) have gained ground, with attackers installing legitimate but flawed kernel-level drivers to bypass detection and disable security defenses.
The growing library of exploitable drivers and the availability of open-source attack tools have greatly broadened the range of adversaries capable of executing such attacks.
Ransomware continues to disproportionately impact regions undergoing rapid digital transformation, such as the Middle East, Asia-Pacific, and select Latin American markets, where expanding attack surfaces and uneven cybersecurity maturity present fertile ground for cybercriminals.
While Africa remains a less prominent target due to lower digitization, rising adoption in countries like South Africa and Nigeria signals growing risk.
In Europe, robust regulatory frameworks and advanced incident response capabilities have mitigated the scale of attacks, yet high-profile incidents, like the RansomHub breach of Kawasaki’s European operations, highlight persistent vulnerabilities within critical sectors.
Looking ahead to 2025, experts predict a continued evolution of ransomware, with attackers increasingly exploiting unconventional entry points such as IoT devices and leveraging automation tools, including Robotic Process Automation (RPA) and low-code platforms, to streamline both attack development and deployment.
As law enforcement actions force the dissolution or migration of some groups, their toolkits and methods are rapidly recycled by successor collectives, perpetuating a cycle of innovation.
The proliferation of AI-driven malware, coupled with the commodification of RaaS platforms, ensures that the ransomware threat will remain a preeminent concern for organizations worldwide.
In response, cybersecurity specialists urge businesses to adopt layered defenses, robust backup protocols, zero-trust architectures, and comprehensive employee training to counter the escalating sophistication of ransomware campaigns.