Verizon’s recently published Data Breach Investigations Report (DBIR) for 2025 reveals a worrying trend in the world of cybersecurity: the majority of ransomware attacks are now targeting small and medium-sized businesses (SMBs). According to the report, extortion malware was detected in a staggering 88% of breach incidents involving SMBs, contrasting sharply with the 39% recorded for larger organizations. This significant disparity underscores the increasing vulnerability of smaller enterprises in the face of sophisticated cyber threats.
The 2025 edition of the DBIR, made public on April 23, identified that ransomware played a role in 44% of all recorded attacks during the period from November 1, 2023, to October 31, 2024. This translates into approximately 12,195 data breaches, marking a substantial 37% increase in ransomware-related incidents compared to the previous year’s report, where ransomware was implicated in only 32% of such breaches. This sharp rise reflects the escalating challenges that organizations, especially SMBs, face in safeguarding their digital assets.
The report further clarifies the different forms of ransomware contributing to these alarming statistics. The high figures encompass both traditional encrypting ransomware and "pure extortion, non-encrypting" variants, which the report classified under extortion for the 2024 findings. This distinction is vital in understanding the diverse strategies employed by cybercriminals.
During a report launch event in London, Alistair Neil, Managing Director for Advanced Solutions International at Verizon Business, discussed the geographical implications of ransomware growth. He emphasized that ransomware is no longer confined to the United States and Europe, as more organizations in the Asia-Pacific region are falling victim to these attacks. This trend highlights a concerning global meander in cybercrime, with perpetrators extending their reach to capitalize on vulnerabilities across diverse regions.
Interestingly, despite the uptick in ransomware attacks, the median ransom payments have seen a decline. Currently, the average ransom payment stands at $115,000, down from $150,000 the previous year. Nearly two-thirds of victims—64%—are now choosing to refuse payment, signifying a notable increase in resolve compared to just 50% two years prior. This shift could indicate a growing awareness among businesses about the potential consequences of complying with ransom demands.
Supporting this observation, recent findings from BlackFog suggest that ransomware groups are pivoting toward increasing the volume of attacks to compensate for diminished ransom payouts. The overall landscape reveals a strategic adjustment by cybercriminals as they grapple with the effects of heightened resistance from their targets.
Furthermore, the report unveils a more complex interplay of factors driving ransomware attacks. Notably, state-sponsored actors and advanced persistent threats (APTs) are increasingly utilizing ransomware tactics as part of their operations. Verizon’s analysis indicates that espionage-motivated campaigns accounted for 17% of all confirmed breaches during the reported period. This is particularly alarming in the Asia-Pacific region, where espionage constituted 20% of analyzed breaches, compared to only 8% in Europe, the Middle East, and Africa (EMEA), and a mere 4% in North America.
The report also suggests that these state-sponsored actors may be driven by more than just espionage motives. Approximately 28% of incidents involving such actors exhibited a financial incentive, revealing a dual agenda that combines traditional state interests with lucrative cybercriminal activities. Alistair Neil highlighted that threat actors are becoming more sophisticated, often engaging in system intrusions with multiple goals in mind. He noted that these actors frequently gather substantial amounts of data before deciding whether to leverage it for intellectual property or personally identifiable information theft, or even for extortion purposes.
Moreover, cyber-attack patterns differ across various industry sectors. The Verizon DBIR indicates that the administration and wholesale trade sectors are primary targets for cybercriminals seeking financial gain. Transportation, agriculture, and entertainment sectors are also significantly affected, with financial motives driving 99%, 98%, and 97% of breaches, respectively. Conversely, industries such as mining, utilities, and information are more frequently targeted for espionage, with 55% and 36% of breaches in these areas being attributed to cyber espionage.
In conclusion, as the landscape of ransomware attacks evolves, so too do the strategies employed by cybercriminals. The pressing need for enhanced cybersecurity protocols, particularly for small and medium businesses, is underscored by these findings. The data illustrates that a proactive approach is essential for organizations to defend against the ever-changing and increasingly sophisticated threats posed by both independent cybercriminals and state-sponsored actors alike.