123% Increase in Ransomware Attacks in 2 Years with More Small Ransomware Groups Emerging

Black Kite’s new research has revealed how the ransomware environment is evolving. Last year saw a notable shift from a few big ransomware groups conducting many attacks to an increasing number of smaller groups conducting the attacks.

The report is based on information gathered by the Black Kite Research & Intelligence Team (BRITE) from April 2024 to March 2025, which includes victim analysis, dark web intelligence, and constant tracking of ransomware attacks. Of the 150 ransomware groups monitored by BRITE, 96 were regarded as active, having performed one or more attacks last year. Of the 96 active ransomware groups, 52 were new in the last 12 months. In this same period, the number of publicly announced ransomware victims (6,046) increased by 24%. In the preceding year, there was an 81% increase; therefore, the number of disclosed ransomware victims increased by 123% in the last two years.

When large ransomware groups like LockBit and ALPHV/BlackCat dominated the scene, the attacks were somewhat predictable. After law enforcement shut down ALPHV, many smaller groups were created, and the more seasoned actors started working on their own. With a lot of new groups, the malware ecosystem is now more chaotic, as less complex attacks are being conducted by more players. BRITE states that smaller groups often lack facilities, discipline, and reliability, and this change has led to a bigger attack volume, a drop in organization, and increasing unpredictability in the attacks.

One pattern that has appeared is a change from attacks on bigger organizations to attacks on small and medium-sized companies, which generally have poorer cybersecurity and carry a lower risk of retaliation from authorities. The actual returns from performing the attacks are lower, with BRITE revealing a 35% drop in ransom payment amounts in the last 12 months; nevertheless, the general effect of ransomware attacks has increased. In 2024, the average ransom demand was $4.24 million, but the average and median ransom payments were $553,959 and $2 million, respectively.

When it comes to targets, the top three sectors attacked by ransomware groups did not change year-over-year. The most targeted sector is the manufacturing industry, with 1,315 victims in the past year. Because of the considerable disruption to business operations, the probability of getting a ransom payment is higher. The second-most targeted sector was professional and technical services, with 1,040 attacks. The third was HIPAA-regulated healthcare and social services, with 434 attacks.

With regard to the increase in attacks on various industries, not including the mass vulnerability exploitation by the Clop group, the highest was wholesale trade, with 2.27% more attacks. Second was healthcare and social services, with a 1.44% increase. Smaller healthcare providers, like doctors and health professionals, experienced 38% of attacks. Hospitals experienced 20% of attacks, social services 11%, and nursing and residential facilities 9%.

BRITE additionally reports greater entanglement in supply chains, as ransomware groups targeted more third-party providers. One attack on a vendor could very easily enable the ransomware actor to attack many downstream businesses. BRITE stated that ransomware was responsible for 67% of all third-party breaches, as in the cyberattacks on Change Healthcare, CDK Global, and Blue Yonder. Therefore, ransomware is becoming more of a supply chain issue, not just a cybersecurity one.

Black Kite expects more fragmentation of the ransomware ecosystem in the upcoming year. Ransomware groups will double the targeting of victims, with various ransomware variants used within a short time, and conduct faster attacks with reduced dwell time from initial access to ransomware deployment.

Image credit: Pixel Matrix, Adobestock


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.