

April 8, 2025

Fewer Ransomware Victims are Paying Up, which is Making Threat Actors Desperate

Ransomware remains one of the most pervasive cybersecurity threats, evolving in both scale and complexity. In 2024, the number of ransomware attacks surged, but a notable shift occurred—fewer victims opted to pay the ransom. With ransom payments down 35% and a staggering $813 million still lost to extortion, attackers are being forced to adapt their tactics.

As we move into 2025, these trends signal a new era of cyber threats, one where threat actors are becoming more aggressive, initial access brokers (IABs) play an increasing role, and data leaks become the primary weapon of choice. Organizations must adopt advanced threat intelligence, endpoint security solutions, and proactive cyber defense strategies to stay ahead.


The Rise in Ransomware Attacks

According to the Cybersecurity and Infrastructure Security Agency (CISA), the number of ransomware attacks has increased exponentially. One of the primary drivers behind this rise is the growing number of vulnerabilities—up 300% in 2024, with 768 documented cases. While many believe social engineering is the primary attack vector, the reality is that stealer logs and malware exploiting vulnerabilities are the most common entry points. The automation of these attacks has allowed ransomware groups to operate at an unprecedented scale.

A key enabler of this surge is the increasing presence of Initial Access Brokers (IABs). These cybercriminals act as penetration testers for ransomware gangs, identifying vulnerabilities, gaining access to networks, and then selling that access to the highest bidder. The IAB market has expanded so rapidly in 2024 that even cybersecurity researchers have struggled to track the number of active brokers. Their presence has fueled the growth of ransomware by making high-value targets more accessible to criminal organizations.



Decline in Ransom Payments

Despite the rise in attacks, fewer victims are willing to pay. Data from Chainalysis shows that total ransomware payments fell by 35% in 2024. This shift is largely due to increased awareness, better incident response strategies, and more organizations refusing to negotiate with cybercriminals. Many companies now prioritize recovery and mitigation over paying a ransom, limiting the profitability of ransomware operations.

While this is a positive trend, it has also led to unintended consequences—cybercriminals are becoming more impatient and ruthless. Instead of waiting for payments, they are opting to leak stolen data immediately to pressure victims into compliance.

As fewer organizations pay ransoms, cybercriminals are shifting tactics. Instead of relying on extortion payments, many are now leveraging data leaks as a primary weapon. The logic is simple—if victims won’t pay, their sensitive data will be leaked publicly or sold on dark web forums.

This shift means that in 2025, the volume of leaked sensitive data will likely skyrocket. Organizations that once faced the dilemma of whether to pay or not may now be dealing with immediate exposure of proprietary or personal information. This underscores the need for businesses to prioritize prevention, incident response, and mitigation strategies.


Conclusion: Constant Vigilance Needed

Ransomware remains a formidable threat, but its landscape is changing. While attacks are rising, ransom payments are declining, forcing cybercriminals to evolve their tactics. The rise of Initial Access Brokers has made ransomware more accessible, and threat actors are increasingly impatient, opting for immediate data leaks instead of drawn-out negotiations. As we enter 2025, organizations must stay vigilant, strengthen cybersecurity defenses, and invest in proactive measures such as advanced endpoint security, threat intelligence platforms, and zero-trust architectures.

For those looking to stay ahead of emerging threats, the DarkBlue Intelligence Suite offers industry-leading dark web threat intelligence, including proactive dark web monitoring, investigative and analytical tools, and secure live dark web access, helping businesses and security professionals navigate and mitigate the risks posed by ransomware and other cyber threats. Request a free trial to test out DarkBlue today.