The ransomware threat landscape in early 2025 is defined by paradox: law enforcement operations have achieved unprecedented disruption of major groups, yet the total volume of ransomware incidents has increased by approximately 15% year-over-year. Operation Cronos dismantled LockBit's infrastructure in February 2024, and the ALPHV/BlackCat operation effectively collapsed following its exit scam in March 2024—but the affiliate ecosystems that powered these operations have not disbanded. Instead, experienced operators have migrated to emerging groups such as RansomHub, Cicada3301, and Qilin, or reconstituted under new brands. Dark Angel's tracking of 47 active leak sites shows that double extortion remains the dominant model, with 92% of observed incidents involving data exfiltration prior to encryption. European organizations faced disproportionate targeting growth, with a 28% increase in incidents affecting EU-based entities, driven in part by geopolitically motivated actors and opportunistic campaigns exploiting NIS2 implementation gaps.
The Evolving Ransomware Ecosystem
The ransomware ecosystem entering 2025 bears little structural resemblance to the landscape of even two years prior. What was once dominated by a handful of Ransomware-as-a-Service (RaaS) oligarchs—LockBit, ALPHV/BlackCat, and Cl0p commanding outsized market share—has fragmented into a more distributed and resilient ecosystem. This fragmentation is not a sign of decline. It is an adaptive response to coordinated law enforcement pressure, and it makes the threat harder to track, attribute, and disrupt.
Dark Angel's analysis of leak site activity across 2024 identified 5,462 unique victim organizations posted to ransomware data leak sites (DLS), representing a 15.3% increase over the 4,736 victims documented in 2023. This growth occurred despite the takedown of the two largest operations, underscoring the resilience of the broader RaaS affiliate model. When a major operation is disrupted, its affiliates—the operators who actually conduct intrusions—migrate to competing platforms within days, carrying their access, tooling, and operational tradecraft with them.
The average ransom payment in 2024 reached $640,000, a 21% increase from $528,000 in 2023. However, the median payment dropped to $275,000, indicating a growing disparity between high-profile "big game hunting" operations and volume-based campaigns targeting mid-market organizations.
Three structural shifts define the current ecosystem. First, the affiliate diaspora: experienced intrusion operators displaced from LockBit and ALPHV have seeded new operations, bringing institutional knowledge of victim negotiation, infrastructure management, and evasion techniques. Second, data extortion without encryption has matured as a standalone model. Groups like Karakurt (before its own disruption) and several BianLian campaigns have abandoned encryption entirely, relying solely on the threat of data publication. This approach reduces operational complexity, avoids triggering EDR detections tied to file-system encryption behavior, and sidesteps the availability of decryptors. Third, supply chain ransomware—attacks that compromise a single managed service provider (MSP), software vendor, or cloud platform to reach hundreds of downstream victims simultaneously—has accelerated. The Cl0p MOVEit campaign of mid-2023 established the template, and multiple groups have attempted to replicate this mass-exploitation model throughout 2024.
“We are witnessing the ransomware ecosystem’s most significant structural realignment since the Colonial Pipeline era. The loss of major brands has not weakened the threat—it has decentralized it.”
Dark Angel Threat Intelligence Team, Q4 2024 Assessment
The financial incentives driving this ecosystem remain overwhelming. Cryptocurrency tracing firms estimate that ransomware actors received at least $1.1 billion in payments during 2024, though actual figures are likely 30–40% higher due to unreported payments and privacy coin usage. For context, this represents a modest decline from 2023's estimated $1.3 billion peak—a decline attributable more to improved victim resilience and backup strategies than to any reduction in attack volume.
Major Ransomware Groups: Operational Analysis
LockBit 3.0: Post-Operation Cronos
Operation Cronos, the multinational law enforcement action executed in February 2024, represented the most significant disruption of a ransomware operation to date. Coordinated across 11 countries, the operation seized 34 servers, froze over 200 cryptocurrency wallets, and—critically—obtained the backend database containing affiliate information, victim negotiation records, and decryption keys. Two individuals were arrested, and the operation's administrator, identified as Russian national Dmitry Khoroshev (operating under the alias "LockBitSupp"), was publicly named and sanctioned.
Despite the severity of this disruption, LockBit demonstrated the resilience characteristic of mature cybercriminal operations. Within days of the takedown, LockBitSupp posted a lengthy statement on a newly established .onion site, claiming that law enforcement had exaggerated the impact and that backup infrastructure remained intact. A new leak site was launched, and the group resumed posting purported victims within a week.
However, Dark Angel's analysis of post-Cronos LockBit activity reveals substantial operational degradation. Leak site postings in the six months following the operation declined by approximately 73% compared to the equivalent pre-disruption period. More significantly, many posted "victims" appear to be recycled from pre-Cronos data or fabricated entries designed to project operational continuity. Our assessment is that LockBit retains a small number of loyal affiliates but has lost its dominant market position. Claims of a forthcoming "LockBit 4.0" locker with enhanced capabilities remain unsubstantiated as of January 2025, and we assess these claims as primarily recruitment and reputation management efforts rather than indicators of genuine technical advancement.
BlackBasta: Corporate Targeting and Social Engineering
BlackBasta has emerged as one of the most consequential ransomware operations of the past 18 months, with Dark Angel tracking over 460 confirmed victims since the group's emergence in April 2022. The group's operational profile is distinctive: it demonstrates a strong preference for large enterprise targets, particularly in the manufacturing, construction, and professional services sectors across North America and Western Europe.
Throughout 2024, BlackBasta significantly evolved its initial access methodology. The group shifted from reliance on Qakbot (which was disrupted by law enforcement in August 2023) to a sophisticated social engineering pipeline. Operators impersonate IT helpdesk personnel, contacting employees directly via Microsoft Teams or phone to convince them to install remote management tools, most commonly AnyDesk or Quick Assist. Once remote access is established, the operator deploys Cobalt Strike or Brute Ratel for lateral movement, followed by data exfiltration via Rclone and encryption using the BlackBasta locker.
BlackBasta's internal communications, partially leaked in early 2024, revealed connections to former Conti members and a structured organizational hierarchy with distinct teams for access acquisition, negotiation, and infrastructure management. Average ransom demands from BlackBasta operations exceed $2 million, placing it firmly in the "big game hunting" category.
ALPHV/BlackCat: Exit Scam and Affiliate Migration
The ALPHV/BlackCat operation, which had been the second-most prolific RaaS platform through 2023, effectively ended in March 2024 through an exit scam. Following the group's high-profile attack on Change Healthcare—which disrupted pharmaceutical claims processing across the United States and resulted in an estimated $22 million ransom payment—the operation's administrators seized the full payment and shut down the affiliate portal. A fabricated "law enforcement seizure" notice was briefly posted to the group's leak site, but this was quickly identified as a deception by the cybersecurity community.
The collapse of ALPHV triggered a significant affiliate migration event. Dark Angel's tracking indicates that former ALPHV affiliates dispersed across multiple operations, with the largest contingents moving to RansomHub (which launched in February 2024 with an aggressive 90/10 affiliate-favorable revenue split), Qilin, and Cicada3301. The latter is of particular interest: Cicada3301 emerged in mid-2024 with a Rust-based locker bearing significant code-level similarities to the ALPHV payload, suggesting that at least some development talent from the ALPHV project transitioned directly.
Other Notable Operations
Play (PlayCrypt) maintained consistent operational tempo throughout 2024, with Dark Angel tracking approximately 350 confirmed victims. The group continues to favor exploitation of Fortinet and Citrix vulnerabilities for initial access and has expanded targeting from its traditional North American focus into Western European markets, particularly Germany and the Benelux region.
Cl0p (TA505) largely pivoted away from traditional encryption operations during 2024, instead focusing on mass-exploitation campaigns targeting file transfer appliances. Following the MOVEit campaign, the group exploited vulnerabilities in Cleo Harmony and VLTrader (CVE-2024-50623, CVE-2024-55956) in late 2024, compromising dozens of organizations through a single attack vector. This model—exploiting zero-day or n-day vulnerabilities in widely deployed enterprise software—allows Cl0p to amass hundreds of victims in a single campaign without maintaining a persistent affiliate infrastructure.
Royal/BlackSuit represents the evolution of the former Royal ransomware operation, which itself emerged from Conti's dissolution. BlackSuit has maintained a moderate operational tempo focused on mid-to-large enterprises in North America, with notable incidents affecting municipal governments and educational institutions. The group's locker is a continuation of the Royal codebase with incremental improvements to encryption speed and ESXi compatibility.
Medusa escalated operations significantly in 2024, with leak site postings increasing by approximately 65% year-over-year. The group has demonstrated particular interest in healthcare and educational targets and maintains a distinctive leak site that includes countdown timers and options for victims to pay to extend publication deadlines or delete individual files. Dark Angel has tracked an increase in Medusa activity targeting European entities in Q3–Q4 2024.
Akira continued to expand throughout 2024, with particular emphasis on exploiting Cisco ASA/FTD VPN vulnerabilities (CVE-2023-20269) and VMware ESXi environments. The group's Linux variant, first observed in mid-2023, has been deployed with increasing frequency against virtualization infrastructure, consistent with the broader ecosystem trend toward targeting hypervisors to maximize operational impact through a single encryption event.
Victim Analysis and Statistics
Dark Angel's comprehensive tracking of ransomware data leak sites across 2024 provides a detailed view of victimology patterns. The following table summarizes key operational metrics for the most active groups based on confirmed DLS postings and corroborated incident data.
| Group | Est. Victims (2024) | Primary Sectors | Avg. Demand (USD) | Geographic Focus |
|---|---|---|---|---|
| LockBit 3.0 | ~530 (pre-Cronos: ~420, post: ~110) | Manufacturing, Professional Services | $1.2M | Global, heavy US/EU |
| BlackBasta | ~460 | Manufacturing, Construction, Technology | $2.1M | US, Germany, UK |
| ALPHV/BlackCat | ~310 (ceased Mar 2024) | Healthcare, Financial, Legal | $1.8M | US, EU, Australia |
| Play | ~350 | IT Services, Manufacturing, Retail | $900K | US, Germany, Benelux |
| Cl0p | ~275 (campaign-based) | Finance, Government, Healthcare | $1.5M | US, UK, Canada |
| Royal/BlackSuit | ~195 | Municipal Govt, Education, Manufacturing | $1.1M | US, Canada |
| Medusa | ~280 | Healthcare, Education, Government | $750K | US, EU, Philippines |
| Akira | ~240 | Professional Services, Technology, Healthcare | $650K | US, EU, APAC |
Sector Distribution
Manufacturing remained the most heavily targeted sector in 2024, accounting for approximately 18% of all documented ransomware incidents. This persistent targeting reflects the sector's combination of operational technology dependencies (which amplify the impact of downtime), historically lower cybersecurity maturity relative to regulated industries, and the presence of valuable intellectual property. Professional and business services organizations—including law firms, accounting practices, and consulting firms—constituted the second-most targeted sector at 14%, valued by ransomware actors for the downstream access they provide to client networks and the sensitivity of client data they hold.
Healthcare targeting accelerated significantly in 2024, rising from approximately 8% of incidents in 2023 to 12% in 2024. The Change Healthcare attack catalyzed heightened attention to the sector, and the willingness of healthcare organizations to pay (driven by patient safety imperatives and regulatory exposure) has made them increasingly attractive targets. The education sector similarly experienced growth, with universities and school districts accounting for 9% of observed incidents, driven by typically constrained security budgets and expansive, heterogeneous IT environments.
European Focus
European organizations experienced a disproportionate increase in targeting during 2024. Dark Angel's data shows that EU-based entities accounted for approximately 31% of all documented victims, up from 24% in 2023. Germany, the United Kingdom, France, Italy, and the Netherlands were the most heavily impacted nations. Several factors contributed to this shift: the proliferation of access broker listings for European organizations on Russian-language forums, geopolitically motivated targeting in the context of the Russia-Ukraine conflict (particularly affecting entities in Baltic states and Poland), and exploitation of NIS2 implementation inconsistencies across member states.
Organizations in NIS2 "essential" and "important" entity categories face elevated risk. Several ransomware groups are actively exploiting the transition period as member states implement national transposition measures, targeting organizations undergoing compliance-driven infrastructure changes that may temporarily introduce new attack surface.
Attack Vector Evolution
Initial Access Trends
The methods by which ransomware operators gain initial access to victim networks underwent significant evolution in 2024. Dark Angel's incident analysis across 380 engagements reveals three dominant initial access vectors, with notable shifts in their relative prevalence.
Exploitation of public-facing applications remained the single most common initial access vector, accounting for 38% of observed incidents. Critical vulnerabilities in VPN appliances and edge devices dominated this category: Ivanti Connect Secure (CVE-2024-21887, CVE-2023-46805), Citrix NetScaler (CVE-2023-4966 "Citrix Bleed"), Fortinet FortiOS (CVE-2024-21762), and Palo Alto PAN-OS (CVE-2024-3400) were the most frequently exploited. The pattern is consistent: ransomware operators maintain watch lists of newly disclosed vulnerabilities affecting perimeter devices and begin exploitation within 24–72 hours of proof-of-concept availability. Organizations that cannot patch within this window are at acute risk.
Compromised credentials and access brokers constituted the second-largest vector at 30% of incidents. The initial access broker (IAB) market on Russian-language forums grew substantially throughout 2024, with average listing prices for corporate VPN and RDP access declining from approximately $3,000 to $1,800—a price reduction that reflects both increased supply (driven by infostealer malware campaigns) and commoditization of the market. Access to European organizations specifically saw a 40% increase in forum listings. Dark Angel notes that the majority of IAB-sourced access originates from credentials harvested by infostealer malware (Raccoon, Lumma, RedLine, Vidar), which are then aggregated and sold through automated marketplaces and Telegram channels.
Phishing and social engineering accounted for 24% of initial access events but showed the most significant qualitative evolution. Traditional malicious document campaigns have been largely supplanted by callback phishing (vishing), Teams-based social engineering (as seen in BlackBasta operations), and the deployment of legitimate remote access tools through social pretexting. QR code phishing ("quishing") targeting corporate email users emerged as a notable trend in H2 2024, bypassing traditional email security controls by embedding malicious URLs in image-based content.
Dwell Time Analysis
Median dwell time—the interval between initial access and ransomware deployment—continued its multi-year decline, reaching approximately 5 days in 2024, down from 7 days in 2023 and 9 days in 2022. However, this aggregate figure obscures significant variance by group. Automated operations such as Cl0p's mass-exploitation campaigns may move from initial access to data exfiltration in under 24 hours. In contrast, BlackBasta and Play operations typically maintain access for 8–14 days, conducting methodical network reconnaissance, Active Directory enumeration, and selective data exfiltration before deploying the locker.
This compression of dwell times has critical implications for defenders. Organizations relying on traditional SOC workflows—with 24–48-hour investigation and triage cycles—may find that ransomware deployment occurs before an initial access alert has been fully investigated. The data strongly supports investment in automated response capabilities that can contain compromised hosts within minutes rather than hours.
Data Exfiltration Before Encryption
Double extortion—exfiltrating data before deploying encryption—is now the operational standard. Dark Angel's analysis indicates that 92% of ransomware incidents in 2024 involved confirmed or probable data exfiltration, up from 85% in 2023. The tools and techniques used for exfiltration have also evolved. Rclone remains the most commonly observed exfiltration tool, typically configured to upload to Mega.nz or attacker-controlled cloud storage. However, we have observed increased use of WinSCP, FileZilla, and custom exfiltration utilities designed to blend with legitimate file transfer activity.
A notable trend is the growth of exfiltration-only operations. Approximately 8% of incidents tracked by Dark Angel in 2024 involved data theft without any encryption component. This approach has tactical advantages for the attacker: it avoids triggering encryption-focused EDR detections, reduces operational complexity, and avoids the reputational risk associated with disrupting critical services (which can attract law enforcement attention). For victims, however, the impact can be equally severe, as the threat of data publication carries regulatory, reputational, and legal consequences regardless of whether systems were encrypted.
MITRE ATT&CK Mapping
The following MITRE ATT&CK techniques represent the most consistently observed TTPs across ransomware operations tracked by Dark Angel in 2024. This mapping is based on incident response data, malware analysis, and infrastructure intelligence across all major groups covered in this report.
T1486 — Data Encrypted for Impact remains the defining technique, though its implementation varies significantly by group. LockBit 3.0 employs intermittent encryption (encrypting fixed-size blocks at intervals rather than entire files) for speed, allowing encryption of a full enterprise network in under an hour. BlackBasta uses ChaCha20 combined with RSA-4096 for key encryption. Akira's Linux variant specifically targets VMDK and VMEM files on ESXi datastores, maximizing impact by encrypting the virtualization layer rather than individual guest OS file systems. Detection opportunities exist in monitoring for volume shadow copy deletion (vssadmin delete shadows), rapid file extension changes, and anomalous file I/O patterns.
T1560 — Archive Collected Data is observed in virtually all double extortion operations. Ransomware operators use 7-Zip, WinRAR, and custom archive utilities to stage data before exfiltration. Files are typically staged in C:\ProgramData, C:\Windows\Temp, or user profile directories. Detection of unusual archive creation activity in these directories, particularly when correlated with subsequent large outbound data transfers, provides a reliable indicator of pre-encryption data staging.
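The detection opportunities named for T1486 and T1560 (shadow copy deletion, rapid file extension changes, archive creation in staging directories) can be expressed as a few rules over endpoint telemetry. The following is an added example, not code from Dark Angel or from this report; the event schema (dicts carrying host, ts, type, image, cmdline, path) is a simplified Sysmon-like layout assumed for illustration, and the telemetry it runs over, including the `.lockedfile` extension, is constructed.

```python
"""Rule logic for the T1486 / T1560 detection opportunities described above.
Assumed event schema: {"host", "ts", "type" ("process" | "rename"), "image",
"cmdline", "path"}. All sample telemetry below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shadow-copy deletion commands commonly run immediately before encryption.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)
ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
# Staging locations named in the report; user profiles are matched by regex.
STAGING_DIRS = ("c:\\programdata\\", "c:\\windows\\temp\\")
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)


def in_staging_dir(path):
    p = path.lower()
    return p.startswith(STAGING_DIRS) or bool(USER_PROFILE.match(p))


def detect_shadow_copy_deletion(events):
    """Process-creation events whose command line deletes shadow copies."""
    return [e for e in events if e["type"] == "process" and SHADOW_DELETE.search(e["cmdline"])]


def detect_archive_staging(events):
    """Archiver launched with an output archive inside a staging directory.
    User-profile hits are noisy on their own; correlate with outbound volume."""
    hits = []
    for e in events:
        if e["type"] != "process" or e["image"].lower() not in ARCHIVERS:
            continue
        for tok in e["cmdline"].replace('"', "").split():
            if tok.lower().endswith((".7z", ".zip", ".rar")) and in_staging_dir(tok):
                hits.append((e["host"], tok))
    return hits


def detect_mass_rename(events, threshold=50, window=timedelta(seconds=60)):
    """Hosts where at least `threshold` files gain the same new extension
    within `window` (rapid file extension changes during encryption)."""
    per_key = defaultdict(list)  # (host, new_extension) -> timestamps
    for e in events:
        if e["type"] == "rename":
            ext = e["path"].rsplit(".", 1)[-1].lower()
            per_key[(e["host"], ext)].append(e["ts"])
    alerts = []
    for key, stamps in per_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def build_sample_events():
    """Constructed telemetry: one file server under attack, one benign workstation."""
    t0 = datetime(2024, 11, 3, 2, 14, 0)
    events = [
        {"host": "FS01", "ts": t0, "type": "process", "image": "cmd.exe",
         "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
        {"host": "FS01", "ts": t0 + timedelta(minutes=2), "type": "process", "image": "7z.exe",
         "cmdline": '7z.exe a -mx1 "C:\\ProgramData\\hr_export.7z" "D:\\Shares\\HR"'},
        {"host": "WS-02", "ts": t0, "type": "process", "image": "7z.exe",
         "cmdline": '7z.exe a "D:\\Builds\\release.7z" "D:\\Builds\\out"'},   # build output, not staging
        {"host": "WS-02", "ts": t0, "type": "process", "image": "vssadmin.exe",
         "cmdline": "vssadmin.exe list shadows"},                              # listing, not deleting
    ]
    for i in range(60):   # 60 files renamed to one new extension in 30 seconds
        events.append({"host": "FS01", "ts": t0 + timedelta(seconds=i * 0.5), "type": "rename",
                       "image": "", "cmdline": "", "path": f"D:\\Shares\\HR\\doc{i}.docx.lockedfile"})
    for i in range(5):    # a few ordinary renames elsewhere
        events.append({"host": "WS-02", "ts": t0 + timedelta(seconds=i), "type": "rename",
                       "image": "", "cmdline": "", "path": f"C:\\Users\\bob\\report{i}.bak"})
    return events


def run_detections(events):
    return {
        "shadow_copy_deletion": sorted({e["host"] for e in detect_shadow_copy_deletion(events)}),
        "archive_staging": detect_archive_staging(events),
        "mass_rename": detect_mass_rename(events),
    }


if __name__ == "__main__":
    print(run_detections(build_sample_events()))
```

The three rules fire independently on FS01 in the sample; in practice the shadow copy deletion and the archive staging hit would be correlated into a single case because each alone has benign explanations (backup software, a user zipping a folder), while the mass rename is the high-fidelity signal.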
T1566.001 — Spearphishing Attachment continues to serve as a primary initial access vector, though the payloads have evolved substantially. The shift from macro-laden Office documents (largely rendered ineffective by Microsoft's default macro blocking) to ISO/IMG containers, OneNote files with embedded scripts, and HTML smuggling payloads reflects ongoing adaptation to defensive measures. In 2024, Dark Angel observed increasing use of SVG file attachments containing embedded JavaScript that executes upon opening, a technique that bypasses many email gateway inspections.
T1078 — Valid Accounts is observed in approximately 30% of incidents and is directly linked to the growth of the infostealer ecosystem. Compromised VPN, RDP, and Citrix credentials purchased from IABs or harvested from stealer logs provide ransomware operators with authenticated access that bypasses perimeter security controls. Multi-factor authentication (MFA) bypass through session token theft, MFA fatigue attacks (repeated push notifications), and AiTM (Adversary-in-the-Middle) phishing kits such as EvilProxy and Tycoon 2FA has become a standard capability for sophisticated affiliates.
T1105 — Ingress Tool Transfer encompasses the deployment of post-exploitation frameworks and utilities following initial access. Cobalt Strike remains the most commonly observed C2 framework, but Dark Angel has documented a significant increase in the use of Brute Ratel C4, Sliver, and Havoc Framework—open-source or commercially available alternatives that generate fewer EDR detections. Additionally, groups increasingly abuse legitimate remote monitoring and management (RMM) tools such as AnyDesk, ConnectWise ScreenConnect (exploiting CVE-2024-1709), and Splashtop to maintain persistent access.
T1059 — Command and Scripting Interpreter is observed across all ransomware operations. PowerShell remains the dominant execution engine, used for reconnaissance, credential harvesting, lateral movement, and security tool disabling. Ransomware groups commonly execute encoded PowerShell commands to disable Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true), delete event logs, and deploy the ransomware payload. Increasing use of Python-based tooling and compiled .NET assemblies has also been documented.
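Because the Defender-tampering and log-clearing commands described above are usually passed to PowerShell as an encoded argument, a detection has to decode before it can match. The block below is an added example, not code from the report: it decodes `-EncodedCommand` payloads (PowerShell expects base64 of UTF-16LE text) and classifies the result against the defence-evasion actions the paragraph names. The sample command lines are constructed, and `encode_for_powershell` exists only to build them.

```python
"""Decode PowerShell -EncodedCommand arguments from process-creation command
lines and flag Defender tampering and event log clearing (T1059 / T1562).
Sample command lines are constructed for this example."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

SUSPICIOUS = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.IGNORECASE),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.IGNORECASE),
    "eventlog_cleared": re.compile(r"(Clear-EventLog\b|wevtutil(\.exe)?\s+cl\b)", re.IGNORECASE),
}


def decode_encoded_command(cmdline):
    """Return the decoded script when cmdline carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def classify(script):
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(script))


def analyse(cmdline):
    """Decode if encoded, then classify; plain-text PowerShell is checked as-is."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    return {"encoded": decoded is not None, "script": script, "findings": classify(script)}


def encode_for_powershell(script):
    """Only used to construct the samples: UTF-16LE, then base64, as PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: one tampering command, one benign script run, one benign encoded query.
SAMPLE_COMMANDS = [
    "powershell.exe -nop -w hidden -enc "
    + encode_for_powershell("Set-MpPreference -DisableRealtimeMonitoring $true; wevtutil cl Security"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    "powershell.exe -EncodedCommand "
    + encode_for_powershell("Get-Service | Where-Object Status -eq 'Running'"),
]


if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        r = analyse(c)
        print(r["encoded"], r["findings"], r["script"][:60])
```

Decoding at ingest time (for example in the SIEM parser for Sysmon event 1 or Windows 4688) is what makes the pattern match possible; the base64 text itself has no stable signature. Invalid base64 or non-UTF-16 content is returned as undecoded so the plain-text rules still run.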
T1021 — Remote Services facilitates lateral movement once initial access is established. RDP (port 3389) remains the most abused protocol, with operators using harvested credentials or pass-the-hash attacks to move between systems. SMB-based lateral movement using PsExec, WMIC, or similar tools is equally prevalent. Dark Angel notes that ransomware operators increasingly target administrative interfaces for VMware vCenter, Veeam Backup & Replication, and Active Directory Certificate Services (AD CS) to maximize the blast radius of their operations.
Defensive Recommendations
Based on Dark Angel's analysis of the 2024 ransomware landscape, we recommend the following prioritized defensive measures. These recommendations are ordered by estimated risk reduction impact and are designed to address the specific TTPs documented in this report.
- Patch edge devices within 72 hours of critical CVE disclosure. Exploitation of public-facing VPN appliances and edge devices is the single largest initial access vector. Organizations must maintain a near-real-time vulnerability management program for perimeter devices, with emergency patching procedures that can be executed within 24–72 hours. Prioritize Ivanti, Fortinet, Citrix, and Palo Alto devices.
- Deploy phishing-resistant MFA universally. FIDO2/WebAuthn hardware keys or passkeys should replace push-based and SMS-based MFA for all remote access services, VPN connections, and privileged accounts. Session token theft and AiTM phishing have rendered traditional MFA insufficient against sophisticated ransomware affiliates.
- Implement network segmentation with explicit micro-segmentation for critical assets. Ransomware operators consistently exploit flat network architectures to move from initial compromise to domain-wide encryption. Segment Active Directory infrastructure, backup systems (particularly Veeam and Commvault), and hypervisor management interfaces (vCenter, ESXi) into isolated network zones with explicit access controls.
- Monitor for exfiltration indicators. Given that 92% of ransomware incidents now involve data exfiltration, organizations should deploy data loss prevention (DLP) monitoring on egress points, alert on bulk archive creation (7z, RAR) in staging directories, and monitor for anomalous outbound data volumes to cloud storage services (Mega.nz, file.io, transfer.sh).
- Maintain immutable, offline backups with tested recovery procedures. Backup infrastructure is consistently targeted by ransomware operators. Ensure that at least one backup copy is stored offline (air-gapped) or in immutable cloud storage with retention locks that cannot be modified by compromised administrative credentials. Test full-environment recovery procedures quarterly.
- Harden Active Directory and credential infrastructure. Implement tiered administration models, restrict Domain Admin usage, deploy LAPS (Local Administrator Password Solution) or its cloud equivalent, and monitor for anomalous Kerberos ticket requests (Kerberoasting) and NTLM relay attacks. Regularly audit Group Policy Objects for unauthorized modifications.
- Establish pre-arranged incident response retainers. Given compressed dwell times, organizations without internal incident response capability should maintain retainer agreements with qualified IR firms. Pre-established relationships, scoping documents, and legal frameworks reduce time-to-containment during active incidents.
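The exfiltration-monitoring recommendation above (alert on anomalous outbound volumes to cloud storage such as Mega.nz, file.io, transfer.sh) is illustrated by the following added example, which is not code from Dark Angel or from this report. It aggregates bytes sent per internal host and destination from proxy logs and raises two kinds of alert. The log layout (timestamp, client IP, destination host, method, bytes sent) is a simplified constructed format, not any particular proxy's native one, and the thresholds and log lines are constructed.

```python
"""Egress aggregation for exfiltration indicators: per-host upload volume to
consumer file-sharing services and unusually large uploads to any destination.
Log format and sample lines are constructed for this example."""
from collections import defaultdict

FILE_SHARING_DOMAINS = {"mega.nz", "file.io", "transfer.sh"}   # services named in the report
MB = 1024 * 1024
UPLOAD_METHODS = {"POST", "PUT", "CONNECT"}   # CONNECT: TLS tunnels where bytes out is all we see


def parse_proxy_line(line):
    """Assumed layout: <timestamp> <client_ip> <dest_host> <method> <bytes_sent>."""
    ts, src, dest, method, bytes_out = line.split()
    return {"ts": ts, "src": src, "dest": dest.lower(), "method": method, "bytes_out": int(bytes_out)}


def is_file_sharing(dest):
    """Exact domain or any subdomain of a listed service; unrelated lookalikes do not match."""
    return any(dest == d or dest.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def aggregate_upload(lines):
    totals = defaultdict(int)   # (client_ip, dest_host) -> bytes sent
    for line in lines:
        rec = parse_proxy_line(line)
        if rec["method"] in UPLOAD_METHODS:
            totals[(rec["src"], rec["dest"])] += rec["bytes_out"]
    return totals


def find_exfil_candidates(lines, sharing_threshold=100 * MB, bulk_threshold=2 * 1024 * MB):
    """Low threshold for known file-sharing services, high threshold for any other destination."""
    alerts = []
    for (src, dest), sent in sorted(aggregate_upload(lines).items()):
        if is_file_sharing(dest) and sent >= sharing_threshold:
            alerts.append({"src": src, "dest": dest, "bytes_out": sent, "reason": "file_sharing_upload"})
        elif sent >= bulk_threshold:
            alerts.append({"src": src, "dest": dest, "bytes_out": sent, "reason": "bulk_upload"})
    return alerts


# Constructed proxy log: one host pushing 1.3 GB to mega.nz, one 3 GB upload to an
# unlisted destination, and ordinary traffic that must not alert.
SAMPLE_LOG = """\
2024-11-03T02:20:11Z 10.20.4.17 mega.nz PUT 734003200
2024-11-03T02:31:45Z 10.20.4.17 mega.nz PUT 629145600
2024-11-03T02:22:01Z 10.20.4.17 www.microsoft.com GET 1204
2024-11-03T09:14:02Z 10.20.7.33 transfer.sh POST 5242880
2024-11-03T10:02:50Z 10.20.9.8 files.example-cloud.test PUT 3221225472
2024-11-03T11:41:09Z 10.20.4.51 sharepoint.com POST 20971520
""".strip().splitlines()


if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_LOG):
        print(f'{a["src"]} -> {a["dest"]}: {a["bytes_out"] // MB} MB ({a["reason"]})')
```

The two-tier threshold reflects the report's point that Rclone uploads typically go to Mega.nz or attacker-controlled storage: a listed service warrants a low bar, while an unlisted destination needs a volume well outside normal business traffic. In production the bulk threshold would be derived from a per-host baseline rather than a constant, and hits would be correlated with the archive-staging events on the same host.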
Methodology
This report is based on data collected and analyzed by Dark Angel's threat intelligence research team across the following sources and timeframes.
Data Leak Site Monitoring: Continuous automated and manual monitoring of 47 active ransomware data leak sites on Tor throughout 2024. Victim counts are based on unique organizational entities posted to DLS, deduplicated across groups. Organizations posted by multiple groups are counted once and attributed to the primary operator based on payload analysis and infrastructure correlation.
Incident Response Data: Analysis of 380 ransomware engagements conducted by Dark Angel and partner firms between January and December 2024. Incident data includes initial access vector identification, dwell time calculation, tools and techniques observed, and ransom demand amounts where available. All organizational data has been anonymized.
Underground Forum Intelligence: Monitoring of Russian-language cybercriminal forums (XSS, Exploit, RAMP) and Telegram channels for IAB listings, affiliate recruitment, and operational discussions. Pricing data for initial access is derived from forum listings and does not reflect negotiated transaction values.
Technical Analysis: Malware reverse engineering, infrastructure analysis (domain registration patterns, hosting providers, SSL certificate fingerprinting), and cryptocurrency tracing conducted by Dark Angel's technical intelligence team.
Confidence Assessment: Data points presented in this report are assigned confidence levels using the Admiralty system. Statistics derived from DLS monitoring carry high confidence. Financial figures (ransom payments, demand averages) carry moderate confidence due to limited visibility into privately negotiated settlements. Forward-looking assessments carry low-to-moderate confidence and are presented as analytical judgments.