Ransomware - Trends Analysis and Threat Evolution
Ransomware trends 2022-2025 - group rebranding, extortion without encryption, Operation Cronos, RaaS fragmentation. Data from ENISA, Chainalysis, Dragos.
Łukasz Drążek
Ransomware is no longer a problem for individual companies. In 2021-2022, the governments of many nations classified it as a national security threat. The response was multi-dimensional - from law enforcement actions, through new regulations, to the involvement of military and intelligence services. But have these efforts produced lasting results? Data from successive ENISA Threat Landscape reports (2022-2025) paints a more complex picture than a simple “attackers versus defenders” narrative.
TIP
This article covers trends from 2021 to 2025. If you are looking for the basics - what ransomware is, how it works, what variants exist - start with our ransomware guide. Best practices for prevention are covered in the article on ransomware prevention.
Key figures:
- 5,414 disclosed ransomware attacks globally in 2024
- 35% decline in ransom payments YoY ($813.55M in 2024)
- 85-119 active RaaS groups (ENISA/Dragos)
- approx. 17 months average time for a ransomware group to rebrand
Sources: Cyberint 2024, Chainalysis 2025, ENISA ETL 2025, Dragos 2026
Ransomware Groups in Law Enforcement Crosshairs
The intensification of law enforcement efforts in 2021-2024 produced tangible results. Several ransomware groups were forced to cease operations, and some even released decryption keys. International cooperation led to arrests of members from groups including REvil, Cl0p, NetWalker, LockerGoga, and MegaCortex.
Pivotal events:
- US military involvement - public reports indicate active US Cyber Command operations against ransomware group infrastructure
- REvil member arrests by FSB - Russia’s Federal Security Service conducted an operation that may have been motivated by geopolitical objectives
- White House initiative - coordination of the international response to ransomware (with the deliberate exclusion of Russia)
- Legal regulations - a ransom disclosure law requiring victims to inform the US government within 48 hours of payment
- Operation Cronos (February 2024) - an international operation led by the NCA that resulted in the seizure of LockBit infrastructure, identification of 188 affiliates, and securing of 2,200 BTC (approximately $112 million) in illicitly obtained funds
These actions force criminal groups to change their modus operandi - increasing operational security, changing their name, and sometimes shifting focus to smaller targets.
The Brand Carousel - a Survival Strategy
High-profile incidents such as the Colonial Pipeline attack led to unprecedented pressure on ransomware groups. In response, many adopted a strategy of “retiring” and rebranding. The average time for such a rebrand is approximately 17 months.
The reasons are pragmatic:
| Motivation | Example | Effect on Law Enforcement |
|---|---|---|
| Threat to tools/infrastructure | Publication of a decryption tool forces reorganization | Requires fresh technical analysis |
| Evading law enforcement scrutiny | Reducing visibility after a high-profile incident | Loss of operational context |
| Hindering attribution | Victims pay someone not subject to sanctions | Complicates legal proceedings |
| Internal conflicts | Reorganization allows resolution of tensions within the group | Potential informants |
Documented Rebranding Cases
- DoppelPaymer - continued operations as the Grief ransomware
- WastedLocker - cycled through the names Hades, Cryptolocker, Payloadbin, Macaw (spring-fall 2021)
- DarkSide - following the Colonial Pipeline attack, became BlackMatter, then BlackCat/ALPHV (confirmed February 2022)
- GandCrab - transformed into REvil, changing identity and operational strategies
- LockBit - after Operation Cronos (2024), returned as LockBit 4.0, then LockBit 5.0 (“ChuongDong”) in September 2025
During 2021-2022, families such as Egregor, REvil, BlackMatter, and DoppelPaymer disappeared from the cybercrime landscape. At the same time, new ones emerged, often exhibiting technical similarities to those that had “retired.”
Ransomware by the Numbers - 2022 vs 2024
| Metric | 2022 (ENISA ETL 2022) | 2024 (ENISA ETL 2025) |
|---|---|---|
| Disclosed ransomware attacks globally | approx. 3,640 | 5,414 |
| FBI IC3 complaints | approx. 2,385 | 3,156 (+11.7% YoY) |
| Losses reported to IC3 | $34.3M | $12.4M (note: lower due to decline in ransom payments) |
| Active RaaS groups | approx. 30 | 85 distinct operations (ENISA); 119 targeting industry (Dragos) |
| Decline in ransom payments (YoY) | - | -35% in 2024 |
NOTE
The difference in group counts (85 per ENISA vs 119 per Dragos) stems from methodology: ENISA counts global RaaS operations, while Dragos tracks groups specifically targeting industrial organizations (including affiliates operating under different brands). Both figures are correct - they measure different things.
WARNING
The decline in ransom payments in 2024 does not mean a decline in the number of attacks. Quite the opposite - the number of incidents is rising, but organizations are increasingly refusing to pay, and law enforcement is more effectively recovering funds.
Data Exfiltration and Extortion Without Encryption
Since 2021, multi-extortion has become a clear trend. Ransomware groups began to realize that data theft alone could suffice to obtain a ransom - without the need to encrypt the victim’s systems.
This model operates on several levels:
- Data theft - exfiltration of sensitive information before any encryption
- Publication threats - dedicated Tor sites for publishing stolen data
- Leveraging insurance policies - groups such as LAPSUS$ and Karakurt reference the victim’s cyber insurance policy during negotiations
- Dedicated marketplaces - emergence of platforms for selling stolen data
Hacktivism as a new ransomware distribution channel is a trend visible since 2024. Groups such as CyberVolk, operating in Russian interests, began promoting and distributing multiple ransomware strains (AzzaSec, HexaLocker, Parano), combining ideological and financial motivations.
What This Means for Organizations
Solid backup strategies are necessary but insufficient. Organizations must also implement security controls focused on detecting and preventing data exfiltration - in line with the tactics described in MITRE ATT&CK (TA0010 Exfiltration).
Minimum Protection Checklist:
- Outbound network traffic monitoring (DLP, NetFlow analysis)
- Network segmentation to limit lateral movement
- Monitoring of large data transfers to external services
- Access controls for sensitive data repositories
- Regular incident response exercises
- Review and update of data access policies
- Implementation of the principle of least privilege for accounts with remote access
- Dark web monitoring for leaked credentials
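As an added defender-side example (not code from the original article), the Python script below implements the "monitoring of large data transfers to external services" item of the checklist over constructed NetFlow-style records: it sums the bytes each internal host sends to non-RFC 1918 destinations, ignores internal-to-internal copies, and flags hosts above an assumed 1 GB threshold. The record format, sample addresses and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records (assumed format): timestamp,src,dst,dst_port,bytes_sent
SAMPLE_FLOWS = """\
2024-03-01T02:10:05Z,10.0.5.21,10.0.5.2,445,18000000
2024-03-01T02:11:40Z,10.0.5.21,203.0.113.10,443,2100000000
2024-03-01T02:12:10Z,10.0.5.21,203.0.113.10,443,1900000000
2024-03-01T09:15:00Z,10.0.7.14,198.51.100.7,443,3500000
2024-03-01T09:16:00Z,10.0.7.14,198.51.100.7,443,4200000
2024-03-01T10:00:00Z,10.0.9.3,192.168.1.50,22,950000000
"""

# RFC 1918 ranges are treated as "inside"; everything else counts as an external service
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(text):
    """Turn the CSV-like export into a list of flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows

def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def flag_exfiltration(flows, threshold_bytes=1_000_000_000):
    """Return (host, total_bytes, busiest_external_dst) for internal hosts whose
    outbound volume to external destinations exceeds the threshold (assumed 1 GB).
    Internal-to-internal flows (e.g. SMB copies to a file server) are ignored."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            per_dst[f["src"]][f["dst"]] += f["bytes"]
    alerts = []
    for host, dsts in per_dst.items():
        total = sum(dsts.values())
        if total > threshold_bytes:
            alerts.append((host, total, max(dsts, key=dsts.get)))
    return sorted(alerts)

if __name__ == "__main__":
    for host, total, dst in flag_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {host} sent {total / 1e9:.1f} GB to external hosts (mostly {dst})")
```

In production the threshold should be derived from each host's own baseline rather than a fixed value, and the busiest destination is the first pivot for the incident responder.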
Future Outlook
Ransomware remains one of the most serious threats to organizations and national security. Data from ENISA reports (2022-2025) points to several persistent trends:
- Ecosystem fragmentation - following Operation Cronos, the ransomware ecosystem split into dozens of smaller groups (85-119 depending on methodology), including many entirely new ones
- Law enforcement actions are producing results (35% decline in ransom payments), but are not eliminating the problem
- Hacktivism is merging with ransomware - ideologically motivated groups are adopting ransomware as a funding source
- The extortion-without-encryption model is gaining popularity
- Ransomware is increasingly a tool of state actors, not just criminal groups
Organizations that want to effectively protect themselves against ransomware should treat this threat as a business problem requiring a comprehensive approach - from technical security controls, through incident response procedures, to regular team exercises. SEQRED helps organizations assess ransomware resilience through penetration testing and attack simulations.