Veeam recently released its annual ransomware report to raise awareness of the modern ransomware crisis and share knowledge on how threat actors target their victims. This latest report highlights the top 6 ransomware trends observed this year and offers insights into its expected evolution.
In this report, Veeam surveyed IT leaders, Chief Information Security Officers (CISOs), and security professionals in 1,300 organizations around the world to see how they recovered from cyber-attacks.
The purpose of this blog is to summarize Veeam's 18-page report into a short analysis of each of the six trends highlighted, key success factors for how organizations successfully recovered from cyber threats, and the positive impacts of shifting to a proactive cybersecurity stance.
The Top 6 Trends of Ransomware in 2025
#1: Law Enforcement Forces Threat Actors to Adapt
In 2024, law enforcement agencies successfully dismantled several major ransomware groups, including LockBit, BlackCat, and Black Basta. While these takedowns were a significant step forward in cyber defense, they prompted a shift in ransomware—much like a virus adapting to bypass new vaccines.
Smaller threat actors and independent cybercriminals have proliferated, increasingly targeting small and medium-sized enterprises (SMEs) with weaker defenses. Additionally, some groups have moved away from high-profile critical infrastructure attacks to avoid law enforcement scrutiny, adapting their strategies for continued operation.
#2: Data Exfiltration Attacks Grow
Ransomware actors prioritize data exfiltration as a primary tactic, with a growing number of victims paying ransoms without encryption ever occurring. This shift toward "smash and grab" attacks often exploits poorly secured cloud applications and infrastructure, and is accompanied by a rise in double extortion, where stolen data is both locked and threatened with publication.
At the same time, attackers have dramatically reduced dwell time—the period between initial compromise and attack execution—with some top ransomware groups operating within 24 hours of breaching a network. Leveraging lateral movement and targeting critical infrastructure like VMware ESXi hypervisors, these groups force victims into paying, particularly when weak cybersecurity defenses make detection and containment more difficult.
#3: Ransomware Payments Are Decreasing
Ransomware payments declined from 2023 to 2024, marking a positive shift in cyber resilience. Over a third of affected organizations refused to pay (36%), and 25% recovered their data without a ransom. Those who did pay often negotiated lower amounts, with 60% paying less than half the initial demand. And it’s worthwhile to mention that 17% of respondents still paid the ransom but never recovered their data.
Incident response experts are key contributors to these facts—companies working with Coveware by Veeam were significantly less likely to pay, reinforcing the value of proactive cybersecurity measures.
Organizations are resisting ransomware demands due to the lack of conviction that they’ll get their data back—hackers often fail to release data even after payment. To counter this, many have strengthened their incident response strategies, finding vendors that provide immutable backups to ensure data protection and recovery without paying a ransom.
#4: Emerging Legal Consequences of Ransom Payments
Increasing regulatory pressure and coordinated enforcement across jurisdictions have also contributed to the decline in ransom payments. The International Counter Ransomware Initiative (CRI) has united 68 countries in disrupting ransomware operations, with 40 members pledging to discourage organizations from paying ransoms.
“69% of organizations that paid a ransom were attacked more than once.”
—2025 Ransomware Trends & Proactive Strategies
Some governments, including the UK and two U.S. states, have enacted or proposed laws prohibiting public sector ransom payments. Additionally, the FBI warns against paying ransoms, and the U.S. Treasury has stated potential sanctions risks, reinforcing the need for organizations to evaluate the legal repercussions of paying the ransom when in crisis.
#5: Collaboration Reinforces Resilience Against Ransomware
Security teams are stretched thin due to multiple attack vectors. Improving collaboration between IT operations and security teams helps organizations strengthen their defenses since company-wide change never comes to fruition in a silo. However, 52% say major changes are needed to align these groups.
Meanwhile, technology providers are working together to share ransomware insights and offer security solutions. Reporting cyberattacks to law enforcement and industry networks also helps organizations stay ahead of threats.
#6: Budgets Rise for Security and Recovery, but More is Needed
Of organizations surveyed, 94% increased their recovery budget for 2025 and 95% increased their prevention budget. Despite increased cybersecurity and recovery budgets, organizations still face significant gaps in ransomware defenses; the need for more resources is outpacing the budget supporting it. Veeam observed that organizations tend to prioritize security over recovery—although a balance should be struck, underinvestment in either can be a potential vulnerability to threat actors.
Key Success Factors
Recovering from a ransomware attack requires swift action and a structured approach. Organizations can strengthen their recovery by acting quickly to contain the breach, prioritizing data restoration over ransom payments, and enhancing security to prevent future incidents. Effective recovery also depends on coordination across teams and continuous employee training to improve cyber awareness.
At the core of a resilient strategy is the ability to maximize data and system recovery: for example aiming for the restoration of over 80% of servers and 90% of affected data. Equally critical is improving preparedness through rigorous cybersecurity exercises, validated backup strategies, and frequent testing, especially since organizations often overestimate their readiness, with confidence dropping by an average of 20% post-attack. Emphasis on Proactivity.
Veeam urges all readers to shift from a reactive to a proactive position on cyber resilience and recovery. Put a plan together before ransomware strikes since it’s a question of when, not if. At Object First, we follow an “Assume Breach” mindset that accepts individuals, devices, and services attempting to access company resources are compromised and should not be trusted. The best way to plan for a resilient and successful recovery is to secure data repositories with immutable backups and backup verification so attackers can't modify or delete recovery files.
Veeam reports that only 32% of respondents used immutable repositories, despite 89% of organizations reporting that attackers targeted their backups. Given this persistent threat, securing backups with immutability is critical. Your true last line of defense isn't AV, IAM, IDS, EDR, or XDR—it’s a secure, immutable backup solution, and cybercriminals know it.
