In 2025, ransomware and digital extortion didn’t just keep pace with past years; they surged in ways that are worrying cybersecurity teams and businesses alike. According to Intel 471’s threat report, cybercriminals stepped up the pressure dramatically, with extortion-related breach events jumping about 63%, reaching roughly 6,800 incidents last year. That’s a significant leap compared with 2024 and highlights how profitable and prevalent ransomware-style extortion has become.
What makes this trend particularly troubling is how ransomware has evolved. It’s no longer just about locking up files and demanding a ransom. Today’s attacks often combine file encryption with data theft and threats to publish or sell stolen information, a tactic called double extortion. In fact, industry analysts note that these hybrid approaches have become alarmingly common, with some reports saying data-only extortion attacks climbed 23% in 2025 compared with the prior year, once they’re included in the overall extortion count.
Who’s Being Hit and How
Intel 471’s analysis, which draws on activity observed on dark web forums and threat intelligence feeds, paints a pretty clear picture of who’s feeling the pain: professional services firms, manufacturing companies, and vendors in consumer and industrial sectors reported a disproportionate number of extortion cases. Many of these breaches didn’t start with a direct attack on the final victim at all; they began with attackers compromising a smaller supplier, service provider, or managed IT vendor. This so-called supply chain attack gives criminals a backdoor into multiple downstream networks at once.
That’s dangerous because organizations often trust their partners and don’t stop to scrutinize their security. As Intel 471 researchers put it, by exploiting that trust, attackers can “bypass robust defenses and achieve a much greater impact with significantly less effort.” In plain terms: a weak link in one company can expose an entire ecosystem of clients.
The Broader Landscape
Intel 471 isn’t the only organization tracking this uptick. Other cybersecurity reports found that ransomware overall was involved in nearly 44% of all breaches in 2025, up from about 32% in 2024, and that recovery and disruption costs can reach an average of more than $5 million per incident even when no ransom is paid.
Global cost projections back this up. One survey of ransomware impact estimates around $57 billion in annual damage costs worldwide in 2025, which works out to roughly $156 million per day or $2,400 every second.
At the same time, some specialists point out that the profile of attackers is changing. As reported by TechRadar, the overall number of active ransomware groups ballooned in 2025, with more than 120 distinct gangs operating and dozens of new ones cropping up. Groups like Qilin, Scattered Spider, LAPSUS$, and ShinyHunters headline the shift toward smaller, more agile actors that run automated “ransomware-as-a-service” operations, meaning less technically skilled criminals can lease tools and attack infrastructure without building their own malware.
Response and Predictions for 2026
What’s ahead? The Intel 471 report anticipates that extortion and ransomware won’t slow down. One reason is the near-constant stream of newly disclosed software vulnerabilities, more than 40% of which were exploited by attackers in 2025 alone, according to the same research. These flaws give criminals fresh entry points into corporate networks.
But there are signs of resistance. Some organizations are pushing back against paying ransoms, and evolving legislation in several countries aims to reduce payouts. If fewer companies acquiesce to attackers’ demands, ransomware and extortion groups may have to rethink their pressure tactics, potentially preferring deeper engagement strategies like targeted social engineering, credential theft, or financial fraud.
Experts also expect automation and AI to play an increasingly complex role. While Intel 471 suggests AI will not replace traditional malware as the core threat vector, it may amplify attacks by enabling more effective phishing, voice-based social engineering, or synthetic identity misuse.
What This Means for Businesses
The bottom line is clear: ransomware and extortion are no longer fringe threats. They’re central to the modern cybercrime economy and constantly shifting. Strategies that focused solely on backup and restore are no longer sufficient; defenders must invest in vulnerability management, supply chain security, identity protection, and real-time threat hunting to stay ahead. And with the stakes so high, billions in potential losses, reputational harm, and operational disruption, companies that overlook these threats do so at their peril.
Spotify
Apple Podcasts
Podbean
YouTube