Ransomware continued to cause financial damage throughout Q1 2025 

Ransomware remains a significant threat, wreaking havoc across both the public and private industry sectors globally. Criminal organisations are using it to encrypt their targets’ data, making it inaccessible unless a decryption key is obtained by paying the ransom.

The escalating threat landscape  

As we highlighted in our Global Cyber Risk 2025 Report, ransomware groups have the potential to severely disrupt the operations of businesses worldwide based on their unrelenting targeting behaviour and the resulting huge financial impacts. These criminal actors employ a variety of extortion tactics to pressure their victims into paying a ransom:  

  • Single extortion: This can involve restricting access to the data via encryption
  • Double extortion: Exfiltrating the data and then threatening to publicly release it
  • Triple and quadruple extortion: Ramping up the pressure by launching distributed denial-of-service (DDoS) attacks or extorting third parties impacted by the stolen data 

To add to the chaos, we’ve noticed ransomware actors are now demanding higher initial ransom amounts on average compared to previous periods. This trend indicates a growing aggressiveness among cybercriminals, further emphasising the need for robust defensive measures. You can browse our large collection of malware reports and threat actor profiles on our website.

Quorum Cyber Threat Intelligence ransomware statistics 

Based on our interaction with ransomware actors throughout Q1 2025, we have found that the average initial ransom demand has increased by approximately 59% compared to the 2024 average: 

  • 2024 total average (across 12 months): US$1,136,462 (£862,547) 
  • Q1 2025 average (January-March): US$1,815,666 (£1,408,798)

* Only initial ransom demands between US$10,000 and US$10,000,000 have been reported to remove data outliers

**US Dollar to Pound Sterling conversion based on global exchange rate as of 14th April 2025 

Why is the average initial ransom demand increasing? 

During 2024, ransom payments decreased by 35% from 2023. There is a realistic possibility that the increase in initial demand seen in Q1 2025 is the threat actors’ attempt to maintain high levels of profitability. This increase in initial ransom demand could also be driven by competing gangs seeking to ensure that their offerings are more lucrative for affiliate partners compared to alternative options, whilst enhancing their reputation within the cybercrime underworld.

How to defend your organisation against ransomware  

Ransomware operators use several different methods to access their targets. Two of the main forms of infiltration involve exploiting vulnerabilities found in software products as well as abusing leaked credentials from the dark web:

  • Vulnerability exploitation: To remain a step ahead of ransomware actors exploiting vulnerabilities, we recommend that organisations maintain a strong, intelligence-led patching policy that prioritises vulnerabilities that are under active exploitation or those that have a published proof of exploit.
  • Dark web monitoring: Organisations should invest in dark web monitoring solutions to identify any leaked credentials before they can be used in an attempted attack. 
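
To make the intelligence-led patching recommendation above concrete, the following added example (not Quorum Cyber's code) ranks open findings by exploitation evidence first and CVSS second, next to a severity-only ordering for contrast. The finding identifiers, asset names, field names and remediation windows are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed remediation windows in days per tier (illustrative, not from the report).
SLA_DAYS = {"exploited": 2, "poc": 7, "routine": 30}
TIER_ORDER = ["exploited", "poc", "routine"]


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed placeholder, not a real CVE number
    asset: str
    cvss: float
    actively_exploited: bool  # threat intelligence reports in-the-wild exploitation
    public_poc: bool          # a proof of exploit has been published


def tier(f: Finding) -> str:
    """Exploitation evidence decides the tier; CVSS only orders within a tier."""
    if f.actively_exploited:
        return "exploited"
    return "poc" if f.public_poc else "routine"


def prioritise(findings):
    """Return (finding, tier, sla_days) tuples in intelligence-led patch order."""
    ranked = sorted(
        findings,
        key=lambda f: (TIER_ORDER.index(tier(f)), -f.cvss, f.vuln_id),
    )
    return [(f, tier(f), SLA_DAYS[tier(f)]) for f in ranked]


def severity_only(findings):
    """Baseline for comparison: highest CVSS first, ignoring intelligence."""
    return sorted(findings, key=lambda f: (-f.cvss, f.vuln_id))


# Constructed sample inventory.
SAMPLE = [
    Finding("VULN-A", "vpn-gateway", 7.5, True, True),
    Finding("VULN-B", "intranet-wiki", 9.8, False, False),
    Finding("VULN-C", "mail-server", 8.1, False, True),
    Finding("VULN-D", "file-server", 6.5, True, False),
]

if __name__ == "__main__":
    for f, t, days in prioritise(SAMPLE):
        print(f"{f.vuln_id:7} {f.asset:14} cvss={f.cvss:<4} tier={t:9} patch within {days}d")
```

On the sample data the severity-only ordering puts the CVSS 9.8 finding first, while the intelligence-led ordering moves both actively exploited findings ahead of it despite their lower scores.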

Additional security best-practices include: 

  • Offline, encrypted backups: Maintaining offline, encrypted backups of critical data to ensure data recovery without paying ransom
  • Zero-trust architecture: Implementing a zero-trust architecture to prevent unauthorised access to data and services
  • Endpoint Detection and Response (EDR): Invest in an EDR solution, such as the Microsoft Defender suite, to block ransomware attempts in the early stages of an attack.  

By taking these proactive steps, you can significantly enhance your organisation’s resilience against ransomware threats. Stay informed about the latest trends and continuously adapt your cyber security strategies to defend against the ever-evolving tactics of cybercriminals.  

For more detailed insights and recommendations, be sure to check out our comprehensive Global Cyber Risk 2025 Report and explore our comprehensive range of managed services.

Does your organisation need help? 

For an emergency requiring urgent assistance, please call our Emergency Incident Response team on 0800 029 1305 (UK) or +1 888 346 0166 (US). 

If you need support to defend your organisation against the growing threat of ransomware, reach out to our expert team to discuss how we can support you. Our Cyber Security Incident Response (CSIR) is approved by CREST, an international not-for-profit accreditation and certification membership body that represents the global cyber security industry. Worldwide, only a small number of cyber security providers have achieved this accreditation, which is fully endorsed by GCHQ and CPNI, highlighting Quorum Cyber’s commitment to continuous improvement of standards and quality of service.  

Contact us today to learn more about how we can help safeguard your organisation.  
