May 12 marks Anti-Ransomware Day, a global awareness initiative created by INTERPOL and Kaspersky to commemorate the 2017 WannaCry outbreak. That infamous ransomware campaign crippled hundreds of thousands of systems worldwide, from UK hospitals to global logistics networks, and its modern descendants are more dangerous, stealthier and relentlessly adaptive.
While WannaCry marked a turning point, it was just the beginning of ransomware’s evolution into today’s multibillion dollar criminal enterprise. As we mark this year’s Anti-Ransomware Day, it’s time to look at how the threat has changed — and what lies ahead.
From File Lockers to Full-Blown Extortion Ecosystems
Ransomware has rapidly evolved from simplistic file encryption schemes into sophisticated, multi-stage extortion operations. The once-common approach of locking files and demanding payment for a decryption key is now often replaced — or supplemented — by data exfiltration, public shaming of the company and individual victims, even DDoS attacks and more.
According to Check Point Research, in Q1 2025, ransomware reached record-breaking levels, with 2,289 victims published on data leak sites (DLS) — a 126% year-over-year increase. This spike is not just a reflection of growing threat volume, but also of the changing tactics used by attackers.
Groups like Cl0p, now one of the most prolific actors, have largely abandoned file encryption in favor of pure data extortion. Their attack on the Cleo file transfer platform in early 2025 impacted over 300 organizations, with 83% of victims located in North America and a significant concentration in logistics and manufacturing sectors.
In future, triple extortion models – involving DDoS, public leak threats, and direct harassment of customers or partners for public shaming – are expected to become more common.
Ransomware-as-a-Service (RaaS): Lowering the Barrier to Entry
The growth of ransomware-as-a-service (RaaS) has democratized cyber crime. According to Check Point External Risk Management’s 2024 Annual Ransomware Report, in 2024 alone, 46 new ransomware groups emerged — a 48% increase in active groups compared to the previous year. These groups offer ready-made ransomware kits, customer service portals, and revenue sharing models that make it easier than ever for low-skill attackers to launch sophisticated campaigns.
One such group, RansomHub, became the most dominant ransomware group of 2024, claiming 531 victims, surpassing even LockBit. The success of RaaS means that ransomware groups are now operating like SaaS startups — agile, scalable, and dangerously efficient.
AI Enters the Chat: Smarter, Faster, Harder to Detect
Ransomware threats in 2025 are not just more frequent — they’re smarter. The use of AI-generated malware, AI-written phishing lures, and even deepfake impersonations are redefining how these attacks are carried out. Emerging groups like FunkSec are already deploying AI-generated ransomware payloads, reducing the time and skill needed to launch attacks. Another means by which AI is also being used to bypass EDR (endpoint detection and response) systems was seen when attackers used legitimate tools to disable security software during intrusions.
According to Check Point, AI-enhanced ransomware will enable criminals to scale faster, adapt quicker, and automate targeting across the supply chain. Organisations can expect 2–3 major supply chain ransomware attacks as we progress through the year, with AI playing a key role.
Fabricated Victims and Fake Leaks: The Disinformation Playbook
Modern ransomware groups are increasingly focused on psychological manipulation. Some, like Babuk-Bjorka, now publish fake or recycled victim data to exaggerate their reach and intimidate others into paying. This tactic makes it harder to track actual incidents and underscores ransomware’s shift from pure encryption to full-spectrum coercion.
At the same time, data leaks and public shaming have become primary pressure tactics. In many cases, victims first discover an attack not when their systems go down — but when stolen data appears online.
The Growing Ransomware Menace : What Organizations Must Do Now
According to Check Point External Risk Management’s ransomware report, the United States remained the most targeted country in 2024, accounting for 50.2% of all ransomware cases. The business services, manufacturing, and retail sectors were hit hardest — sectors that store sensitive data and rely heavily on uptime. In developing countries like India, ransomware attacks spiked by 38% year-over-year, driven by growing digital adoption and hybrid work environments.
As ransomware grows more agile, AI-powered, and psychologically manipulative, the traditional patch-and-backup model is no longer enough. To stay ahead, organizations must:
- Adopt zero trust architecture – Never trust, always verify. Enforce identity checks and restrict lateral movement.
- Supply chain hardening – Assess third-party risks and monitor partner networks for vulnerabilities.
- Leverage AI for defense – Just as attackers use AI, defenders must employ AI-driven threat detection and SOC co-pilots for real-time detection and prioritization.
- Prepare for data extortion – Encrypt sensitive data in transit and at rest. Assume data theft is part of every ransomware playbook.
- Invest in cyber insurance and compliance – With regulations tightening, security teams must ensure compliance frameworks are met to qualify for insurance coverage and avoid fines.
Prepare for Ransomware Attacks
The ransomware threat has matured far beyond its 2017 origins. Today, it’s not just about encrypted files — it’s about stolen data, destroyed reputations, and disrupted supply chains.
Ransomware is no longer a technology problem — it’s a business resilience issue. Leaders must treat cyber preparedness as seriously as financial health or legal compliance.
This Anti-Ransomware Day, take a moment to reflect not just on how far the threat has come — but on what you can do today to prevent becoming tomorrow’s headline.