In the first half of 2025, the average ransom payment in global ransomware attacks reached $841,000, according to data from Coveware by Veeam. Quarter over quarter, the median payment doubled. Cybercriminals most often targeted companies in professional services (including legal and accounting firms), as well as healthcare institutions and public administration. Nearly 66% of all analyzed attacks hit businesses employing between a dozen and 1,000 staff. Social engineering is increasingly becoming the primary method of deceiving employees to gain access to corporate IT systems.
A Fragmented Cybercrime Landscape
Between January and June 2025, the global cyberthreat landscape remained fragmented, with growing uncertainty about the future direction of ransomware groups. Successful law enforcement operations in recent years have dismantled many large hacker organizations. Their place is increasingly taken by independent operators, or so-called lone wolves, who employ simpler and harder-to-detect manipulation methods.
The Ransomware-as-a-Service (RaaS) model—based on providing ready-made ransomware tools to other hackers—is losing importance. Declining profits, higher risks of exposure, and internal conflicts and scams among partners are undermining this business model.
Smaller Companies in the Crosshairs
Two out of three security incidents in the first half of 2025 involved firms with 11 to 1,000 employees. Quarter by quarter, there is also a gradual rise in attacks against microbusinesses with up to 10 employees—these accounted for 4% of victims in Q2. At the other end of the spectrum, the largest corporations with over 25,000 employees were victims in just 8% of incidents.
This low percentage likely reflects the fact that big organizations typically have more mature cybersecurity programs and larger defense budgets. However, the growing involvement of state-sponsored groups could reverse this trend. For such actors, large companies are attractive not only for potential financial gain but also because of the strategic value of their data and their ability to disrupt entire economies.
Ransomware Targets Specific Sectors
Hackers no longer choose victims randomly. Industry plays an increasingly important role. In the first half of 2025, the top three targeted sectors were:
- Professional services (17%), including law firms, accounting, and consulting companies,
- Healthcare (15%),
- Public administration (11%).
These sectors share a common trait: they process sensitive data and often have obligations to maintain uninterrupted operations. Even short business or operational disruptions create strong pressure to comply with criminals’ demands.
From File Encryption to Data Theft
File encryption was present in nearly 90% of ransomware incidents analyzed by Coveware by Veeam. However, it increasingly serves only as an additional layer of pressure rather than the main objective. In nearly three out of four cases, the primary tool of extortion was data theft and the threat of public release.
In 63% of incidents, attackers took over more elements of company IT infrastructure, while in half of all cases they actively tried to bypass protections—disabling security systems or hiding their presence. A notable trend is manipulation of backup systems: hackers alter update schedules or delete selected backups so that recovery problems surface only when the company tries to restore normal operations.
An Attack Starts with an Innocent Call
One of the strongest trends in early 2025 was the surge in attacks based on social engineering, i.e., manipulating employees to gain access to company systems. Two scenarios dominated:
- Impersonating an employee to trick IT support into granting account access or additional privileges.
- Pretending to be IT staff and convincing workers to install remote-access software, allowing attackers to seize control of the victim’s device.
Until recently, such techniques were mostly used by English-speaking groups with the language skills to conduct convincing conversations. Today, they are spreading globally, becoming a core tactic in cybercriminals’ arsenal.
Education and Resilience Drills
As cyberattacks increasingly target people rather than infrastructure, companies must strengthen resilience not only through technology but also through procedures and employee awareness. Investment in education is crucial—from training staff to recognize manipulation, to regular “resilience drills” modeled on fire drills, where employees practice responding to potential incidents.
Equally important is testing various attack scenarios in practice to prepare organizations for crisis situations before they occur.
Author: Tomasz Krajewski, Technical Sales Director for Eastern Europe at Veeam
Source: CEO.com.pl
