Kaspersky “State of Ransomware Report – 2025”: Global and Regional Insights for International Anti-Ransomware Day
- Bucharest Tech Week
- May 28
Ahead of International Anti-Ransomware Day on May 12, Kaspersky unveils its annual report on the global and regional ransomware threat landscape. This day aims to raise global awareness about the dangers of ransomware and to promote best practices for prevention and response.
According to data from the Kaspersky Security Network, the Middle East, APAC (Asia-Pacific), and Africa are the regions with the highest percentages of users affected by ransomware, while Latin America, the CIS (Commonwealth of Independent States), and Europe show lower rates. Globally, the share of ransomware victims increased by 0.02 percentage points between 2023 and 2024, reaching 0.44%. Although seemingly minor, this percentage is typical of ransomware attacks, which tend to target high-value victims rather than spread widely, resulting in fewer overall incidents.

In the Middle East and Asia-Pacific, ransomware affected a larger proportion of users due to accelerated digital transformation, an expanding attack surface, and varying levels of cybersecurity maturity. In APAC, large enterprises were primarily targeted, especially infrastructure and operational technologies in growing economies with newly adopted data protection laws.
In Africa, ransomware is less prevalent due to lower levels of digitalization and economic constraints that reduce the number of high-value targets. However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are rising, particularly in manufacturing, financial, and government sectors. Limited cybersecurity awareness and resources leave many organizations vulnerable, though the smaller attack surface means the region still lags behind the most impacted areas globally.
Latin America also faces ransomware threats, particularly in Brazil, Argentina, Chile, and Mexico. Manufacturing, government, and agricultural sectors, as well as critical areas like energy and retail, are often targeted. Nevertheless, economic constraints and lower ransom values can deter some attackers. Still, increasing digitalization across the region is leading to greater exposure to such threats.
Europe remains a consistent target for ransomware attacks but benefits from robust cybersecurity frameworks and regulations that dissuade many threat actors. Sectors such as manufacturing, agriculture, and education are frequently targeted. However, Europe’s mature incident response capabilities and high awareness levels help limit the scope of attacks. Thanks to its diversified economies and stronger defenses, the region is less attractive to ransomware groups compared to rapidly digitalizing areas with weaker security postures.
Current and Emerging Ransomware Trends
AI-driven tools are being increasingly used in ransomware development, as shown by the emergence of the FunkSec group at the end of 2024. This group quickly rose to prominence, surpassing established names like Cl0p and RansomHub, and claimed numerous attacks in December alone. Operating under the Ransomware-as-a-Service (RaaS) model, FunkSec employs double extortion tactics—encrypting and exfiltrating data—and targets public administration, technology, finance, and education sectors in Europe and Asia. What sets them apart is their heavy reliance on AI tools: their ransomware code includes AI-generated code with flawless annotations, likely produced by large language models (LLMs), which streamlines development and evades detection. Unlike most ransomware groups that demand millions in ransom, FunkSec adopts a high-volume, low-cost approach, seeking unusually low ransoms—a strategy that further emphasizes their innovative use of AI to optimize operations.
The RaaS model continues to be the dominant structure for launching ransomware attacks, accelerating their spread by lowering the technical barrier for cybercriminals. In 2024, RaaS platforms like RansomHub thrived, offering malware, technical support, and affiliate programs that share ransom proceeds. This model enables less-experienced actors to carry out sophisticated attacks, contributing to the rise of many new ransomware groups throughout the year.
In 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities. For example, the Akira group used a webcam to bypass endpoint detection and response (EDR) systems and infiltrate internal networks. Attackers are increasingly targeting overlooked entry points such as IoT devices, smart appliances, or misconfigured hardware in workplace environments—taking advantage of the larger attack surface created by interconnected systems. As organizations strengthen traditional defenses, cybercriminals will refine their tactics, focusing on stealth and lateral movement within networks to deliver more precise ransomware attacks—making detection and timely response significantly harder.
The proliferation of large language models (LLMs) tailored for cybercrime will further amplify the scale and impact of ransomware. LLMs sold on the dark web lower the technical threshold for creating malware, phishing campaigns, and social engineering attacks, enabling even novice actors to create highly convincing traps or automate ransomware distribution. As innovative concepts like Robotic Process Automation (RPA) and Low-Code platforms—offering AI-assisted, intuitive visual interfaces for rapid software development—become more widely adopted, ransomware developers are expected to leverage these tools to automate attacks and write new malware code, further escalating the ransomware threat.
“Ransomware remains one of the most urgent cyber threats facing organizations today, with attackers targeting businesses of all sizes and across all regions. Our report highlights a concerning shift toward exploiting overlooked entry points—including IoT devices, smart appliances, and misconfigured or outdated office hardware. These weak spots are often unmonitored, making them ideal targets for cybercriminals,” says Marc Rivero, Lead Security Researcher at Kaspersky’s GReAT team.
“To stay protected, organizations need a layered defense approach: updated systems, network segmentation, real-time monitoring, strong backups, and ongoing user education. Awareness at all levels is just as crucial as investing in the right technology.”
Read the full report on Securelist.com for more detailed insights into 2025 ransomware trends.
Kaspersky’s Best Practices for Ransomware Protection
Enable ransomware protection on all endpoints. Kaspersky offers a free Anti-Ransomware Tool for Business that safeguards PCs and servers from ransomware and other malware, prevents vulnerability exploitation, and is compatible with existing security solutions.
Keep software up to date on all devices to prevent attackers from exploiting known vulnerabilities.
Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay close attention to outbound traffic to spot cybercriminals' connections to your network. Configure offline backups that intruders cannot alter and ensure fast access to them when needed.
Deploy anti-APT and EDR solutions, activating capabilities for threat detection, investigation, and timely remediation. Provide your SOC team with the latest threat intelligence and professional training—available through Kaspersky Expert Security.
Leverage up-to-date Threat Intelligence to stay informed on the tactics, techniques, and procedures (TTPs) used by threat actors.
Use Kaspersky Next solutions to protect against a broad range of threats. These products offer real-time protection, threat visibility, and EDR/XDR capabilities tailored to organizations of any size and industry. Depending on your needs and resources, choose the most suitable product with the flexibility to scale as your cybersecurity requirements evolve.