(Moscow, 9th) In line with the upcoming "International Anti-Ransomware Day" (May 12), Kaspersky released the 2025 annual "Ransomware Status Report" on May 7, providing an in-depth analysis of global and regional ransomware threat trends, and calling on all sectors to raise awareness of preventing and responding to ransomware attacks.
According to data from Kaspersky Security Network, the global proportion of users attacked by ransomware increased by 0.02 percentage points from 2023 to 2024, reaching 0.44%. Although the proportion seems low, it remains highly alarming as ransomware attacks typically target high-value targets and are not spread on a large scale.
The data shows that users in the Middle East, Asia-Pacific, and Africa have the highest proportion of ransomware attacks, with the Middle East at 0.72%, Asia-Pacific at 0.60%, global average at 0.44%, Africa at 0.41%, Latin America at 0.33%, Commonwealth of Independent States (CIS) at 0.32%, and Europe at 0.28%.
Kaspersky pointed out that the Asia-Pacific and Middle East regions have become major hotspots for ransomware attacks due to rapid digital transformation, wide attack surface, and uneven network security maturity. The issue is particularly severe in emerging economies where infrastructure and operational technology frequently suffer attacks.
Although Africa has a lower degree of digitalization, limiting attack targets, the trend of attacks is rising with countries like South Africa and Nigeria accelerating the development of the digital economy, and where manufacturing, financial, and government departments become emerging attack targets. Many institutions continue to be exposed to risks due to insufficient network security awareness and resources.
Major victim countries in Latin America include Brazil, Argentina, Chile, and Mexico. Attacks are concentrated mainly in key areas such as manufacturing, government, agriculture, energy, and retail. Although attackers are limited by the regional economic scale and lower ransom amounts, the overall exposure is increased by regional digital development.
In the CIS, the proportion of attacks is relatively low, but radical groups like Head Mare and Twelve frequently use ransomware such as LockBit 3.0 to carry out destructive attacks in manufacturing, government, and retail sectors. Uneven network security development further complicates this region's risks.
Europe, while continuously facing ransomware threats, contains the attack scale due to its sound network security system, complete regulations, and higher response capability. Manufacturing, agriculture, and education sectors remain common attack targets.
AI, RaaS, and IoT become emerging threat focuses
Kaspersky noted that ransomware attack tactics continue to evolve in 2025, with major trends including: AI-driven attacks: Emerging ransomware group FunkSec rapidly rose at the end of 2024, adopting AI-generated code, automated deployment, and double extortion (encryption + data leakage), causing severe impacts in various industries (government, technology, finance, education) in Europe and Asia. Their strategy of low ransom and high attack volume shows AI is being widely used to optimize attack efficiency.
Prevalence of Ransomware-as-a-Service (RaaS) models: Platforms like RansomHub providing malware, technical support, and profit-sharing mechanisms enable low-skilled individuals to carry out highly complex attacks, leading to the emergence of several new attack groups in 2024.
Using non-traditional entry points: Groups like Akira bypass security defenses through webcams, predicting more future attacks focused on IoT devices, smart appliances, and misconfigured hardware devices. Attackers also increasingly prefer stealthy reconnaissance and lateral movement for precise ransomware deployment, enhancing concealment and impact.
Combination of Generative AI with LowCode and RPA: These tools are being used to write malicious code and automate attack deployments, enabling attackers lacking professional skills to quickly develop and launch ransomware attacks.
Kaspersky's Chief Security Researcher for Middle East, Turkey, and Africa, Maher Yamout, warned: "Many businesses are not yet aware that IoT devices, smart terminals, and outdated equipment often become entry points for attackers. Besides investing in technology, organizations must establish multi-layer defense, real-time monitoring, data backup, and strengthen employee cybersecurity awareness."
Kaspersky recommends enterprises follow these best practices against ransomware: Enable ransomware protection for all endpoints: Kaspersky offers free tools like Kaspersky Anti-Ransomware Tool for Business, compatible with existing protection systems.
Ensure all device software is updated: To prevent attackers from exploiting vulnerabilities.
Strengthen network perimeter defense: Especially monitoring abnormal outbound traffic, setting up offline backup systems to ensure quick recovery in emergencies.
Deploy APT protection and EDR systems: For threat detection, traceability analysis, and incident response. Ensure the security operations center (SOC) team has the latest threat intelligence and continuous training.
Utilize Kaspersky Next product line: Provides real-time protection, threat visualization, EDR/XDR capabilities based on organizational needs, suitable for various scales and industries.
Constantly monitor the latest cybersecurity threat trends: To adjust defense strategies according to opponent tactics, techniques, and procedures (TTPs).
The full report can be viewed at Securelist.com.
According to data from Kaspersky Security Network, the global proportion of users attacked by ransomware increased by 0.02 percentage points from 2023 to 2024, reaching 0.44%. Although the proportion seems low, it remains highly alarming as ransomware attacks typically target high-value targets and are not spread on a large scale.
The data shows that users in the Middle East, Asia-Pacific, and Africa have the highest proportion of ransomware attacks, with the Middle East at 0.72%, Asia-Pacific at 0.60%, global average at 0.44%, Africa at 0.41%, Latin America at 0.33%, Commonwealth of Independent States (CIS) at 0.32%, and Europe at 0.28%.
Kaspersky pointed out that the Asia-Pacific and Middle East regions have become major hotspots for ransomware attacks due to rapid digital transformation, wide attack surface, and uneven network security maturity. The issue is particularly severe in emerging economies where infrastructure and operational technology frequently suffer attacks.
Although Africa has a lower degree of digitalization, limiting attack targets, the trend of attacks is rising with countries like South Africa and Nigeria accelerating the development of the digital economy, and where manufacturing, financial, and government departments become emerging attack targets. Many institutions continue to be exposed to risks due to insufficient network security awareness and resources.
Major victim countries in Latin America include Brazil, Argentina, Chile, and Mexico. Attacks are concentrated mainly in key areas such as manufacturing, government, agriculture, energy, and retail. Although attackers are limited by the regional economic scale and lower ransom amounts, the overall exposure is increased by regional digital development.
In the CIS, the proportion of attacks is relatively low, but radical groups like Head Mare and Twelve frequently use ransomware such as LockBit 3.0 to carry out destructive attacks in manufacturing, government, and retail sectors. Uneven network security development further complicates this region's risks.
Europe, while continuously facing ransomware threats, contains the attack scale due to its sound network security system, complete regulations, and higher response capability. Manufacturing, agriculture, and education sectors remain common attack targets.
AI, RaaS, and IoT become emerging threat focuses
Kaspersky noted that ransomware attack tactics continue to evolve in 2025, with major trends including: AI-driven attacks: Emerging ransomware group FunkSec rapidly rose at the end of 2024, adopting AI-generated code, automated deployment, and double extortion (encryption + data leakage), causing severe impacts in various industries (government, technology, finance, education) in Europe and Asia. Their strategy of low ransom and high attack volume shows AI is being widely used to optimize attack efficiency.
Prevalence of Ransomware-as-a-Service (RaaS) models: Platforms like RansomHub providing malware, technical support, and profit-sharing mechanisms enable low-skilled individuals to carry out highly complex attacks, leading to the emergence of several new attack groups in 2024.
Using non-traditional entry points: Groups like Akira bypass security defenses through webcams, predicting more future attacks focused on IoT devices, smart appliances, and misconfigured hardware devices. Attackers also increasingly prefer stealthy reconnaissance and lateral movement for precise ransomware deployment, enhancing concealment and impact.
Combination of Generative AI with LowCode and RPA: These tools are being used to write malicious code and automate attack deployments, enabling attackers lacking professional skills to quickly develop and launch ransomware attacks.
Kaspersky's Chief Security Researcher for Middle East, Turkey, and Africa, Maher Yamout, warned: "Many businesses are not yet aware that IoT devices, smart terminals, and outdated equipment often become entry points for attackers. Besides investing in technology, organizations must establish multi-layer defense, real-time monitoring, data backup, and strengthen employee cybersecurity awareness."
Kaspersky recommends enterprises follow these best practices against ransomware: Enable ransomware protection for all endpoints: Kaspersky offers free tools like Kaspersky Anti-Ransomware Tool for Business, compatible with existing protection systems.
Ensure all device software is updated: To prevent attackers from exploiting vulnerabilities.
Strengthen network perimeter defense: Especially monitoring abnormal outbound traffic, setting up offline backup systems to ensure quick recovery in emergencies.
Deploy APT protection and EDR systems: For threat detection, traceability analysis, and incident response. Ensure the security operations center (SOC) team has the latest threat intelligence and continuous training.
Utilize Kaspersky Next product line: Provides real-time protection, threat visualization, EDR/XDR capabilities based on organizational needs, suitable for various scales and industries.
Constantly monitor the latest cybersecurity threat trends: To adjust defense strategies according to opponent tactics, techniques, and procedures (TTPs).
The full report can be viewed at Securelist.com.