Google: ransomware profits are decreasing, but criminals are adapting to the new reality

Google experts analyzed data from ransomware incidents that Mandiant responded to in 2025 and concluded that overall profits from such operations are in decline. This trend stems from organizations improving their apabilities to recover and from law enforcement takedowns or internal conflicts that disrupted previously active groups.

Still, threat actors are adapting to shrinking revenues. Below are the key 2025 trends, and the article provides details on the tactics and techniques observed in attacks targeting organizations across the Asia-Pacific region, Europe, and the Americas.

📌 In one-third of ransomware incidents, initial access was gained through exploitation of vulnerabilities in network perimeter devices, while phishing accounted for only 6% of cases. Exploits offer a faster and more reliable entry point—especially important as profitability declines.

📌 Whereas data encryption used to be the primary means of extortion, in 2025 data exfiltration was observed in 77% of attacks (up from 57% in 2024). This indicates that encryption is losing effectiveness as leverage: backups enable recovery, but the exposure of confidential data creates risks that cannot be easily mitigated afterward.

📌 In 43% of 2025 cases, attackers targeted virtualization infrastructure (up from 29% in 2024). Many of these attacks were partially automated — previously uncommon for such environments. This approach maximizes impact, as compromising a hypervisor allows simultaneous disruption of multiple virtual hosts.

Researchers note that declining profits may push threat actors to shift from large enterprises to smaller targets, use more aggressive extortion tactics, and further monetize existing access — for example, by collaborating with access brokers.

Falling profits and rising competition in the ransomware market are forcing attackers to scale their operations and seek new monetization models. As a result, even robust backup infrastructure no longer guarantees full protection against criminals adapting to a rapidly changing environment. This underscores the need for a comprehensive approach to infrastructure hardening; detailed recommendations are available here.

💬 Discuss