Ransomware Attacks Rise Again: What’s Fueling the Surge?
Ransomware attacks are rising sharply again, with ex-RaaS groups like Lockbit leading the charge. This article explores the factors fueling the resurgence and provides essential security insights and best practices for defending your organization.
In 2025, the number of ransomware attacks is climbing again after a brief decline, with Lockbit, Hiveleaks, and BlackBasta leading the charge. According to NCC Group, which actively monitors leak sites to collect attack data, Lockbit alone executed 62 attacks in July. Over the same period, Hiveleaks recorded a staggering 440% increase and BlackBasta a 50% increase since June.
Why are we seeing such a rapid rise in ransomware incidents, and what should organizations do to protect themselves?
What Does the Law Say About Ransomware?
Ransomware attacks are increasingly being addressed through specific laws and regulations, which differ across jurisdictions but generally classify such acts as serious cybercrimes. In the United States, for example, ransomware is prosecuted under federal laws like the Computer Fraud and Abuse Act (CFAA), which criminalizes unauthorized access to computer systems, and the Wire Fraud Statute, which covers schemes involving electronic communications. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) also warns that making ransom payments to sanctioned entities can lead to severe penalties. These frameworks not only target the cybercriminals but also hold organizations accountable if they act against federal sanctions when paying ransoms.
In the European Union, ransomware is treated under the Directive on Attacks Against Information Systems and the General Data Protection Regulation (GDPR). The directive ensures that gaining unauthorized access, damaging data, or interfering with systems—whether through ransomware or other malware—carries substantial criminal penalties. Meanwhile, GDPR adds a strong privacy dimension: if personal data is compromised in a ransomware attack, organizations must report it to data protection authorities within 72 hours, or face significant fines. This dual legal approach both punishes the attackers and enforces security diligence on data controllers and processors.
In countries like the United Kingdom, the Computer Misuse Act 1990 serves as the main legal instrument against ransomware, criminalizing unauthorized access, data modification, and system disruption. The UK’s National Crime Agency (NCA) also actively investigates ransomware gangs, often working with Europol and Interpol. Importantly, UK authorities discourage paying ransoms, as doing so may violate anti–money laundering laws if the funds reach sanctioned individuals or terrorist groups. This stance pushes organizations to focus on incident prevention, backup strategies, and law enforcement cooperation.
Beyond national laws, there is an increasing move toward international cooperation in combating ransomware. Agreements like the Budapest Convention on Cybercrime promote cross-border investigation and evidence sharing. Interpol and Europol’s joint operations have led to several high-profile takedowns of ransomware networks. These coordinated efforts are crucial, given that many ransomware groups operate transnationally. For organizations, understanding both domestic and international legal obligations is vital—not only to ensure compliance but also to strengthen their resilience against the growing ransomware threat.
What Is the Punishment for Ransomware?
The punishment for ransomware crimes depends on jurisdiction but is universally severe, often involving long prison sentences, heavy fines, and asset seizures. In the United States, offenders can face up to 20 years in federal prison per count under laws like the Computer Fraud and Abuse Act, with harsher penalties for attacks on critical infrastructure or links to sanctioned groups. In the EU, sentences typically range from 5 to 12 years, alongside potential GDPR fines of up to €20 million or 4% of global turnover if personal data is compromised. The UK’s Computer Misuse Act allows penalties from 2 years to life imprisonment for the most serious cases, especially those threatening national security. Many other countries, including Australia, Canada, and Singapore, impose similar or longer custodial terms, and growing international cooperation means perpetrators risk extradition and prosecution even if they operate abroad.
8 Reasons Why Ransomware Attacks Are on the Rise
Ransomware attacks are escalating at an alarming pace, driven by factors like the rise of remote work, growing use of cryptocurrency for anonymous payments, and the availability of ransomware-as-a-service on the dark web. Cybercriminals are becoming more organized, targeting high-value sectors, and exploiting security gaps faster than organizations can close them—making it crucial to understand why these attacks are surging and how to defend against them.
1. Ransomware-as-a-Service (RaaS) resurgence
Ex-Ransomware-as-a-Service (RaaS) groups are back in the game, and many have adapted their models to become more difficult for organizations to defend against. RaaS groups like Lockbit 3.0 have updated their ransomware packages, providing them to affiliates who launch attacks for a cut of the profits.
This decentralized business model means even small-time hackers can execute sophisticated attacks. For instance, Lockbit’s model helped it conduct ten times more attacks in July than in December. If attackers can use updated ransomware with a low technical barrier, it’s clear why the RaaS ecosystem has gained renewed momentum.
2. Increased reliance on leak sites and data monetization
Ransomware groups have refined their methods for monetizing stolen data. Leak sites have become crucial to their extortion methods, often creating more pressure for victims to pay. By threatening to publish sensitive information, attackers force companies to consider the reputational and financial repercussions of data leaks.
NCC Group’s data collection from these leak sites illustrates how integral these sites have become. If the ransom is unpaid, the attackers release the data publicly, amplifying the risk of regulatory penalties for businesses and increasing payout rates. This tactic has quickly become a primary way for ransomware groups to turn breached data into profits.
3. Double and triple extortion tactics
A sharp rise in double and triple extortion tactics has made ransomware attacks more potent. In double extortion, attackers encrypt data and threaten to release it publicly. In triple extortion, attackers increase pressure by contacting clients or suppliers of the breached organization. This expanded extortion approach increases the likelihood of payouts, motivating ransomware groups to push for even greater intensity in their operations.
4. Exploiting supply chain and third-party vulnerabilities
In the face of heightened security measures, ransomware groups have turned their focus to supply chain vulnerabilities. Attackers increasingly target third-party vendors or partners with weak security practices, which often serve as backdoor entry points to larger companies. This tactic has proven successful for groups like BlackBasta and Hiveleaks, both of which saw significant growth in July by leveraging these alternative entry points.
5. Advanced automation and AI in attacks
Incorporating AI and automation, ransomware groups are enhancing the precision and speed of attacks. With AI-driven scanning and automated vulnerability detection, ransomware groups can pinpoint the most vulnerable organizations quickly, enabling them to launch more attacks simultaneously.
This technology-driven approach has led to unprecedented growth for groups like Lockbit, which are now executing large-scale attacks that evade traditional security measures.
6. Law enforcement challenges and international factors
Many ransomware groups operate from countries with limited law enforcement collaboration, giving them freedom to operate with little interference. As ransomware groups have become highly organized and resourceful, they continue to evade capture, especially in jurisdictions with minimal regulation of cybercrime.
This lack of enforcement allows groups like Lockbit, Hiveleaks, and others to act boldly and remain active players in the ransomware landscape.
7. Competition among cybercrime groups
Ransomware groups are not only targeting organizations; they’re also competing with each other for dominance. Hiveleaks and BlackBasta, with attack rate increases of 440% and 50% respectively, have ramped up operations in response to Lockbit’s aggressive tactics. As each group works to establish dominance, the outcome is a sharp increase in attack rates across the board.
This competitive dynamic further incentivizes groups to develop unique attack methods and escalate their efforts, putting organizations at heightened risk of ransomware attacks.
How Does Ransomware Get on Your Computer?
Ransomware typically infiltrates systems through phishing emails containing malicious attachments or links, infected software downloads, compromised websites, and unpatched security vulnerabilities. Cybercriminals may also use brute-force attacks to break into remote desktop protocol (RDP) accounts or exploit weak credentials. Once the malware gains access, it can spread across the network, encrypting files and disabling security tools, often before detection systems can respond.
Malware and Ransomware Attacks
Malware is a broad category of malicious software that includes ransomware, viruses, worms, trojans, and spyware. While all malware aims to damage, disrupt, or steal data, ransomware’s defining feature is its encryption of files and demand for payment. Attackers may use a combination of malware types to breach systems, exfiltrate data, and then deploy ransomware for maximum impact, making layered defenses essential.
Ransomware Virus Removal Tool
A ransomware virus removal tool is specialized software designed to detect and remove ransomware from infected systems. While some tools can decrypt files for certain ransomware variants, many cannot reverse encryption without the attacker’s key. Therefore, the most effective tools focus on isolating the threat, preventing further spread, and cleaning the system to enable safe recovery from backups.
What Is the Best Way to Avoid Ransomware Infections?
The best way to avoid ransomware infections is to combine technical safeguards with user awareness. This includes maintaining updated security patches, using next-generation antivirus and endpoint detection solutions, enforcing strong passwords, disabling unnecessary remote access, and performing regular offline backups. Educating employees to recognize phishing attempts and suspicious activity is equally critical, as human error is often the initial entry point for ransomware.
How to Prevent Ransomware?
The recent surge in ransomware attacks signals the need for a multi-faceted defense strategy. Organizations can take several steps to protect themselves against the escalating threat:
- Implement multi-layered security protocols that cover both internal and third-party access points.
- Train employees regularly with security awareness training to detect phishing and ransomware attempts.
- Back up data frequently and test restore capabilities to mitigate damage in case of a successful attack.
- Invest in incident response planning to contain breaches before they escalate.
With robust cybersecurity practices in place, businesses can reduce their vulnerability and respond effectively to ransomware attacks.
Editor's Note: This blog was updated on August 15, 2024.