State of Ransomware 2025: Exfiltration Rates, Top Targets and What the Data Tells Us
BlackFog's State of Ransomware Report has tracked every publicly reported ransomware attack since 2020. Their 2024 annual findings confirmed what security teams feared: ransomware attacks reached all-time highs, with reported incidents up 48% year-over-year. Data exfiltration occurred in 93% of attacks — making data theft, not encryption, the defining characteristic of modern ransomware. Healthcare was the most targeted sector for the fourth consecutive year, followed by education and government.
Attack Volume and Trends
BlackFog tracked a 48% increase in publicly reported ransomware attacks in 2024 compared to 2023. The true figure is significantly higher — research consistently suggests that only 1 in 10 ransomware incidents is publicly disclosed. The monthly cadence showed sustained elevated activity throughout 2024, with no seasonal lull. Law enforcement disruptions — including the FBI's takedown of LockBit infrastructure in February 2024 and ALPHV/BlackCat's exit scam in March 2024 — created temporary reductions that were quickly filled by emerging groups including RansomHub, Akira, and Play.
Data Exfiltration: The Dominant Attack Model
The 93% exfiltration rate represents the most significant shift in ransomware strategy. In 2020, fewer than 40% of ransomware attacks included data exfiltration. The progression — 40% in 2020, 57% in 2021, 70% in 2022, 86% in 2023, 93% in 2024 — demonstrates a near-complete industry pivot from encryption-only to exfiltration-first operations. Several prominent groups including BianLian and Karakurt have abandoned encryption entirely, operating as pure data extortion outfits. The message is unambiguous: if your ransomware defence strategy is built around backups and recovery, you are defending against a model that no longer represents the primary threat.
Most Targeted Sectors
Healthcare remains the most heavily targeted sector, accounting for 24% of all ransomware incidents. Education follows at 18%, with government at 15%. The concentration in these sectors reflects attacker economics — they hold sensitive data that creates maximum extortion pressure, they are often under-resourced in cybersecurity, and they face intense regulatory and public scrutiny that increases willingness to pay:
- Healthcare (24%): patient records, medical histories, and insurance data create life-safety pressure — the Ascension Health attack in May 2024 forced ambulance diversions
- Education (18%): student data, research intellectual property, and minimal security budgets — the University of Manchester breach exposed data on 1.1 million NHS patients held for research
- Government (15%): citizen data, critical infrastructure access, and political pressure to restore services — the City of Dallas was crippled for weeks in 2023
- Manufacturing (12%): operational technology disruption and supply chain leverage — attacks on manufacturers increased 56% year-over-year
- Financial services (10%): direct financial data and regulatory pressure — though better-resourced defences keep the percentage lower
- Technology (8%): source code, customer data, and supply chain access — tech companies are both targets and vectors
The Ransomware-as-a-Service Ecosystem
The ransomware landscape is dominated by the Ransomware-as-a-Service (RaaS) model, where core groups develop the malware and infrastructure while affiliates carry out attacks in exchange for a revenue share — typically 70-80% of ransom payments. LockBit dominated through early 2024 before law enforcement disruption. RansomHub rapidly emerged to fill the vacuum, attracting former LockBit and ALPHV affiliates with a 90/10 split favouring affiliates. This franchise model means that disrupting any single group is insufficient — affiliates simply migrate to the next platform. The barrier to entry for conducting sophisticated ransomware attacks has never been lower.
What This Means for Your Defence Strategy
The data from BlackFog's report leads to clear strategic conclusions for security leaders. Backup-centric ransomware strategies are necessary but insufficient — they address only the 7% of attacks that rely solely on encryption. Exfiltration prevention must be a primary control, not an afterthought. Detection-based approaches face a timing problem — by the time ransomware is detected, exfiltration has typically already occurred. Prevention at the device level, before data leaves the endpoint, is the only reliable way to neutralise the exfiltration threat that defines 93% of modern ransomware attacks.
Frequently Asked Questions
How many ransomware attacks happen per year?
BlackFog tracked over 1,200 publicly reported attacks in 2024, a 48% increase year-over-year. However, the actual number is estimated to be 10-15x higher as most incidents go unreported. Chainalysis tracked $1.1 billion in ransomware payments in 2023 alone.
What percentage of ransomware attacks involve data exfiltration?
93% of ransomware attacks in 2024 included data exfiltration, according to BlackFog's State of Ransomware Report. This has increased steadily from approximately 40% in 2020, reflecting the shift from encryption-only to double and triple extortion models.
Which industries are most targeted by ransomware?
Healthcare leads at 24% of all attacks, followed by education (18%), government (15%), manufacturing (12%), and financial services (10%). Healthcare has been the most targeted sector for four consecutive years.
What is the average ransomware payment in 2025?
The average ransomware payment in 2024 exceeded $800,000, with median payments around $250,000. However, major incidents like Change Healthcare ($22M) and Caesars Entertainment ($15M) demonstrate that enterprise targets face demands in the tens of millions.
Does paying ransomware actually get your data back?
According to Sophos research, only 65% of organisations that paid received a working decryption key. Even when decryption works, recovery is often incomplete — on average only 65% of data is recovered. Payment does not guarantee that exfiltrated data will be deleted, as demonstrated by the Change Healthcare incident where data was re-extorted by a second group.
What happened to LockBit ransomware?
The FBI, NCA, and Europol disrupted LockBit's infrastructure in February 2024 through Operation Cronos, seizing servers and obtaining decryption keys. The group attempted to resume operations but lost credibility with affiliates. Former LockBit affiliates migrated primarily to RansomHub and Akira.
Is ransomware getting worse in 2025?
Yes. Attack volumes continue to increase, exfiltration rates have reached 93%, AI-powered tools are lowering the barrier to entry for attackers, and the RaaS ecosystem ensures that disrupting individual groups does not reduce overall attack volume. BlackFog projects continued escalation through 2025.
Protect your organisation from the ransomware epidemic
Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.
Ready to stop data exfiltration?
Start with a free 30-day BlackFog assessment — 25 devices, no obligation.