
Quantum security threats can wait – deal with today’s ransomware risks first

By James Blake, Vice President of Cyber Resiliency Strategy at Cohesity  

Risk follows a simple formula: impact + likelihood = risk. There are plenty of risks to consider today, but many that get attention are more about hype than immediate danger. While it’s important to plan for future threats, the ones right in front of us should come first. 

For example, quantum computing is often discussed as a major risk. But when I apply that formula, I get massive impact + low likelihood (for now) = low risk.  

That said, we can start preparing now by identifying the data we hold today that will still be sensitive in five to ten years’ time and moving to protect it with quantum-safe algorithms.

But, while concerns exist about quantum technology disrupting cyber security, it’s still a long way off. For now, it belongs lower down the priority list—but ask me again in a decade.  

Now, let’s run the same formula for ransomware: ransomware = big impact + already wreaking havoc = massive risk. Unlike quantum computing, this isn’t a “maybe one day” problem – it’s happening now, shutting down businesses, hospitals, and public services. By 2025, global ransomware costs are projected to reach $57 billion annually, rising to an estimated $275 billion by 2031. 

The maths is simple: deal with today’s threats first. That may well include data with an extremely long tail of sensitivity, which therefore needs encrypting now, particularly in government or financial services. Then think about tomorrow.

Enough with the formulas – what’s the current state of play in ransomware, and how can businesses keep up with changes in the cyber security landscape?  

The state of ransomware today  

First, some overarching advice: effective ransomware protection starts with recognising that it’s not just an IT problem – it’s a business-wide risk. Ransomware is evolving far more rapidly than many might expect, so staying ahead of the threat is critical. Before exploring ways to strengthen protection, it’s worth taking a closer look at the current landscape.  

Cybercriminals have stepped up their game in 2025. According to Cyfirma, ransomware attacks surged 82% year on year, with 510 victims in January alone. The US remains the top target, with 259 attacks, followed by Canada (29) and the UK (25). Some industries are being hit hardest: IT breaches are up 60%, healthcare 31%, education a staggering 93%, and transportation 69%. 

These sectors are prime targets due to their critical data and expanding digital infrastructure. In fact, cybercriminals are increasingly focused on organisations that manage large volumes of sensitive data—from financial information to intellectual property to industry-specific data. These data-rich companies present more vectors for exploitation. 

What are the emerging risks?  

The ransomware landscape in 2025 feels like a high-stakes arms race, where attackers are outpacing security defences due to the proliferation of new technology and techniques. Hackers are weaponising AI, exploiting systemic vulnerabilities, evading common security tools, and targeting critical infrastructure with growing precision. This is the year hacking teams went professional. 

And professional is the right word. Hacking groups are offering Ransomware-as-a-Service (RaaS) – a cybercrime business model where developers create and distribute ransomware tools to affiliates, enabling even non-technical criminals to launch attacks. These groups now have affiliate programmes, 24/7 customer support, and profit-sharing models. 

Another alarming trend is the increasing collaboration between hacking groups, or between gangs and nation states. In December 2024, the HellCat and Morpheus groups carried out a joint ransomware operation, deploying identical payload code, suggesting they were using a shared builder application.

What about AI? It now streamlines the entire ransomware attack lifecycle – from algorithms scraping social media to identify high-value targets, to autonomous bots scanning thousands of systems per hour for weaknesses. Ransomware groups like Akira are even using tools that auto-negotiate ransom demands based on a target’s financial data. 

Large Language Models (LLMs) are making phishing-based ransomware hyper-targeted. LLMs can mimic writing styles, auto-translate phishing lures into 50+ languages with localised slang, and even produce deepfake voice clones that can deceive people with astonishing success: an 83% success rate in 2024 BEC attacks.

There’s also been a rise in credential reuse (24%, according to Mandiant M-Trends 2024), where attackers recycle the same username/password across multiple accounts, and in vulnerability exploits (38%), which target unpatched weaknesses in software/hardware. These are the top entry points for ransomware.

Preparing for the next-gen ransomware 

As leading hacking groups begin to operate like mid-sized firms – complete with defined services, specialist roles, talent pipelines, R&D, and even marketing – businesses must start treating the ransomware threat with the same level of professionalism. Thankfully, combating modern ransomware is largely about getting the fundamentals right.

One of these fundamentals is the ‘clean room’ environment. You may be familiar with the term from manufacturing, particularly semiconductor facilities, where workers wear white suits and high-powered HVAC systems filter the air to avoid contamination. Similarly, in the cyber security world, clean rooms are controlled virtual environments where security teams can investigate an attack without the risk of reinfecting systems, allowing them to create a clear recovery plan. 

Another useful concept is the ransomware ‘digital jump bag.’ These prepackaged toolkits contain the essential resources for responding to a ransomware incident, resources that can so often be out of action due to an attack. The term is borrowed from WWII parachutists, who carried supplies when dropped behind enemy lines. A ransomware jump bag typically includes key contact numbers; copies of incident response workflows; contracts with retained incident response firms; your cyber insurance policy; notification templates for the press, regulators and impacted data subjects; and the tools, configurations and licence keys needed to restore a trusted response environment.

But it’s not just about having the right tools in place – it’s also about having the right processes and skills within the team to respond effectively. Continuing with the jump bag analogy, teams need to train regularly, run attack simulations, and keep things simple and efficient.

Soon, AI security platforms will be able to orchestrate parts of the ransomware response, helping to minimise human error and provide insights on where efforts should be focused. 

Ultimately, though, cybersecurity is about setting priorities. And to circle back to the equation from earlier: tackle today’s threats to better prepare for tomorrow’s. 
