Ransomware 2026: Double Extortion and the Business of Cyber Blackmail

813 million US dollars in ransomware payments in 2024, a 35% decline from the record year 2023 — that sounds like things are easing up. They are not. Willingness to pay is decreasing, but the number of attacks continues to rise. And the extortionists’ methods have fundamentally changed: encryption alone is no longer enough for attackers.

Double extortion as the new standard

The classic ransomware attack — encrypt data, demand ransom — is history. Today, virtually all significant groups operate with so-called double extortion: before encryption, all accessible data is exfiltrated. If the victim does not pay, the attackers threaten to publish the data on darknet leak sites. Europol’s IOCTA 2025 confirms: data theft has become an integral part of nearly every ransomware operation.

The attackers’ calculus is simple: even those with functioning backups who survive the encryption face a reputational and data protection problem if customer data, contracts or personnel files end up online. In sensitive sectors such as healthcare or financial services, this leverage is particularly effective.

Ransomware-as-a-Service: the franchise model of cybercrime

Ransomware is a business model. The most successful groups operate Ransomware-as-a-Service (RaaS): developers provide the malware, infrastructure and negotiation platforms. Affiliates — the actual attackers — carry out the attacks and pay 20-30% of the ransoms to the operators. Entry requires neither deep technical knowledge nor proprietary infrastructure. Initial Access Brokers sell stolen credentials on marketplaces as a ticket into corporate networks.

This division of labour explains why attack numbers do not decline despite individual law enforcement successes. When one group is dismantled, affiliates simply move to the next platform.

The actors: disruption and rebirth

2024 was marked by upheaval in the ransomware landscape. LockBit, for years the most active group, was severely disrupted in February 2024 by a coordinated operation led by the NCA and FBI. Payments to LockBit dropped 79% in the second half of 2024. Yet the infrastructure has been partially rebuilt — LockBit is weakened but not eliminated.

BlackCat/ALPHV disappeared at the end of 2023 after a suspected exit scam: the operators pocketed a 22-million-dollar ransom and vanished — at the expense of their own affiliates. RansomHub stepped into the resulting vacuum, rising to become the most active group in 2024 with over 530 documented attacks. Since mid-2025, RansomHub has also shown operational problems, illustrating the volatility of this scene.

Swiss SMEs in the crosshairs

The Federal Office for Cybersecurity (FOCS) recorded a total of 57 ransomware reports in the first half of 2025 — 13 more than in the same period of the previous year. The number of unreported cases is likely significantly higher, as many companies do not report incidents. FOCS observes a clear increase in targeted attacks on Swiss SMEs, particularly via phishing and social engineering as initial access vectors.

Since April 2025, the reporting obligation under the Information Security Act (ISA) has applied to operators of critical infrastructure. Since October 2025, violations can result in fines of up to CHF 100,000. Ransomware attacks are explicitly among the reportable incidents. Those who are attacked and fail to report face not only operational disruption but also a regulatory problem.

The real costs of an attack

The Sophos State of Ransomware Report 2025 puts the average recovery costs — excluding ransom payments — at 1.53 million US dollars. For smaller organisations with 100-250 employees, the costs average 638,536 US dollars. On a positive note: 53% of affected organisations were able to restore operations within a week, compared with 35% the previous year.

Less easily quantifiable but often more severe: reputational damage, lost customer relationships and the strain on staff during and after an incident. For SMEs without a dedicated security team, a ransomware attack can be an existential threat.

Defence: what actually works

There is no single solution against ransomware. Effective protection consists of multiple layers:

Backup strategy following the 3-2-1 principle

Three copies of the data, on two different media types, one of them offline or off-site. Crucially: test recovery regularly. A backup that does not work in an emergency is worthless. And: backups must be protected from encryption — attackers specifically target accessible backup systems.

Network segmentation

A flat network is a gift to any attacker. Segmentation via VLANs and firewall rules limits lateral movement after an initial breach. Production systems, office IT and backup infrastructure belong in separate segments.

Endpoint Detection and Response (EDR)

Traditional antivirus is insufficient against modern ransomware. EDR solutions detect suspicious behaviour — such as mass file encryption or unusual process activity — and can automatically isolate endpoints before the malware spreads.
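
The behavioural signal described above (one process rewriting many files with encrypted-looking content in a short time) can be shown in a few lines of Python. This is an added, simplified example, not the logic of any particular EDR product and not code from the original article; the event format, thresholds and process names are assumptions, and the telemetry is constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque


def entropy(data):
    """Shannon entropy in bits per byte (encrypted data approaches 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window=10.0, min_files=20, min_entropy=7.5):
    """Return {process: alert_time} for processes that write high-entropy
    content to at least min_files distinct files within window seconds.
    events: time-ordered (timestamp, process, path, written_bytes) tuples."""
    recent = defaultdict(deque)          # process -> deque of (timestamp, path)
    alerts = {}
    for ts, proc, path, data in events:
        if proc in alerts or entropy(data) < min_entropy:
            continue
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()                  # drop writes older than the window
        if len({p for _, p in q}) >= min_files:
            alerts[proc] = ts            # point at which to isolate the endpoint
    return alerts


def pseudo_ciphertext(seed, size=4096):
    """Deterministic high-entropy bytes standing in for encrypted output."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(size // 32))


def sample_events():
    """Constructed telemetry: an editor saving plain text, and one process
    overwriting 25 documents with high-entropy data within five seconds."""
    events = [(float(i), "editor.exe", f"C:/docs/notes{i}.txt",
               b"Quarterly report draft " * 100) for i in range(5)]
    events += [(100 + i * 0.2, "unknown.exe", f"C:/share/file{i}.xlsx",
                pseudo_ciphertext(i)) for i in range(25)]
    return sorted(events)


if __name__ == "__main__":
    print(detect_mass_encryption(sample_events()))
```

Compressed formats and tools such as archivers or backup agents also produce high-entropy writes, so a production rule needs an allowlist and tuning of the thresholds against normal activity.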

Incident response plan

Those who only start working out what to do once an emergency hits lose critical hours. A documented plan with clear responsibilities, escalation paths and communication templates (both internal and external) significantly reduces response time. Regular tabletop exercises ensure the plan does not only work on paper.

Staff training

Phishing remains the most common initial access vector. Technical measures alone are insufficient if a single click on a crafted link undermines the entire defence. Regular, practical training — not just an annual slide deck — measurably reduces the risk.

How Zerberos can help

Ransomware protection starts with transparency about your own attack surface. Our services address precisely this:

  • Penetration testing — Identification of the vulnerabilities that ransomware groups exploit as entry points
  • Risk Assessment — Evaluation of your ransomware resilience across technology, processes and organisation
  • Security Roadmap — Prioritised action plan, tailored to your risk profile and budget

Contact us for a no-obligation initial consultation.

Sources and further reading