
Fewer organisations are falling victim to ransomware attacks after strengthening their cyber resilience, though many still fail to recover most of their data, according to a new study by cloud data security firm Veeam.
The study of 1,300 organisations around the world showed that they are making steady progress against the ever-present scourge of ransomware, with the proportion of those affected dropping from 75 per cent to 69 per cent this year.
This decrease, says the report released last week, is due to improved preparation and resilience practices, as well as increased collaboration between IT and security teams.
However, the threat remains significant, with ransomware attacks increasing in sophistication and becoming more pervasive. As ransomware attacks from existing groups and “lone wolf” actors continue to grow, firms must have proactive cyber resilience strategies to mitigate risks and recover more swiftly and effectively from incidents, Veeam cautions.
Organisations may be improving their defences against cyber attacks, said Anand Eswaran, Veeam chief executive officer. However, seven out of 10 still experienced an attack in the past year. And of those attacked, only 10 per cent recovered more than 90 per cent of their data, while 57 per cent recovered less than 50 per cent.
“Our latest findings clearly indicate that the threat of ransomware will continue to challenge organisations throughout 2025 and beyond,” said Eswaran.
The study also unveiled trends that point to key shifts in attacker behaviour, greater law enforcement pressure, and the emergence of new threats.
The coordinated global law enforcement actions in 2024 have significantly disrupted major ransomware syndicates, including LockBit and BlackCat.
However, these crackdowns have led to a surge in smaller, more agile threat actors and independent attackers. Security experts warn that while high-profile takedowns are impactful, the ransomware ecosystem is fragmenting, requiring sustained vigilance.
The improved communication between IT operations, security teams, law enforcement and industry partners has also proven critical in heightening the defence against ransomware.
A worrying trend is the rise of exfiltration-only attacks, where cybercriminals infiltrate an organisation’s network to steal sensitive data—such as financial records, intellectual property, or personal information—without encrypting or locking data. These attacks, often executed within hours of exploiting vulnerabilities, target organisations with weak cybersecurity controls.
A positive development is that the number of ransomware payments has declined. Some 36 per cent of affected organisations refused to pay at all. Among those that paid, 82 per cent negotiated lower ransoms, and 60 per cent paid less than half the initial demand.
New regulations and legal frameworks, such as the International Counter Ransomware Initiative, have helped to discourage organisations from making ransomware payments, encouraging companies to strengthen their defences instead.
In terms of recovery after an attack, the Veeam report found that organisations that prioritise data resilience recover up to seven times faster with significantly less data loss.
The key factors in a successful recovery after an attack include having robust backup and recovery strategies, proactive security measures, and effective incident response plans. Organisations are encouraged to adopt the 3-2-1-1-0 data resilience rule, to ensure that backups are immutable and verified malware-free before restoration.
The study found a significant gap between perceived and actual preparedness. Some 69 per cent believed they were prepared before an attack, but their confidence dipped by 20 per cent after being attacked, pointing to planning gaps.
While 98 per cent of organisations surveyed had a ransomware playbook, fewer than half included technical elements like backup verification and frequency (44 per cent) or a clear chain of command (30 per cent).
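As an added illustration (not code from the article or from Veeam), the script below checks a constructed backup inventory against the 3-2-1-1-0 rule in its commonly stated form (three copies of the data, on two media types, one off-site, one immutable or offline, and zero errors in a recent restore test), and ties the "0 errors" element to the backup verification frequency that a playbook should spell out. The inventory fields, the sample copies and the reference date are all assumptions made for this example.

```python
"""Check a backup inventory against the 3-2-1-1-0 data resilience rule.

Added example, not code from the article or from Veeam. The rule is applied
in its commonly stated form: 3 copies of the data (production plus at least
two backups), on 2 different media types, 1 copy off-site, 1 copy immutable
or offline (air-gapped), and 0 errors in a recent, successful restore test.
The inventory fields, sample copies and reference date are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Constructed reference date so the sample data is reproducible.
TODAY = date(2025, 5, 1)


@dataclass
class BackupCopy:
    name: str
    media: str             # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool          # held in a different site/region from production
    immutable: bool        # WORM / object-lock, or offline air-gapped media
    last_test_ok: bool     # did the last restore test (plus malware scan) pass
    last_test: date        # when that restore test ran


@dataclass
class RuleResult:
    ok: bool
    findings: List[str]    # one line per unmet element of the rule


def check_3_2_1_1_0(copies: List[BackupCopy], today: date = TODAY,
                    max_test_age_days: int = 7) -> RuleResult:
    """Return the unmet elements of 3-2-1-1-0 for a list of backup copies.

    max_test_age_days is the playbook's backup verification frequency: a copy
    whose last restore test is older than this is treated as unverified.
    """
    findings: List[str] = []

    # 3: production data plus at least two backup copies
    if len(copies) < 2:
        findings.append(f"3 copies: only {len(copies)} backup copies present")

    # 2: backup copies spread over at least two different media types
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2 media types: only {sorted(media)} in use")

    # 1: at least one copy held off-site
    if not any(c.offsite for c in copies):
        findings.append("1 off-site copy: none")

    # 1: at least one copy that an attacker with admin rights cannot alter
    if not any(c.immutable for c in copies):
        findings.append("1 immutable/offline copy: none")

    # 0: every copy passed a restore test recently enough to be trusted
    cutoff = today - timedelta(days=max_test_age_days)
    for c in copies:
        if not c.last_test_ok:
            findings.append(f"0 errors: last restore test of '{c.name}' failed")
        elif c.last_test < cutoff:
            findings.append(f"0 errors: '{c.name}' not verified since {c.last_test}")

    return RuleResult(ok=not findings, findings=findings)


def sample_inventory(today: date = TODAY) -> List[BackupCopy]:
    """Constructed inventory: a local disk repository plus an off-site,
    object-locked copy, both restore-tested within the last week."""
    return [
        BackupCopy("local-disk-repo", "disk", offsite=False, immutable=False,
                   last_test_ok=True, last_test=today - timedelta(days=1)),
        BackupCopy("cloud-object-lock", "object-storage", offsite=True,
                   immutable=True, last_test_ok=True,
                   last_test=today - timedelta(days=3)),
    ]


def sample_inventory_with_gaps(today: date = TODAY) -> List[BackupCopy]:
    """Constructed inventory that looks complete on paper but has no
    immutable copy, a single media type, and a copy untested for a month."""
    return [
        BackupCopy("local-disk-repo", "disk", offsite=False, immutable=False,
                   last_test_ok=True, last_test=today - timedelta(days=1)),
        BackupCopy("dr-site-disk", "disk", offsite=True, immutable=False,
                   last_test_ok=True, last_test=today - timedelta(days=30)),
    ]


if __name__ == "__main__":
    for label, inv in (("compliant", sample_inventory()),
                       ("with gaps", sample_inventory_with_gaps())):
        result = check_3_2_1_1_0(inv)
        print(f"{label}: {'OK' if result.ok else 'GAPS'}")
        for line in result.findings:
            print("  -", line)
```

The second inventory is the kind of plan that the survey's confidence gap describes: two copies, one off-site, a documented schedule, yet no copy an intruder with backup-server credentials could not delete, and a disaster-recovery copy whose last restore test predates the verification frequency the playbook promised.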
Chief information officers reported a 30 per cent drop in preparedness post-attack, compared to 15 per cent for chief information security officers, suggesting security leaders have a more realistic view of risks.
Organisations are urged to align cyber resilience and preparation within the organisation, and have regular training and exercises to enable a coordinated response during and post-attack.