
Ransomware Every 19 Seconds: The State of the Global Ransomware Crisis

February 21, 2026

Introduction

By Q3 2025, a ransomware attack was occurring somewhere in the world approximately every 19 seconds. Not every 19 minutes. Every 19 seconds. Over the course of 2025, security researchers confirmed 4,701 ransomware incidents between January and September alone — a number that excludes the large majority of attacks that victims never publicly disclose. The real total is estimated at several times that figure.

The economic damage is staggering. Cybersecurity Ventures projected total cybercrime costs at $10.5 trillion globally for 2025. Ransomware represents the fastest-growing component — with average ransom payments reaching $1.5 million per incident, recovery costs often exceeding the ransom itself, and reputational and operational consequences that persist for years.

What was once a crime committed by small groups of opportunistic criminals has evolved into a mature, professionalized, geopolitically entangled industry — complete with specialized roles, customer service teams, affiliate networks, and negotiation experts.

The Evolution of Ransomware: From Encryption to Extortion

Ransomware began as a relatively simple proposition: encrypt a victim’s files, demand payment for the decryption key. Early ransomware in the 2010s targeted individuals and small businesses, demanding hundreds or thousands of dollars.

The first fundamental evolution was the targeting shift to enterprises, hospitals, and government agencies — victims with both the ability to pay larger ransoms and the operational pressure to pay quickly. The 2017 WannaCry and NotPetya attacks demonstrated that enterprise infrastructure could be crippled by ransomware at global scale.

The second fundamental evolution was Ransomware-as-a-Service (RaaS) — the development of criminal franchise models where ransomware developers (providing the malware and infrastructure) partner with affiliates (who conduct the actual intrusions) on a revenue-sharing basis. This model dramatically lowered the barrier to ransomware crime: an affiliate doesn’t need to write code, just acquire access and deploy the payload. The developers earn 20–30% of every ransom paid through their platform.

The third fundamental evolution — and the dominant current model — is the shift from encryption-only ransomware to double and triple extortion:

  • Double extortion: Attackers steal data before encrypting it. They demand payment both to provide the decryption key and to not publish the stolen data. This works even when victims have backups — because the threat of data publication creates pressure to pay regardless.
  • Triple extortion: A third pressure lever — DDoS attacks on the victim’s public-facing infrastructure, or contact with the victim’s customers and partners threatening to reveal their data — is added to maximize payment pressure.

The result is that over 70% of late 2025 ransomware attacks involved data theft as the primary leverage mechanism, with encryption increasingly becoming secondary to data extortion.

The Biggest Incidents of 2025

Change Healthcare (ALPHV/BlackCat): The most consequential ransomware attack in US history. Change Healthcare processes approximately 15 billion healthcare transactions annually — pharmacy claims, insurance eligibility checks, clinical workflows for hospitals and clinics across the United States. The ALPHV/BlackCat ransomware attack in early 2024 triggered prolonged outages that disrupted pharmacy operations, delayed patient care, and caused an estimated $872 million in direct losses to UnitedHealth Group (which owns Change Healthcare) in Q1 2024 alone. The total economic impact, including effects on healthcare providers nationwide, ran into the billions.

SK Telecom (South Korea): In 2025, South Korea’s largest telecommunications company suffered a breach that exposed approximately 26.96 million IMSI (subscriber identity) records and related USIM data — roughly 9.82 gigabytes of data affecting approximately half of South Korea’s population. The breach highlighted the devastating scale of telecom data exposure.

UK National Health Service: NHS England suffered a ransomware attack attributed to the Qilin group in 2024 that disrupted blood transfusion services and resulted in the postponement of thousands of operations across London hospitals. The attack exposed patient data and created operational disruptions that persisted for weeks.

Asahi (Japan): A ransomware attack exposed the personal information of approximately 1.914 million individuals, including 1.525 million customers, with operational disruptions expected to last into 2026.

The RaaS Ecosystem: Organized Crime at Scale

Understanding why ransomware is so difficult to stop requires understanding its organizational structure — which is far more sophisticated than the popular image of lone hackers suggests.

Core developers: A small number of technically sophisticated groups develop and maintain ransomware platforms — maintaining encryption engines, negotiation portals, leak sites, and affiliate management infrastructure. Major groups in 2025 included LockBit, ALPHV/BlackCat (disrupted but operating successors), Clop, RansomHub, and Akira.

Affiliates: Independent criminal operators who conduct intrusions, deploy ransomware, and negotiate with victims — earning 70–80% of ransom proceeds. Affiliates often operate multiple groups simultaneously and switch platforms based on available tools and law enforcement disruption of specific groups.

Initial Access Brokers (IABs): Specialists who obtain initial access to corporate networks (through phishing, vulnerability exploitation, or credential purchase) and sell that access to ransomware affiliates. IABs have created a market that separates the work of gaining access from the work of monetizing it.

Negotiation specialists: Professional negotiators who manage communications with victims, assess ability to pay, and optimize ransom amounts. Some operate as legitimate (if ethically questionable) ransomware negotiation consultants on the victim side; others work directly for ransomware groups.

Money laundering infrastructure: Converting cryptocurrency ransom payments into usable fiat currency requires significant money laundering infrastructure — mixing services, cryptocurrency exchanges with inadequate KYC, and increasingly sophisticated financial crime operations.

Law Enforcement Responses: Playing Whack-a-Mole

International law enforcement has made significant progress against ransomware groups — and those groups have demonstrated remarkable resilience.

LockBit takedown (2024): In February 2024, Operation Cronos — a joint law enforcement operation involving agencies from 10 countries — seized LockBit’s infrastructure, arrested members, and published decryption tools. Within two weeks, LockBit had relaunched with new infrastructure. A year later, LockBit remained operational, though with reduced capacity.

ALPHV/BlackCat disruption: The FBI disrupted ALPHV/BlackCat operations and released decryption keys for hundreds of victims. ALPHV subsequently executed an “exit scam” — pretending to be shut down while its principals presumably absconded with affiliate funds — before the ransomware code emerged in modified form under new group names.

Clop and MOVEit: The Clop group’s exploitation of a vulnerability in the MOVEit file transfer software affected hundreds of organizations worldwide. While law enforcement arrested Clop affiliates in Ukraine, the core group — believed to operate from Russia — remained at large and operational.

The pattern is consistent: law enforcement operations disrupt individual groups but the underlying ecosystem (RaaS infrastructure, affiliate networks, money laundering systems) regenerates rapidly. As long as ransomware remains extraordinarily profitable and primary actors operate from jurisdictions with limited law enforcement cooperation, full suppression is unlikely.

AI-Powered Ransomware: The Coming Wave

The intersection of AI and ransomware is creating new attack capabilities that security teams are only beginning to understand.

AI-generated phishing: CrowdStrike’s 2025 ransomware report found that 87% of security professionals believed AI makes phishing lures more convincing. AI can generate highly personalized spear-phishing emails — tailored to individual targets using information scraped from LinkedIn, corporate websites, and social media — at scale and speed that human attackers cannot match. The “Nigerian prince” era of obviously fake phishing is over; AI-generated phishing can be indistinguishable from legitimate communications.

AI-accelerated vulnerability discovery: AI tools can analyze code and network configurations to identify exploitable vulnerabilities faster than human researchers. The same AI capabilities available to defensive security researchers are available to criminal groups.

Deepfake social engineering: Voice deepfakes have been used to impersonate executives in vishing (voice phishing) attacks, including a documented case in 2024 where a finance employee wired $25 million based on a video call featuring what appeared to be the company’s CFO — a deepfake. Ransomware groups are beginning to incorporate these techniques into their initial access operations.

AI-optimized ransom negotiation: AI systems can analyze victim characteristics — financial data, insurance coverage, operational criticality of encrypted systems — to optimize initial ransom demands and negotiation strategies.

Experian’s 2026 cybersecurity threat report identifies AI as the major emerging factor reshaping the cyber threat landscape — increasing attack volume, sophistication, and the speed at which new techniques can be deployed at scale.

Healthcare: The Most Targeted, Most Vulnerable Sector

Healthcare has emerged as the sector most severely impacted by ransomware — for reasons that go beyond the obvious observation that healthcare data is valuable.

Operational criticality: Hospitals cannot afford downtime. Unlike a retail company that might accept days of IT disruption, a hospital whose patient monitoring systems, medication administration systems, or surgical scheduling are encrypted faces immediate risk to human life. This operational pressure creates strong incentives to pay ransoms quickly and without negotiation.

Underfunded cybersecurity: Healthcare organizations have historically underinvested in cybersecurity relative to other industries. Profit margins are thin, regulatory requirements have historically been less prescriptive about security controls than in financial services, and the technology environments are complex (mixing clinical systems from dozens of vendors, many running outdated software).

Legacy medical devices: Medical devices — infusion pumps, imaging equipment, patient monitors — often run outdated operating systems that cannot be patched without manufacturer validation, creating persistent unpatched vulnerabilities across healthcare networks.

Rich data target: Electronic health records contain Social Security numbers, insurance information, financial data, and extraordinarily sensitive personal information — making healthcare data among the most valuable on criminal markets.

The consequences of healthcare ransomware extend beyond the attacked organization. Studies published in 2023 and 2024 found statistically significant increases in in-hospital mortality rates in hospitals adjacent to a ransomware victim — because attack victims divert patients to neighboring hospitals, overwhelming their capacity and degrading care quality.

What Organizations Must Do

Against this threat landscape, effective defense requires a multi-layered approach:

Immutable backups: The fundamental defense against ransomware is backups that cannot be encrypted by the ransomware. Backups must be isolated from the main network (offline or in a separate cloud tenant) and tested for restoration regularly. Organizations that can restore from backup in hours have dramatically more negotiating leverage than those who cannot restore at all.

Privileged access management: Ransomware moves laterally using administrative credentials. Strict privileged access management — minimizing the number of accounts with domain administrator privileges, requiring MFA for administrative access, and time-limiting privileged sessions — significantly constrains ransomware’s ability to spread.

Network segmentation: Isolating critical systems in separate network segments limits ransomware’s ability to encrypt everything. A ransomware attack contained to one network segment is a serious incident; one that encrypts everything is a catastrophe.

Endpoint detection and response (EDR): Modern EDR tools detect ransomware behavior patterns (rapid file encryption, shadow copy deletion, network scanning) before the attack completes — enabling interruption before full-scale damage.
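As an added illustration (not code from the article or from any EDR vendor), the toy detector below applies two of the behavioural signals named above to constructed endpoint telemetry: a command line that deletes Volume Shadow Copies, and a burst of file renames that append a new extension, as seen during bulk encryption. The event format, process IDs and thresholds are assumptions made for the example.

```python
"""Toy EDR-style detector for two ransomware behaviours: shadow-copy deletion
and a burst of extension-adding file renames from a single process."""
import re
from collections import defaultdict, deque

# Command lines commonly used to destroy Volume Shadow Copies before encryption.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.IGNORECASE)
RENAME = re.compile(r"^(?P<old>.+?) -> (?P<new>.+)$")

def is_ext_added(old: str, new: str) -> bool:
    """True when the new name is the old name plus an extra extension
    (e.g. q1.xlsx -> q1.xlsx.locked), the typical encrypt-and-rename pattern."""
    return new.startswith(old + ".")

def detect(events, burst=20, window=10.0):
    """events: iterable of (timestamp_seconds, pid, kind, detail) tuples, where
    kind is 'proc' (detail = command line) or 'file' (detail = 'old -> new').
    Returns a list of (pid, alert_name) tuples in the order they fired."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ts, pid, kind, detail in events:
        if kind == "proc" and SHADOW_DELETE.search(detail):
            alerts.append((pid, "shadow_copy_deletion"))
        elif kind == "file":
            m = RENAME.match(detail)
            if not m or not is_ext_added(m["old"], m["new"]):
                continue
            q = recent[pid]                 # sliding window of rename timestamps
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= burst and pid not in flagged:
                flagged.add(pid)            # alert once per process
                alerts.append((pid, "rename_burst"))
    return alerts

def sample_events():
    """Constructed telemetry (not real data): one process that wipes shadow
    copies and renames 25 files in 5 s, and one benign process renaming a file."""
    ev = [(100.0, 4410, "proc", "vssadmin.exe delete shadows /all /quiet"),
          (101.0, 2200, "proc", "winword.exe /n report.docx"),
          (103.0, 2200, "file", "C:\\Users\\a\\Docs\\report.docx -> "
                                "C:\\Users\\a\\Docs\\report.docx.bak")]
    for i in range(25):
        ev.append((102.0 + i * 0.2, 4410, "file",
                   f"C:\\Users\\a\\Docs\\f{i}.xlsx -> C:\\Users\\a\\Docs\\f{i}.xlsx.locked"))
    return sorted(ev)

if __name__ == "__main__":
    print(detect(sample_events()))
```

Real EDR products correlate many more signals (entropy of written data, canary files, privilege changes); the thresholds here are illustrative and would need tuning against a given environment's baseline.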

Incident response planning and practice: Organizations that have documented, tested incident response plans recover faster and with less damage than those improvising under attack pressure. Tabletop exercises that simulate ransomware scenarios are the most valuable preparation investment.

Conclusion

The global ransomware crisis is not a technology problem with a technology solution — it is a complex socioeconomic problem requiring coordination across law enforcement, governments, the security industry, and individual organizations. The technology tools for defense are available and effective; the challenge is deployment, governance, and sustained investment.

Every 19 seconds, another organization somewhere in the world is learning this lesson the hard way. The question for every organization reading this article is whether they will learn it from their own incident — or from someone else’s.

Decision Radar (Algeria Lens)

Dimension / Assessment

Relevance for Algeria: High — Algeria’s accelerating digitization across government e-services (AADL, Chifa, El Bayane), banking (CIB/SATIM payment networks), telecom operators (Djezzy, Mobilis, Ooredoo), and healthcare (Chifa system, hospital networks) creates a rapidly expanding attack surface that ransomware groups are actively probing across North Africa and MENA.

Infrastructure Ready?: Partial — Algeria lacks a fully operational national CERT with 24/7 incident response capability; SOC maturity varies widely across sectors, with banking being relatively advanced while healthcare and government agencies often lack dedicated security operations; many public-sector systems run legacy software with irregular patching cycles.

Skills Available?: Partial — Algerian universities produce cybersecurity graduates and ANSSI (the national security agency) runs training programs, but experienced incident responders and threat hunters remain scarce; private-sector talent drain to Gulf states and Europe compounds the shortage; no established ransomware-specific forensics capability exists domestically.

Action Timeline: Immediate — Algerian organizations should begin implementing immutable backup strategies, network segmentation, and privileged access management now; the threat is already present, not hypothetical.

Key Stakeholders: CISOs and IT directors at Algerian banks and telecom operators, Ministry of Digital Economy and Startups, ANSSI, hospital IT administrators, Sonatrach and Sonelgaz IT security teams, Algeria Post and SATIM.

Decision Type: Strategic — Requires national-level coordination on incident response frameworks and organizational-level investment in ransomware-specific defenses.

Quick Take: Algeria’s ongoing digital transformation — from government portals to banking systems to healthcare networks — makes ransomware preparedness an urgent national priority, not a future concern. The absence of a fully operational CERT and the shortage of trained incident responders mean that a major ransomware event hitting Algerian critical infrastructure (energy, telecoms, healthcare) could cause prolonged disruption with limited domestic capacity to contain it. Organizations should treat the global ransomware statistics in this article as a direct warning and begin hardening defenses immediately.
