You may also remember seeing an unremovable message from the “Police of the Slovak Republic” on your computer screen back in 2013. It urged you to pay a fine for your repeated “violation of legislation.” While a few years ago such types of ransomware spread like an avalanche, today they are rather rare. What is trending are surgically precise attacks, where attackers track their targets, study their infrastructure, use tools to steal credentials, and are far more dangerous for smaller business entities.
Small and medium-sized enterprises in 2025 have undoubtedly found themselves on the front line of ransomware attacks. Estimates vary from one statistic to another, mainly because private companies are reluctant to disclose breaches, but even more conservative figures suggest that more than 90% of attacks are directed at SMEs. For attackers, they are “low-hanging fruit” because they often lack sufficient security and respond more slowly than large corporations. Their investments in cybersecurity are significantly lower, which means that any unpatched system or inattentive employee can become an entry point.
In many cases, an attack paralyzes the entire operation of a company. More than half of affected businesses experience downtime exceeding ten days, leading to both financial and reputational damage. When operations are finally restored, the damage is only beginning: from missed contracts to disappointed clients. Many companies still do not have a plan for handling such situations. Without a clear strategy and backups, every attack can turn into a fight for survival.
The ransomware landscape is changing, but the attacks remain
After the “golden era” of ransomware during and after the COVID-19 pandemic, the growth of this favored cybercriminal practice has slowed, and in some categories, such as the volume of paid ransoms, even declined year-on-year. To a large extent, hackers themselves are to blame, as they escalated their activities so aggressively that they quickly drew the attention of government agencies worldwide.
In 2024, coordinated international operations targeted some of the most well-known ransomware groups, disrupting their structures and reshaping the balance of power in the cybercriminal ecosystem. The ransomware landscape suddenly became more fragmented and less predictable. Instead of a few strong, centralized organizations, today’s attacks are carried out by groups using multiple ransomware variants simultaneously to reduce risk.
Government institutions were finally able to breathe a bit easier in 2024, with recorded attacks dropping by 51%. They are also increasingly less likely to pay ransoms, making them less attractive targets for attackers. According to some sources, overall ransom payments also declined by approximately 35% year-on-year in 2024 (from $1.25 billion to nearly $814 million), mainly due to the efforts of international agencies combating cybercrime.
Despite this decline, however, the total number of ransomware incidents increased by 46% year-on-year by early 2025, indicating more frequent attacks but with evolving tactics. Less than half of ransomware attacks in 2025 involve data encryption, which is the traditional hallmark of ransomware. This may suggest that attackers already count on victims’ fear of having stolen data publicly exposed. There are cases where an attacker demands a $2 million ransom, knowing that regulatory penalties for data breaches would be significantly higher.
Next-gen ransomware: silent, precise, and fast
Today’s attackers are sophisticated, far better organized, and incredibly fast. The average time between initial network breach and full ransomware deployment has dropped to 48 minutes. In some cases, it takes an astonishing 51 seconds. Instead of brute-force intrusions, attackers often simply use compromised employee accounts, log in as legitimate users, and move quietly through the network. As many as 96% of ransomware attacks also target backup systems to prevent data recovery. Even “properly” configured backups may no longer guarantee safety if they are not isolated or kept offline.
Over the past decade, ransomware has effectively become a business model. As we highlighted in our recent blog about the now-defunct Conti group, attackers are not anonymous “hoodie-wearing” individuals. They are sophisticated and well-organized groups with clearly defined management structures and roles. They follow established procedures and commonly use Ransomware-as-a-Service (RaaS), where “developers” provide attack tools to other criminals in exchange for a share of the ransom. Estimates from the first half of 2025 suggest there are 96 active ransomware groups—almost 40% more than the previous year.
Welcome to the era of AI-driven attacks
Only recently, hackers used the AI tool Claude at scale for a complex ransomware campaign. They managed to automate credential and data theft, write extortion emails, and even negotiate ransoms worth hundreds of thousands of dollars using AI. Nearly 20 organizations were reportedly affected, ranging from public entities to religious institutions. So far, this is only a small, but all the more alarming, glimpse of what lies ahead.
Just as defenders use AI today, attackers are already leveraging it as well. AI can generate highly personalized phishing messages, mimic internal communication styles, or rapidly test which vulnerabilities are still exploitable. It is thus becoming a significant catalyst for both the volume and sophistication of ransomware threats.
We monitor the hackers – so you don’t have to
We closely monitor the inner workings of various hacker groups. We are connected to multiple sources, including intelligence databases and analytical networks, and we also track channels that help expose cybercriminals. We know which leaked credentials are “circulating” online and can alert you if they involve access to your company’s systems.
Binary Confidence is the very first company in Slovakia to provide Security Operations Center (SOC) services, and we have spent years focusing on active protection. We offer a comprehensive portfolio of services that can significantly strengthen your organization’s cyber resilience:
Securea – An advanced tool for managing cyber risks and ensuring compliance with security regulations. It enables efficient management of security processes, risk assessment, and optimization of investments in the protection of sensitive data.
Protegamus – A simulation platform for training in cyber incidents that allows IT teams and staff to practice responses to real-life cyberattacks. Interactive exercises help quickly and effectively improve the resilience of any organization that uses them.
If you suspect that you have become a target of an attack, or if you want to proactively strengthen your cybersecurity posture – get in touch with us. We know who we are dealing with. And we know how to defend against them.
The project funded through grant agreement number 101145856 is supported by the European Cybersecurity Competence Centre.