By Dr. Matthew Loux and Bryce Loux  |  09/04/2025



In May 2021, the Colonial Pipeline was the victim of a ransomware attack. This high-profile event forced the shutdown of fuel supplies in the southeastern U.S.

It also sparked widespread panic buying, created long lines at gas stations, and revealed issues regarding national security. The Colonial Pipeline attack also brought to light the growing concern of cyber extortion, which has become more frequent and sophisticated over time.

Ransomware is a form of malicious software that blocks or restricts access to a computer system or data until a ransom is paid. It is a form of cyber extortion in which the attackers withhold access until they are paid in Bitcoin or another cryptocurrency.

Ransomware attacks are a fast-growing and disruptive form of cybercrime. These attacks threaten both organizations and individual victims by compromising sensitive data.

 

Understanding Ransomware and Cyber Extortion Attacks

Ransomware works by encrypting an organization’s files, making them inaccessible. To regain access, the victim must pay the ransom to receive a decryption key.

Initially, ransomware attacks focused on individual victims to block their ability to regain control of their devices. Now, cybercriminals have shifted to targeting organizations with large amounts of proprietary or confidential data that needs to be protected.

There are also double extortion ransomware attacks, where attackers encrypt files and also steal the victim’s data, threatening to publish it if the ransom is not paid. Some attackers focus exclusively on blackmail and data exfiltration (theft of a victim's data) without any encryption. 

Cyber extortion has become much easier to carry out because of the emergence of Ransomware-as-a-Service, or RaaS. Today, cybercriminal developers create the kits and lease them out, enabling even attackers with limited skills to launch an attack. The professionalization of ransomware has led to an unimaginable rise in attacks around the world.

 

The Broad Scope of Threats 

Brandefense, a cybersecurity company, has tracked 38 active ransomware groups in 62 countries across 22 industries. According to Brandefense, manufacturing (20.5%), business services (12%), and construction (10.2%) were the most targeted sectors.

Brandefense also notes that there were significant increases in attacks within healthcare, retail, and education. This expansion illustrates a shift in attackers’ focus: instead of targeting solely high-profile corporations, attackers are also exploiting smaller businesses and critical infrastructure systems.

 

The Financial Effects of Cyber Extortion 

The financial consequences of ransomware attacks continue to climb. Attackers demand increasingly higher sums to remove their file encryption, and the average ransom payment is now $5.13 million according to PurpleSec.

Beyond the ransom itself, a data breach also causes immense reputational damage. Ransomware threats cripple business operations, and during the resulting downtime, businesses are under heavy pressure to regain access and get back to work.

Attackers are more frequently engaging in double extortion ransomware attacks, committing data exfiltration and threatening to leak the victim’s files unless payment is made. The stolen information frequently includes customer data from government entities, healthcare providers, and other high-value targets. Unfortunately, paying the ransom does not guarantee data recovery and may encourage even more future attacks. 

Another major concern for organizations is regulatory fines and legal fees, along with the loss of reputation and customers. If the organization has cyber insurance, the premiums tend to go up and the coverage goes down. 

 

The Part Ransomware-as-a-Service Plays in Cyber Extortion Attacks

Cybercrime is becoming easier because of RaaS. Operations like RansomHub and Knight sell ransomware kits that allow low-skilled people to deploy ransomware for their own purposes.

As a result, there is an increasing number of independent attackers working alone, often using leaked or repurposed ransomware code. The rise in small-scale initial access brokers – criminals who sell entry into networks – has made it easier for attackers to move quickly from initial compromise to full-scale attacks.

Once inside a computer system, attackers often perform privilege escalation to gain broader control, conduct data theft, and execute lateral movement across a victim’s network. Consequently, the attack is harder to detect and contain.

 

Exploiting Vulnerabilities at a New Level 

Ransomware groups are exploiting known vulnerabilities in widely used software to conduct double extortion attacks. Two notable examples from 2025 include CVE-2024-50623 and CVE-2023-22527.

CVE-2024-50623 affects Cleo Harmony and VLTrader products and allowed attackers to execute arbitrary commands. CVE-2023-22527 affects Atlassian Confluence servers and gave unauthenticated attackers access to the underlying operating system.

These exploits show how critical patching and managing software vulnerabilities are. Failing to apply security updates risks severe breaches, stolen data, and disruption to critical systems. Unpatched security weaknesses can also lead to significant data exposure, increasing the potential damage when an attack occurs.

 

Cybersecurity and the Human Element

When it comes to maintaining cybersecurity, humans remain a persistent vulnerability. An unwary person can be the victim of a phishing attack, which is the most frequent form of an initial security compromise.

Phishing attacks lead to stolen credentials, privilege escalation, and unauthorized access to a victim’s system. Poorly trained staff, weak passwords, and absent multi-factor authentication (MFA) continue to put organizations at risk.

 

Ransomware Attackers Often Go Unpunished

Many ransomware gangs go unpunished because they operate from countries that have no extradition treaties or weak cybercrime enforcement.

The regions worst affected by cyberattacks in 2025 include:

  • North America and the U.S. in particular, which has had its manufacturing and healthcare industries targeted by cybercriminals
  • Europe, which is suffering coordinated attacks on infrastructure and public services
  • The Asia-Pacific region, which is seeing more attacks on supply chains
  • Latin America, which is seeing an increase in attacks targeting small and mid-sized businesses because local cyber criminals are using the RaaS model

 

Attacks Are on the Rise

Ransomware actors impact the global economy. Attacks and ransom demands by malicious actors are on the rise, too.

A report from Cybercrime Magazine predicts that by the end of this decade, an attack will occur every two seconds and cost victims around $275 billion annually.

The critical infrastructure sectors of governments, healthcare, and education have become particularly vulnerable to ransomware activity. Hospitals have suffered from ransomware attacks that caused patient record encryption. The education sector has also become a frequent target of threat actors because of its limited budgets, extensive networks, and critical files containing sensitive information about students.

Cybercriminals or threat actors have started using AI (artificial intelligence) technology in software exploitation, file encryption, and the creation of more advanced phishing emails. Additionally, there is an abundant supply of ransomware kits, data leak sites, and tutorials on the dark web, as well as support services for cyber attackers. 

 

Ransomware Can Be Used for Psychological Warfare and Harassment 

Modern ransomware disruptions have largely been categorized under psychological warfare. This warfare takes various forms, including: 

  • Harassment via a phone call or email
  • Social media account takeovers 
  • Public shaming on data leak sites

During the MGM Resorts attack, the attackers used social engineering techniques via LinkedIn®, made false calls for tech support, and exploited trust to gain initial access to sensitive information in the MGM Resorts system. This attack damaged the organization’s reputation, caused a financial loss, and led to a lack of customer trust in MGM Resorts.

 

Who’s Behind the Attacks? 

Organized cybercrime groups like LockBit, Conti, and BlackCat operate like structured businesses under the Ransomware as a Service (RaaS) model. They provide customer support along with revenue-sharing models.

In some situations where politically important targets are involved, some nation-state actors are suspected. Governments have associated Lazarus from North Korea and APT28 from Russia with cyber extortion campaigns aimed at rivals or funding regimes under economic sanctions.

Because ransomware kits are easy to obtain, organized groups, solo acts, and random hackers can all perform attacks. The easier it has become to obtain these tools, the more small-scale, opportunistic attacks we will see.

Thankfully, ransomware attacks are now being addressed by governments and law enforcement. In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are developing supply and demand partnerships in the private sector to provide better guidance for organizations dealing with ransomware. 

Internationally, things are also getting better. INTERPOL and Europol have collaborated on coordinated ransomware network takedowns and supported information sharing across borders. 

However, inconsistent laws and weak cybercrime frameworks in some countries obstruct the prosecution of cybercriminals. Debates continue over banning ransom payments to remove the financial incentives to cyber extortion.

 

Using AI For Attacks

AI is becoming more popular on both the defensive and offensive sides of technology. For example, the FunkSec group uses AI to create polymorphic malware. This malware can:

  • Bypass traditional detection systems
  • Automate tailored phishing attacks
  • Analyze previously stolen data sets to identify high-value targets for extortion

AI is used for threat detection and response systems on the defensive side, but the use of AI on the offensive side seems to be gaining more momentum. While AI presents new challenges for security professionals, operational security and online surveillance must always remain top priorities. 

 

Ransomware Defense Strategies 

While it might not be possible to completely eliminate the threat of ransomware, there are several steps that organizations and cybersecurity professionals can take to minimize their exposure in the current threat landscape: 

  • Implement multi-factor authentication
  • Conduct scheduled software updates
  • Train staff on phishing scams and patch management
  • Store data offline to maintain uninterrupted access to information and avoid an excessive ransom demand
  • Implement incident response plans to enable tailored risk responses to be triggered and relevant parties to be informed
  • Coordinate across industry sectors and international borders 

The threat of cyberattacks and breaches of sensitive data cannot be ignored. As businesses prioritize innovation, they must simultaneously focus on bolstering their cybersecurity systems. Today's businesses need to take more cybersecurity measures and not only consider whether they will be targeted, but how prepared they are to deal with it when an attack occurs. 

The growing sophistication of modern-day attack vectors, combined with their escalated aggressiveness, has made the need to act urgent. Cybersecurity is no longer confined to IT – it now touches every aspect of business. Protecting against cyber threats in the ransomware threat landscape should be a priority for all companies, big and small.

Ultimately, combating ransomware and cyber extortion is a global challenge. But with resilience, intelligence, and cooperation, it’s one we can meet.

 


LinkedIn is a registered trademark of the LinkedIn Corporation.


About The Authors
Dr. Matthew Loux
Dr. Matthew Loux is an assistant professor at American Military University. He holds a bachelor’s degree in criminal justice and law enforcement administration and a master’s degree in criminal justice administration from the University of Central Missouri State. In addition, Matt has a doctoral degree in management from Colorado Technical University and is pursuing a Ph.D. in educational leadership and administration at Aspen University. He is a Certified Financial Crimes Investigator, a Certified Fraud Specialist, and a Certified Fraud Examiner.
Bryce Loux
Bryce Loux is an alumnus of American Public University. He holds a bachelor’s degree in fire science with a minor in criminal justice. Bryce is currently a student success coach.