Ransomware Gangs Get Violent. What’s a CISO to Do?

According to Dark Reading, new research from Semperis CISO Jim Doggett paints a grim picture for 2025. While Chainalysis data shows ransomware payments dropped 35% to $814 million in 2024 from a record $1.3 billion in 2023, the threat has morphed into something more sinister. The study found that in 40% of recent attacks, adversaries threatened to physically harm executives, and 69% of successfully breached organizations paid a ransom. Alarmingly, 56% of organizations across major Western countries and allies were successfully breached last year, with over half of those that paid being hit multiple times. The financial toll is severe, with half of paying organizations suffering annual losses between $500,000 and $1 million, not counting insurance hikes or job losses.

The New Rules of Extortion

So here’s the thing: when the easy money dries up, criminals get creative and ruthless. The drop in overall payments isn’t a sign of victory; it’s a sign of market consolidation. Gangs are focusing harder on the victims they know will pay, and they’re turning the screws to ensure they do. Threatening to break knees is a hell of a lot more persuasive than just encrypting some files. And it’s working. Combine that with other pressure tactics like threatening data destruction (63% of cases) or filing regulatory complaints (47%), and you’ve got a perfect storm for compliance-driven organizations.

But the technical playbook is still foundational. The report notes that identity systems like Active Directory were compromised in 83% of attacks. Those are the crown jewels: whoever controls the directory can mint credentials for any account, push policy to every domain-joined host, and stage the encryptor everywhere at once, so persistence and lateral movement stop being the hard part. And with AI poised to supercharge everything from phishing to vulnerability discovery, the offensive tools are only getting cheaper and more effective. The barrier to entry is collapsing. Basically, the business model is evolving from smash-and-grab to systematic, repeated extortion of the vulnerable.

Shifting From Prevention to Resilience

This is why the old mantra of “prevent all breaches” is not just unrealistic, it’s a dangerous fantasy. The first rule now is to assume breach. I think CISOs are finally internalizing that it’s not *if* but *when* and *how often*. The goal shifts completely from pure prevention to resilience: how fast can you detect, contain, and recover? This is where the classic triad of people, process, and technology gets real. Prompt patching and MFA are table stakes. The real differentiators are automated response, immutable backups with a tested restore path (including for Active Directory itself, since nothing else comes back until the directory does), and, crucially, well-drilled incident response playbooks that are exercised regularly rather than filed away.
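As an added example (not code from the article, from Dark Reading, or from the Semperis report), the Python below shows what “assume breach” looks like in practice for the identity layer discussed in the two paragraphs above: a few detection rules run over constructed Windows Security event records for the Active Directory abuse patterns that precede a ransomware deployment (a DCSync replication request from a non-domain-controller account, a membership change to a Tier 0 group, RC4 service-ticket requests typical of Kerberoasting, and one account fanning out network logons across hosts), with each finding mapped to a containment action. The event IDs and the replication-right GUIDs are the real Windows values; the thresholds, the sample records, the field names as flattened here, and the response strings are assumptions for the example.

```python
"""Detect common Active Directory compromise indicators in Windows Security
event records and map each hit to a containment action.

Added example, not from the original article or the Semperis report. The
event records below are constructed; event IDs (4662, 4728/4732/4756, 4769,
4624) and the replication GUIDs are real Windows values, but the rules are
illustrative heuristics, not a complete detection set."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extended rights used by directory replication; a non-DC account requesting
# them on the domain object is the classic DCSync indicator (event 4662).
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Groups whose membership changes should always page someone (assumed list).
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
# "Member added" events for global / local / universal security groups.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Lateral-movement heuristic (assumed thresholds): one account logging on to
# this many distinct hosts over the network within the window.
LATERAL_HOSTS = 3
LATERAL_WINDOW = timedelta(minutes=10)

# Containment action suggested per finding type (labels only; wiring them to
# a SOAR or identity platform is outside this example).
RESPONSE = {
    "dcsync": "disable account, rotate krbtgt twice, hunt for exported hashes",
    "tier0_group_change": "revert membership, disable actor, review change ticket",
    "kerberoast": "rotate the SPN account password, move it to a gMSA",
    "lateral_movement": "isolate source host, disable account, force re-auth",
}


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def detect(records):
    """Return a list of (finding_type, actor, detail) tuples for the records."""
    findings = []
    logons = defaultdict(list)  # account -> [(time, host)] for network logons
    for r in records:
        eid = r["EventID"]
        if eid == 4662:
            props = {p.strip("{}") for p in r.get("Properties", "").lower().split()}
            actor = r["SubjectUserName"]
            # DCs legitimately replicate; their machine accounts end in '$'.
            if props & DS_REPLICATION_GUIDS and not actor.endswith("$"):
                findings.append(("dcsync", actor, r["ObjectName"]))
        elif eid in GROUP_ADD_EVENTS and r["TargetGroup"] in TIER0_GROUPS:
            findings.append(("tier0_group_change", r["SubjectUserName"],
                             f"{r['MemberName']} -> {r['TargetGroup']}"))
        elif eid == 4769:
            # RC4 (0x17) service tickets for a user-account SPN are the
            # Kerberoasting pattern; computer accounts ('$') are excluded.
            svc = r["ServiceName"]
            if r["TicketEncryptionType"].lower() == "0x17" and not svc.endswith("$"):
                findings.append(("kerberoast", r["TargetUserName"], svc))
        elif eid == 4624 and r["LogonType"] in (3, 10):  # network / RDP
            logons[r["TargetUserName"]].append((_ts(r), r["Computer"]))
    for account, events in logons.items():
        events.sort()
        # Sliding window over the account's network logons.
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOSTS:
                findings.append(("lateral_movement", account, ",".join(sorted(hosts))))
                break
    return findings


def triage(records):
    """Attach the containment action to every finding."""
    return [(kind, actor, detail, RESPONSE[kind]) for kind, actor, detail in detect(records)]


# Constructed sample: a helpdesk account performs DCSync, adds a service
# account to Domain Admins, requests an RC4 ticket for a SQL SPN, and that
# service account then fans out across hosts. The DC's own replication event
# and the RC4 ticket for a computer account must not fire.
SAMPLE = [
    {"time": "2025-03-04T09:00:00", "EventID": 4662, "SubjectUserName": "DC01$",
     "ObjectName": "DC=corp,DC=example", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2025-03-04T09:01:10", "EventID": 4662, "SubjectUserName": "helpdesk.jsmith",
     "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2025-03-04T09:02:00", "EventID": 4728, "SubjectUserName": "helpdesk.jsmith",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "TargetGroup": "Domain Admins"},
    {"time": "2025-03-04T09:02:30", "EventID": 4769, "TargetUserName": "helpdesk.jsmith",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"time": "2025-03-04T09:02:31", "EventID": 4769, "TargetUserName": "helpdesk.jsmith",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x17"},
    *[{"time": f"2025-03-04T09:0{3 + i}:00", "EventID": 4624, "TargetUserName": "svc-backup",
       "LogonType": 3, "Computer": host} for i, host in enumerate(["FS01", "SQL01", "HR-WS12"])],
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

Run against the constructed sample, the script reports four findings (the DCSync, the Domain Admins change, the Kerberoast of svc-sql, and svc-backup's fan-out across three hosts) and stays silent on the domain controller's own replication and the RC4 ticket for a computer account. The point is less the individual rules than the shape: identity telemetry is where a ransomware intrusion becomes visible hours or days before encryption, and every rule here carries its containment step so that response can be automated rather than debated once the alert lands.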

And speed of recovery is everything. A slow, messy recovery is an open invitation for that same gang, or another one, to hit you again while you’re on your knees. Your resilience is your deterrent. This also has to extend rigorously to your supply chain: your network is only as strong as the weakest vendor that holds a trust relationship or standing access into it, and a compromised partner directory is an attacker’s path into yours.

The No-Win Payment Dilemma

Now, what about the big ethical question: to pay or not to pay? The data makes a compelling case against it. 55% of organizations that paid were hit multiple times. You’re not buying a solution; you’re buying a subscription. Plus, in 15% of cases, victims didn’t even get a working decryption key after paying. So you’re out the money AND still have a crippled network. But Doggett also warns that outright government bans on payments, as the UK is considering, could have disastrous unintended consequences. It could force payments underground, push critical infrastructure providers into bankruptcy, and create even more chaos.

Look, the UK public sector data is telling: 83% paid when compromised. If a ban comes in, what happens? Do hospitals just go dark? The answer isn’t in simplistic bans or hoping attackers play nice. It’s in building that cockroach-like resilience the gangs themselves have perfected. They adapt to survive. Defenders have to do the same. It’s a long-term cultural shift, not a quarterly project. The decline in crypto ransom revenue is a tactical blip, not a strategic win. The war is getting darker, more personal, and more expensive. And it’s just beginning.
