Veeam recently held its user event, VeeamON 2025, in San Diego. The annual show has been used by the data resilience market leader to announce new products and innovations to the thousands of attendees. One mainstay of the event has been the release of Veeam’s state of ransomware report that highlights key trends and how the fight against this trend is progressing.
With the RSAC security show on tap, I thought it made sense to look at the highlights of the report and implications to security teams. The most glaring data point is how prevalent ransomware is today. Nearly 70% of companies have experienced a ransomware attack in the past year, slightly down from 75% the year before. Don’t be fooled by this improvement. Ransomware has advanced, cybercriminals are smarter and companies have a harder time recovering from ransomware attacks, according to Veeam’s “2025 Ransomware Trends & Proactive Strategies” report.
The report, based on a survey of 1,300 organizations worldwide, uncovered a major shift in how cybercriminals operate. They’re skipping their usual tactic of locking down systems, going straight for data theft instead. The new tactic is to break into a network, extract sensitive data, such as financial records or intellectual property, and then threaten to release it unless a ransom is paid. These exfiltration-only attacks happen fast and are harder to detect, especially when companies have weak security.
It’s not just the tactics that have changed, but also the groups carrying out ransomware attacks. In 2024, global law enforcement took down groups such as LockBit, BlackCat and Black Basta. This enforcement caused smaller groups to form, many of which now focus on mid-sized businesses with weaker defenses.
These cybercriminals are also launching attacks much faster. Last year, for example, two of the top ransomware groups carried out attacks in less than 24 hours after gaining access. Historically, threat actors would break into an environment, and it could take weeks or even months to determine what data to steal. The accelerated speed of entry to theft removes most of the time security teams have to find the anomalies that could lead to indicators of compromise.
One positive trend is that fewer companies are giving in to ransom demands. In 2024, 36% of victims refused to pay at all, and many who did managed to negotiate much lower payments. On average, 82% of those who paid ended up paying less than the original demand. The typical ransom dropped by nearly half, hitting a low of $110,000 by the end of 2024.
Companies that worked with incident response experts were far less likely to pay, proving how important outside help can be during a crisis. It’s hard to call this a win, but at least the financial damage is minimized — although one could argue the bad actors are making it up in volume.
One trend I’ve seen over the years is that paying a ransom doesn’t guarantee safety, and the Veeam report bore that out. It found 69% of companies that paid a ransom were attacked again. Additionally, new laws and international efforts are discouraging payments altogether. The International Counter Ransomware Initiative, backed by 68 countries, is pushing organizations to strengthen defenses rather than fund cybercriminals. Some governments have even banned public sector ransom payments.
The real challenge comes with recovery. That’s where many companies fall short. The majority of the survey respondents — 89% — said attackers targeted their backups. On average, a third of those backups were tampered with or deleted. Fewer than 10% recovered 90% of their servers on time, and barely half recovered most of their systems at all.
Don’t Skip the Best Practices
Why is recovery so difficult? Many companies skip basic best practices. Only 32% used immutable backups that can’t be altered, while 28% tested their restored data in a safe environment before bringing systems back online. Shockingly, nearly 40% restored data directly into live environments without checking for malware, opening the door to reinfection and extended downtime.
I’ve talked to CISO after CISO who has confessed that they restored infected data, which then led to another breach and another ransomware request. It’s critical that companies have an immutable copy of clean data to recover from.
While technology is critical, the report highlighted how often companies underestimate the important role people play in ransomware response. Only 26% had a clear process for deciding whether to pay a ransom, and 30% had a defined chain of command for handling attacks. Over a third of companies let internal staff communicate directly with cybercriminals, instead of bringing in professional negotiators, which is risky.
Although 98% of companies had a ransomware response plan, less than half included key details like verified backups (44%), clean backup copies (44%), alternative infrastructure (37%), containment plans (32%) or a clear chain of command (30%). The companies that recovered fastest were the ones that had these details locked down and practiced their response ahead of time.
Most companies recognize they need to do better. Nearly all of those surveyed said they plan to increase their budgets for both prevention and recovery in 2025. However, Veeam warned that throwing money at the problem isn’t enough. Ransomware isn’t something companies can completely avoid. The real difference comes down to resilience, meaning how quickly and effectively a company can get back on its feet after an attack.
The companies that recover quickly make sure their backups are locked down and clean before restoring anything. They also don’t solely rely on their IT teams to fight fires. They invest in good security habits, such as updating systems, limiting access and using better detection tools. Lastly, they don’t handle everything on their own. They hire incident response teams and negotiators who know how to manage the situation.
In other words, the companies that bounce back fastest are the ones that plan ahead, don’t cut corners when it comes to security and know when to ask for help.
Deutsch 
English