
For years, ransomware’s formula for success has been simple and effective—encrypt or steal an organization’s critical data, then extort them into paying for recovery or silence. But recently, governments worldwide have stepped forward with efforts to regulate or prohibit payments.
This past July, the UK announced plans to prohibit public sector bodies from paying ransoms. This includes health care providers, local councils, schools, and regulated critical national infrastructure operators. In the US, several proposals are underway that would mandate the disclosure of ransom payments to regulators. As of September 2025, Ohio will require local governments to formally approve ransomware payments made by counties, cities, school districts, and libraries.
Yet, while these proposals continue to develop, many organizations continue to pay, creating a never-ending cycle that ensures that ransomware remains a vital cog in the cybercrime economy. According to the 2025 Verizon DBIR, ransomware was present in 44% of all breaches, representing a 37% year-over-year increase. And Cybersecurity Ventures estimates that cybercrime cost the world $9.5 trillion in 2024.
Much of ransomware’s success relies on data exfiltration, which significantly increases the pressure on victims to pay, even for those with reliable backups in place. The 2025 DBIR highlights why the pressure works:
- The Cost of Business Interruption: Third-party involvement in breaches has doubled to 30%, and supply chain attacks are extending downtime. According to research from BigPanda, the average cost per minute of downtime has escalated to $14,056 for all organizations and $23,750 for large enterprises.
- The Explosion of Data Exposure: Secrets and credentials are increasingly leaked in public repositories and underground markets. This provides attackers easy access to sensitive systems. The DBIR reports that 441,000 secrets were found leaked on public code repositories.
- The Vulnerability of SMBs: Small and medium-sized businesses are particularly vulnerable, lacking the resilience to withstand prolonged outages, ultimately making them more likely to pay. Ransomware appeared in 88% of SMB breaches compared to 39% of large enterprise breaches.
At the end of the day, the costs of downtime, reputational harm, and regulatory exposure often dwarf the ransom demand, so it is easy to see why businesses may opt to authorize payments, even in cases where recovery remains uncertain.
Another reason for ransomware’s endurance is its continued evolution. For example:
- Threats are more challenging to detect than ever, thanks to increasing use of AI-driven campaigns and polymorphic ransomware, which possesses a “shapeshifting” capability that traditional defenses struggle to detect, let alone stop.
- Criminals are exploiting vulnerabilities such as unpatched software flaws that exist in internet-facing, edge, or gateway devices. Today, exploitation accounts for 20% of ransomware-related initial access. Of these, zero-day exploits targeting edge devices have increased by a factor of eight year over year.
- Fileless and destructive ransomware operates entirely in a system’s memory, allowing it to bypass traditional recovery strategies, even in well-prepared organizations, which ultimately struggle to restore operations.
This evolution continues as governments debate bans and disclosure rules. As onlookers wait to see how these discussions play out, cybercriminals are successfully expanding the attack surface. Rather than waiting for outside forces to weigh in, a business’s best bet is to shift from payouts to prevention in the form of preemptive defenses and resilience.
Preemptive defenses and resilience combine AI-powered anomaly detection, capable of identifying unusual behavior before encryption or exfiltration occurs, with Zero Trust architectures that enforce least privilege and limit lateral movement. They also include ephemeral credentials and continuous monitoring to prevent credential abuse, a unified incident response that integrates IT, security, and business continuity to shrink downtime, and regular testing and tabletop exercises to ensure response strategies keep pace with evolving ransomware tactics.
If you’ve read the 2025 DBIR, you already know that ransomware is growing at an alarming rate. You also know, perhaps from firsthand experience, that fighting off these attacks is a bigger struggle than ever before. While discussions around disclosure mandates and ransom payment bans gain momentum, many victims will continue to opt for payouts as the best course of action, but that doesn’t guarantee full system recovery or help the business avoid future attacks. The best approach is to eliminate ransomware altogether by deploying prevention, resilience, and structural defenses.
____
About
Brad LaPorte – Chief Marketing Officer at Morphisec and former Gartner Analyst
Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.