Report: Ransomware Remains Most Costly Form of Attack

The newly released Coalition 2025 Cyber Claims Report offers a detailed analysis of the cyber threat landscape in 2024, focusing on ransomware trends, initial access vectors, data exfiltration practices, and exploited vulnerabilities.
Ransomware remained a significant threat in 2024, with claims stabilizing yet continuing to be the most costly and disruptive type of cyberattack. The average ransom demand decreased by 22% year-over-year to $1.1 million, with the latter half of 2024 seeing demands fall below $1 million for the first time in over two years.
Among the various ransomware variants, Akira was the most reported, accounting for 13% of claims, while Black Basta, though less frequent, had the highest average demand at $4 million.
Initial access vectors (IAVs) played a crucial role in ransomware incidents. Stolen credentials were the most common IAV, involved in 47% of ransomware claims, followed by software exploits at 29%.
Perimeter security appliances, such as VPNs and firewalls, were frequently targeted, with products from vendors like Fortinet, Cisco, SonicWall, and Palo Alto Networks being commonly compromised.
Additionally, Coalition detected over 5 million internet-exposed remote management solutions and tens of thousands of exposed login panels, highlighting the risks associated with exposed credentials and misconfigured systems.
Data exfiltration has become a standard component of ransomware attacks. Threat actors often steal sensitive data before encrypting systems, using the threat of public exposure to pressure victims into paying ransoms. This tactic not only increases the likelihood of ransom payments but also escalates the severity of incidents, leading to more substantial insurance claims due to data privacy violations.
The report also highlights a significant increase in software vulnerabilities. Coalition forecasts that over 45,000 software vulnerabilities will be disclosed in 2025, marking a 15% increase over the first 10 months of 2024. This surge underscores the importance of proactive vulnerability management and patching practices to mitigate potential exploitation by threat actors.
These findings emphasize the evolving nature of cyber threats and the necessity for organizations to adopt proactive cybersecurity measures. Regular patching, securing remote access points, and implementing robust data protection strategies are critical steps in enhancing resilience against cyberattacks.
Takeaway: Ransomware is still the biggest threat out there, full stop. Every year we see these little dips in average ransom amounts and folks start to breathe a little easier, but that’s a mistake.
The business of ransomware is still booming, and it’s not slowing down. Why would it? The risk is low, the upside is massive, and the odds of getting caught are basically zero for most of these crews.
The truth is, we don’t even know how big the problem really is. Most of these attacks never get reported. They don’t show up in breach notifications, they don’t hit the headlines, and they definitely don’t get tallied in public datasets.
After law enforcement put the heat on groups like LockBit and BlackCat/ALPHV, a bunch of operators stopped posting their victims to leak sites entirely. That wasn’t surrender—it was strategy. Keep a low profile, stay out of the spotlight, and keep the money flowing.
Yes, the average ransom payout dipped a bit, but that’s not the story. The real story is more attacks, more losses, and sharper tactics. Crews are going after bigger fish—targets that feel pain fast when operations get frozen. That’s how you get higher demands and faster payouts. It’s efficient. Ruthless. Profitable.
So no, ransomware’s not going anywhere any time soon. It’s evolving, it’s scaling, and attackers are reinvesting in improving their capabilities. It’s still the biggest cyber threat organizations face, whether they know it or not.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies. Talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.