The U.S. was the reported victim in 58% of ransomware posts.

Credentials for victims of the Play, Akira, and Rhysida ransomware groups were found on cybercrime marketplaces between 5 and 95 days prior to the reported attack.

The average time between credentials being found and the reported ransomware attack was 2.5 weeks

Ransomware cases globally dipped by 32% in March (600 attacks) compared to February.

Safepay was the third most active threat group in March, with 42 attacks.

Babuk2 was the most active threat group, responsible for 14% of all attacks in March. Babuk2 drove ransomware activity with 84 attacks in March. This represents a 37% increase for Babuk2 from January (61 attacks).

Ransomware cases increased year-on-year by 46% in March.

Global median dwell time was 5 days when adversaries notified (notably in ransomware cases).

Akira and RansomHub shared second place of most active threat group in March, with 62 attacks each.

600 ransomware attacks were recorded globally in March.

Ransomware attacks rose by 37% since last year.

CIOs experienced a 30% decline in their ransomware preparedness rating post-attack.

Pre-attack confidence among ransomware victims often doesn't reflect reality.

94% of energy firms are pushing to adopt AI-driven cybersecurity due to revenue losses and disruptions caused by ransomware and phishing.

The total value of ransomware payments fell in 2024.

The percentage of companies impacted by ransomware attacks has slightly declined from 75% to 69%.

There was a noticeable decrease in the median ransom amount paid.

For organisations without the proper IT and cybersecurity maturity, often SMBs, ransomware is present in 88% of breaches

A pre-defined “chain of command” was included in the ransomware playbook for 30% of organizations.

Ransomware is now present in 44% of breaches.