The average time between credentials being found and the reported ransomware attack was 2.5 weeks

The U.S. was the reported victim in 58% of ransomware posts.

Credentials for victims of the Play, Akira, and Rhysida ransomware groups were found on cybercrime marketplaces between 5 and 95 days prior to the reported attack.

Akira and RansomHub shared second place of most active threat group in March, with 62 attacks each.

Safepay was the third most active threat group in March, with 42 attacks.

Ransomware cases increased year-on-year by 46% in March.

Babuk2 was the most active threat group, responsible for 14% of all attacks in March. Babuk2 drove ransomware activity with 84 attacks in March. This represents a 37% increase for Babuk2 from January (61 attacks).

Global median dwell time was 5 days when adversaries notified (notably in ransomware cases).

Ransomware cases globally dipped by 32% in March (600 attacks) compared to February.

600 ransomware attacks were recorded globally in March.

A pre-defined “chain of command” was included in the ransomware playbook for 30% of organizations.

Of organizations that paid a ransom, 82% paid less than the initial ransom.

94% of energy firms are pushing to adopt AI-driven cybersecurity due to revenue losses and disruptions caused by ransomware and phishing.

The FBI received 3,156 complaints about ransomware in 2024 (versus 2,825 in 2023 and 2,385 in 2022).

Organizations that prioritize data resilience can recover from ransomware attacks up to seven times faster.

CISOs experienced a 15% drop in their ransomware preparedness rating post-attack.

36% of organizations affected by ransomware opted not to pay a ransom.

The total value of ransomware payments fell in 2024.

Of organizations that paid a ransom, 60% paid less than half of the initial ransom.

Less than half of organizations had key technical elements included in their ransomware playbook.