Ransomware Lives On, Blending Hacktivism and Crime, Fueled by AI
2026-4-13 06:57:10 Author: securityboulevard.com

Double extortion is bad enough—that’s the current tactic favored by ransomware groups—but the emerging quadruple extortion promises to further complicate mitigation and response by targeted organizations, prompting an escalation in extortion payments.  

Yet that’s just one piece of evidence that ransomware continues to evolve despite high-profile takedowns by law enforcement: the groups simply reincarnate or rebrand as new groups, new research by Akamai shows. Of course, the biggest game-changer is GenAI, as RaaS operators like Black Basta and FunkSec press LLMs into service to generate code, to greatly improve the social engineering techniques that give bad actors a foot in the door, and to scale up attacks, opening the door for even less sophisticated actors to execute damaging attacks.

“Ransomware groups continue to seek additional ways to generate profit, such as by pressuring victims and weaponizing compliance,” researchers at Akamai note in their Ransomware Report 2025.

Noting that ransomware tactics have moved “away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods,” Nathaniel Jones, vice president, security and AI strategy and field CISO at Darktrace, says, “rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.” 

Their efforts are paying off, with groups in 2025 extorting more than $724 million in cryptocurrency using TrickBot malware family strains, popular among ransomware operators.  

“Criminals have established a scalable business model, and we expect to see ransomware attack volume to continue growing,” says Trey Ford, chief strategy and trust officer at Bugcrowd.  

“We also need to keep in mind that there will be a gap in reported incidents versus total ransomware incidents,” says Ford.  

One of the most dramatic shifts in the threat landscape, though, is the rise of hybrid ransomware hacktivist groups blending political and ideological motives with criminal intent. Those groups spent last year leveraging RaaS platforms like CyberVolk, Dragon RaaS, KillSec, Stormous and DragonForce to amp up the impact of their attacks.

The hacktivist groups Head Mare, Twelve and NullBulge often use LockBit ransomware (built from leaked or publicly available builders) for political disruption. NullBulge specifically uses it to target online communities and platforms that operate with AI and online gaming tools.

“The growth of RaaS marketplaces places greater opportunity on the side of threat actors who no longer must extract ransom payments to see profit, as they can use subscription models to return revenue for their ransomware development and deployment,” says Jones.  

The report also found that the goals and strategies of cryptominers align with those of ransomware groups: almost 50% of the cryptomining attacks analyzed “targeted nonprofit and educational organizations, likely because they possess substantial computational resources and are less secure than other industries,” the researchers said.

Defenders must act accordingly. 

“Larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology), mitigating exposure to this attack pattern; it is still an unsolved space,” says Ford. 

And James Maude, field CTO at BeyondTrust, says that “to effectively deal with ransomware and other threats, we need to invest in shifting left and think more about securing identities and access to reduce our attack surface and blast radius in the event of compromise rather than just thinking post breach.” 

Ransomware and other threats, he contends, “are only as effective as the privileges and access they manage to acquire, so if we can implement better hygiene and focus on least privilege, then the threat actors are far less likely to ransomware us in the first place.” 

Article source: https://securityboulevard.com/2026/04/ransomware-lives-on-blending-hacktivism-and-crime-fueled-by-ai/