Ransomware Attacks Increased Globally As Cybercriminals Prioritize High-Value Targets – Report

Anti-Ransomware Day was established on May 12, 2020, by INTERPOL in collaboration with Kaspersky to commemorate the anniversary of the infamous WannaCry ransomware attack that occurred on May 12, 2017.

The purpose of Anti-Ransomware Day is to raise global awareness about the threats “posed by ransomware and to promote best practices for prevention and response.”

With International Anti-Ransomware Day approaching on May 12, Kaspersky releases its annual report on the “evolving global and regional ransomware cyberthreat landscape.”

According to Kaspersky Security Network data, the Middle East, APAC and other global regions are leading by the “share of users attacked by ransomware, with Latin America, CIS (Commonwealth of Independent States) and Europe trailing behind.”

Globally, from 2023 to 2024, the share of users “affected by ransomware attacks increased to 0.44% by 0.02 p.p.”

The seemingly small percentage is typical for ransomware and is explained by the fact that attackers often “don’t distribute this type of malware on a mass scale, but prioritize high-value targets, which reduces the overall number of incidents.”

In the Middle East and Asia-Pacific regions, ransomware affected “a higher share of users due to digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity.”

Enterprises in APAC were targeted, “driven by attacks on infrastructure and operational technology, especially in countries with growing economies and new data privacy laws.”

And as countries expand their digital economies, ransomware attacks are on the rise, “particularly in the manufacturing, financial and government sectors.”

Limited cybersecurity awareness and resources “leave many organizations vulnerable, though the smaller attack surface means the region remains behind global hotspots.”

Latin America also experiences ransomware attacks, “particularly in Brazil, Argentina, Chile and Mexico.”

Manufacturing, government, and agriculture, as well “as critical sectors such as energy and retail are targeted, but economic constraints and smaller ransoms deter some attackers.”

Despite this, the region’s growing digital adoption is “increasing exposure.”

The Commonwealth of Independent States sees “a smaller share of users encountering ransomware attacks.”

However, hacktivist groups such “as Head Mare, Twelve and others active in the region often use ransomware such as LockBit 3.0 to inflict damage on target organizations.”

Manufacturing, government and retail sectors “are the most targeted, with varying levels of cybersecurity maturity across the region affecting security.”

Europe is consistently targeted with ransomware but benefits from robust cybersecurity frameworks and regulations that deter some attackers.

Sectors such as manufacturing, agriculture, and education “are often targeted, but mature incident response and awareness limit the scale of attacks.”

The region’s diversified economies and strong defenses “make it less of a focal point for ransomware groups than regions with rapid, less secure digital growth.”

AI tools were increasingly used in ransomware development, as demonstrated by FunkSec, a ransomware group that “emerged in late 2024 and quickly gained notoriety by surpassing established groups like Cl0p and RansomHub with multiple victims claimed in December alone.”

Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec employs double extortion tactics — “combining data encryption with exfiltration — targeting sectors such as government, technology, finance, and education in Europe and Asia.”

The group’s heavy reliance on AI-assisted tools sets it apart, “with its ransomware featuring AI-generated code, complete with flawless comments, likely produced by Large Language Models (LLMs) to enhance development and evade detection.”

Unlike typical ransomware groups demanding millions, FunkSec “adopts a high-volume, low-cost approach with unusually low ransom demands, further highlighting its innovative use of AI to streamline operations.”

The RaaS (Ransomware-as-a-Service) model remains the “predominant framework for ransomware attacks, fueling their proliferation by lowering the technical barrier for cybercriminals.”

In 2024, RaaS platforms like RansomHub thrived “by offering malware, technical support and affiliate programs that split the ransom.”

This model enables less-skilled actors to execute “sophisticated attacks, contributing to the emergence of multiple new ransomware groups in 2024 alone.”

In 2025, ransomware is expected to evolve by “exploiting unconventional vulnerabilities, as demonstrated by the Akira gang’s use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks.”

Attackers are likely to increasingly target “overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalizing on the expanding attack surface created by interconnected systems.”

As organizations strengthen defenses, cybercriminals will refine their tactics, focusing “on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time.”

The proliferation of LLMs tailored for cybercrime will “amplify ransomware’s reach and impact.”

LLMs marketed on the dark web lower the barrier “to creating malicious code, phishing campaigns and social engineering attacks, allowing less skilled actors to craft convincing lures or automate ransomware deployment.”

As more concepts such as RPA (Robotic Process Automation) and LowCode, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are adopted by developers, we can expect ransomware devs to “use these tools to automate their attacks as well as new code development, making the threat of ransomware even more prevalent.”


