Ransomware cases up 49% in H1 2025
Ransomware attacks have surged globally in the first half of 2025, exposing the growing scale and sophistication of organised cybercrime. Experts warn that, far from being amateur operations, many ransomware groups now operate like corporations, recruiting skilled professionals and deploying advanced tactics to infiltrate critical systems.
Data from threat exposure firm NordStellar shows ransomware cases rose by 49% in the first six months of 2025 compared to the same period last year. While the United States remains the most targeted country, cybercriminal activity is increasingly affecting businesses in other regions, including the Middle East and Africa.
Regional experts say the Gulf’s rapid digital transformation and expanding cloud adoption may widen the attack surface for such threats if defences lag.
Vakaris Noreika, a cybersecurity researcher at NordStellar, says over 60 ransomware groups are currently active out of more than 200 known to law enforcement and intelligence agencies. Many of these groups are highly selective in their recruitment.
“These groups are mostly looking for top talent in cybersecurity — their requirements tend to consist of wanting an individual with an experienced background in specific fields and a proven track record,” he says.
Recruitment methods include private invitations and rigorous screening to prevent infiltration by law enforcement. Some groups refuse to work with outsiders altogether.
Noreika warns that public misconceptions persist about who is behind ransomware operations. While popular belief still links attacks to lone actors or opportunistic hackers, the reality is increasingly corporate.
“Ransomware groups are organised crime, and it’s extremely dangerous to underestimate how equipped they are to carry out their attacks,” he says. “They function like a corporation, with different individuals assigned to specific tasks so that the operation runs smoothly.”
This structure includes training programmes, defined roles, and even insider access. In some cases, employees at targeted organisations may collaborate with attackers or be used to bypass internal security.
Another trend is the rise of ransomware-as-a-service (RaaS), which allows individuals with less technical expertise to lease tools from more advanced groups. “With RaaS, ransomware can scale even more exponentially, allowing more individuals to carry out ransomware attacks and maximising the ransomware group’s profits,” says Noreika.
In the Middle East, concerns are growing over attacks targeting critical infrastructure. Although the majority of confirmed breaches in the region have not been disclosed publicly, analysts note a rise in attempts against energy, healthcare, and logistics networks.
“Companies in the healthcare sector cannot afford any downtime, and losing access to patient medical records can sometimes literally be a matter of life or death,” says Noreika. He adds that such vulnerabilities make hospitals more likely to pay ransom demands quickly. Similarly, manufacturers working on just-in-time production lines face significant losses from even brief disruptions.
Globally, the financial impact of ransomware has escalated. According to data from Chainalysis, victims paid over $1.1 billion in ransoms in 2024, up from $567 million in 2022. With attacks rising further this year, that figure is expected to climb again.
Noreika points out that outdated systems, weak authentication practices, and unpatched vulnerabilities remain common entry points. He says many organisations are still relying on passwords alone, which can be compromised through leaked credentials on the dark web.
“Ransomware groups operate with meticulous organisation and expertise, making any security gap a dangerous liability,” he says.
He stresses that raising employee awareness through training can significantly reduce the risk of user error, such as clicking phishing links or sharing credentials. Organisations should also invest in continuous monitoring and improve the detection of threats before they escalate into breaches.
In the UAE and across the GCC, authorities have called for tighter collaboration between private firms and government agencies to improve cyber readiness. With Dubai hosting global tech conferences and Abu Dhabi developing AI hubs, analysts say the region could become both a target and a leader in cyber defence innovation — if investment in resilience keeps pace with digital growth.
Image: An emerging trend is the rise of RaaS, which allows individuals with less technical expertise to lease tools from more advanced groups. Credit: Sora Shimazaki









