Ransomware is no longer fought with checkbooks. This is the main conclusion of Veeam's “Ransomware Trends of 2024 and 2025” reports, which show a clear shift in the way organizations in Europe, the Middle East and Africa (EMEA) handle attacks: they are paying criminals less and less.

However, the 22 % decrease in ransoms paid should not be interpreted as a decline of the threat, but as a change in defense strategy and in the very nature of the attacks.

More recovery, fewer ransomware payments

The main conclusion is that paying is no longer synonymous with recovering the systems. In 2023, 54 % of the companies that yielded to extortion managed to access their data again. A year later, only 32 % succeeded, which reflects the low reliability of criminals. In parallel, companies have strengthened their contingency plans: while in 2023 only 14 % managed to restore information without negotiating, in 2024 that percentage rose to 30 %.

“Since attackers continue to use unreliable methods to return data and organizations are improving their recovery capabilities, it is not surprising that we are observing a decrease in the number of ransoms paid. But that does not mean that the threat of ransomware has disappeared,” says Tim Pfaelzer, senior vice president and general director for EMEA at Veeam.

The executive also warns that cybercriminals no longer depend only on encryption: “We are seeing some abandon ransomware completely and instead steal data to extort directly or to sell it on the black market. Payments may decrease, but that does not mean that the attacks will be reduced.”

European regulations and pending resilience

The regulatory tightening from Brussels, with frameworks such as NIS2 or DORA in the financial sector, is pushing organizations to better shield their infrastructure. However, progress is uneven. The study reveals that only 37 % of companies in EMEA have alternative systems ready to operate in case of attack. That implies that 63 % still depend on the main network, leaving them exposed to outages of several weeks until it is completely cleaned.

The economic consequences of such inactivity are devastating: recent research estimates that business interruption can exceed one million euros per hour in large companies, figures that are unsustainable even for leading players in their sectors.

“It is clear that organizations have placed recovery at the center of their data resilience, which is a step in the right direction. But there is still much to do,” Pfaelzer added. In his opinion, alternative infrastructure and robust backups are the basis for “completely eliminating the need to pay ransoms” and guaranteeing lasting improvements in digital protection.

The role of police operations

Another factor adds to this picture: the impact of international operations against criminal groups. The dismantling of LockBit, one of the most active ransomware groups, has weakened the attackers, although it has not eradicated them. According to Veeam, these actions have an immediate deterrent effect, but organizations cannot afford to become complacent.

Experts agree that the future of business cybersecurity depends on a combination of three elements: regulatory compliance, investment in technological resilience and international cooperation to neutralize criminal networks. Without that triad, the reduction in ransoms paid may prove to be a temporary mirage.

The lesson for companies

The change in trend is clear: it is no longer enough to wait for insurance to cover the ransom or to trust that the attackers will keep their word. Data resilience is becoming the strategic axis of modern organizations. Those that implement contingency plans, encrypted backups and alternative architectures will have a better chance of maintaining their activity without falling into the payment trap.