// CYBERSECURITY · By Amanjot Singh · January 18, 2026

Ransomware in 2025: what has actually changed.

The numbers are uglier, the playbook is faster, the targets are smaller. If you run a Canadian SMB, this is the threat landscape — without vendor exaggeration.

The ransomware industry does not care whether you read security blogs. Their median target is a 25-employee business that had not thought about it. Here is what 2025 actually looks like, drawn from Statistics Canada's 2023 Canadian Survey of Cyber Security and Cybercrime, CIRA's 2024 Cybersecurity Survey, and Sophos' Active Adversary Reports.

The numbers, briefly

  • Statistics Canada CSCSC (released October 2024): 16% of Canadian businesses were impacted by cyber-security incidents in 2023 — down from 18% in 2021 and 21% in 2019.
  • CIRA 2024 Cybersecurity Survey: 44% of Canadian organisations experienced a cyber attack (attempted or successful) in the past 12 months. 28% reported a successful ransomware attack — up from 17% in 2021.
  • Of CIRA's ransomware victims: 79% paid the demand; 73% had data exfiltrated; typical ransom cost was at least $25,000.
  • Sophos 2025 Active Adversary Report (2024 data): Akira was the most-encountered ransomware group, followed by Fog and LockBit. Median dwell time across all cases dropped to 2 days.

What has changed since 2022

1. The attack chain has compressed

In Sophos' 2025 Active Adversary Report, attackers reach Active Directory in a median of 11 hours after initial access. The "we will find them on Monday morning" detection model no longer works. By Monday morning, encryption has already happened.

2. They log in, they do not break in

The 2025 Sophos Active Adversary Report headline: in 56% of MDR and IR cases, adversaries used valid accounts to gain initial access — they logged in instead of breaking in. Compromised credentials were the #1 root cause for the second year running (41% of cases), followed by exploited vulnerabilities (21.79%) and brute force (21.07%).

3. Double extortion is the default

73% of CIRA's ransomware victims had data exfiltrated. Modern ransomware crews exfiltrate first, encrypt second, and demand payment for the decryption key plus a separate payment to delete the stolen data. A pristine backup gets you operational; it does not stop the data-leak threat.

4. SMBs are the primary target

Big enterprise has hardened. Per CIRA's 2024 survey, public-sector and MUSH (municipalities, universities, schools, hospitals) sectors saw the highest rates of attempted attacks (58% and 55%), but private-sector rates remain at 41% and rising. The 25-person law firm is squarely in scope.

The playbook, today

A typical 2025 ransomware incident against a Canadian SMB looks like this:

  1. Initial access: phishing email with a credential-harvesting page, OR exploitation of an unpatched VPN/firewall, OR purchased credentials from an Initial Access Broker.
  2. Privilege escalation: attacker uses the credentials to reach domain admin, often within hours.
  3. Discovery and exfiltration: file shares mapped, sensitive data identified, 50–500 GB exfiltrated to attacker-controlled cloud storage.
  4. Backup destruction: attacker locates and deletes online backups before encryption begins. This is why immutability matters.
  5. Encryption: typically Friday evening or before a long weekend — Sophos found 83% of payloads dropped outside business hours.
  6. Extortion: ransom demand, plus a leak-site countdown for the exfiltrated data.
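A defender's view of that playbook, as an added example that is not from the original post: a small Python detector that maps constructed event lines to the stages above (off-hours logon, privilege escalation, backup deletion, bulk exfiltration) and then correlates them per account, because one off-hours logon is noise but one account hitting three stages on a Friday night is the incident. The log format, the business-hours window and the thresholds are assumptions.

```python
from datetime import datetime

# Constructed sample events in "timestamp|event|account|detail" form (not real logs).
# One account walks the playbook: off-hours logon, admin group add, backup
# deletion, then a bulk outbound transfer; j.doe is ordinary business-hours noise.
SAMPLE_EVENTS = """\
2025-05-09T14:12:00|LOGON|j.doe|workstation=WS-07
2025-05-09T22:41:00|LOGON|svc-backup|workstation=DC-01
2025-05-09T22:55:00|GROUP_ADD|svc-backup|group=Domain Admins
2025-05-09T23:10:00|FILE_DELETE|svc-backup|path=\\\\NAS01\\backups\\full-2025-05-08.vbk
2025-05-10T01:05:00|OUTBOUND|svc-backup|bytes=214748364800;dst=storage.example
2025-05-12T09:03:00|LOGON|j.doe|workstation=WS-07
""".strip().splitlines()

BUSINESS_HOURS = range(8, 18)            # assumption: 08:00-17:59, Monday to Friday
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
EXFIL_BYTES = 50 * 1024 ** 3             # 50 GB, the low end of the range in the post

def off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def detect(lines):
    """Map each event to a playbook stage; returns (stage, account, timestamp)."""
    alerts = []
    for line in lines:
        when, event, account, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        if event == "LOGON" and off_hours(datetime.fromisoformat(when)):
            # in production, restrict this to admin and service accounts
            alerts.append(("off-hours-logon", account, when))
        elif event == "GROUP_ADD" and fields["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privilege-escalation", account, when))
        elif event == "FILE_DELETE" and "\\backups\\" in fields["path"].lower():
            alerts.append(("backup-destruction", account, when))
        elif event == "OUTBOUND" and int(fields["bytes"]) >= EXFIL_BYTES:
            alerts.append(("bulk-exfiltration", account, when))
    return alerts

def suspects(alerts, min_stages=3):
    """Accounts seen in several distinct stages: the correlation that turns
    individually noisy alerts into a ransomware-chain signal worth a 2 AM page."""
    stages = {}
    for stage, account, _ in alerts:
        stages.setdefault(account, set()).add(stage)
    return sorted(a for a, seen in stages.items() if len(seen) >= min_stages)
```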

What actually works

1. MFA, everywhere, no exceptions

Microsoft's public telemetry has consistently shown MFA blocks over 99% of automated credential attacks. With 41% of Sophos' analysed cases caused by compromised credentials, MFA is the single highest-impact control available. Spend the first budget dollar here.

2. EDR with 24/7 monitoring (MDR)

The compressed attack chain means you cannot catch up Monday morning. EDR detects behaviourally; MDR ensures someone is watching at 2 AM Saturday. Per Sophos, MDR cases have median dwell times of 1 day for non-ransomware (vs. 11.5 days in IR-only cases).

3. Immutable backups

3-2-1-1: three copies, two media, one off-site, one immutable. Object-lock cloud storage or hardened on-prem repositories. The attacker with full domain admin still cannot delete or overwrite the immutable copy.

4. Patch internet-facing systems aggressively

Sophos' 2025 Active Adversary Report flags external remote services (firewalls, VPNs) as the dominant initial-access vector. The case studies highlight one company breached three times in 14 months via a vulnerable FortiGate VPN running 14-year-old firmware. Treat critical CVEs on internet-facing systems as same-week.

5. Email gateway in front of M365

EOP/Defender catches the obvious. A dedicated gateway closes the gap on AI-generated, payload-less social engineering. With DMARC enforcement, you also stop attackers from sending spoofed mail as you to your customers.
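To make the DMARC enforcement point concrete, here is an added Python example (not the post's or 4UIT's code) that parses a DMARC TXT record and reports whether it actually blocks spoofing: p=none, pct below 100 or sp=none each leave a gap that a "we have DMARC" answer hides. The sample records are constructed.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(record):
    """Return (enforcing, reason) for one DMARC record, applying the practical
    test: p (and sp for subdomains) must be quarantine or reject at pct=100."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        return False, f"p={policy or 'missing'} only monitors; spoofed mail is still delivered"
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p per RFC 7489
    if sub_policy not in ENFORCING:
        return False, f"sp={sub_policy} leaves subdomains spoofable"
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return False, f"pct={pct}: only {pct}% of failing mail is acted on"
    if "rua" not in tags:
        return True, f"p={policy} enforced, but no rua address so you get no aggregate reports"
    return True, f"p={policy} enforced"

# Constructed records covering the common half-finished states
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial-rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
```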

6. A tested incident-response runbook

83% of CIRA-surveyed organisations have an IR plan; 67% have used it in the last 12 months. Documentation alone is not enough — drill it.

The most effective dollar in 2025 SMB cybersecurity is spent on the boring controls: MFA, EDR+MDR, immutable backup, patching, email gateway, written IR plan. None of it is exciting. All of it works.

How 4UIT approaches this

We deploy the controls above as a stack — MFA, Sophos Intercept X EDR, Sophos MDR, immutable backup with monthly restore drills, monthly patching with same-week critical-CVE handling, email gateway. For most Ottawa SMBs the all-in cost is meaningfully less than a single ransomware incident's self-insurance. Take a brief to talk specifics.

Sources: CIRA 2024 Cybersecurity Survey · CIRA 2025 Cybersecurity Survey · Statistics Canada CSCSC 2023 · Sophos 2025 Active Adversary Report.

// Frequently asked questions

How many Canadian businesses are hit by ransomware?

Per CIRA's 2024 Cybersecurity Survey, 44% of Canadian organisations experienced a cyber attack in the past 12 months. 28% of cyber-security decision-makers reported their organisation had been the victim of a successful ransomware attack — up from 17% in 2021. Of those, 79% paid the ransom; 73% had data exfiltrated.

How fast does a ransomware attack now unfold?

Per Sophos' 2025 Active Adversary Report, attackers reach Active Directory in a median of 11 hours after initial access. Median dwell time across all 2024 cases was just 2 days, and 83% of ransomware payloads were dropped outside business hours — meaning automated attacks frequently complete overnight before any business-hours team can respond.

What is the most common entry point for ransomware?

Per Sophos' 2025 Active Adversary Report (analysing 2024 cases), 56% of attackers gained initial access by exploiting external remote services and using valid accounts — meaning they logged in rather than broke in. Compromised credentials were the #1 root cause for the second year running, at 41% of cases.

Does paying the ransom recover the data?

Sometimes; not reliably. CIRA's 2024 Cybersecurity Survey reported that 79% of Canadian ransomware victims paid the demand, with typical costs of at least $25,000. But 73% had data exfiltrated, meaning even successful decryption does not stop the data-leak threat. Modern ransomware is double-extortion by default.

What single control reduces ransomware risk the most?

Multi-factor authentication. With Sophos' 2025 Active Adversary Report finding compromised credentials caused 41% of incidents, MFA is the highest-leverage control. Microsoft's public telemetry has consistently shown MFA blocks over 99% of automated credential attacks. Highest-impact, lowest-cost control available.
