Ransomware payments have seen a significant decline, dropping 33% from approximately $1.1 billion in 2023 to $734 million in the following year, according to a report from the Financial Crimes Enforcement Network. Despite this decrease, the number of ransomware attacks remains largely unchanged, with 1,476 incidents reported last year, a slight decrease of just 2% from 2023. Manufacturing, financial services, and healthcare sectors were the hardest hit, accounting for hundreds of incidents and substantial financial losses. The report identified 267 unique ransomware variants between 2022 and 2024, with the ALPHV/BlackCat variant being the most frequently reported. While the drop in payments is encouraging, experts caution that it is premature to declare a long-term trend in the fight against ransomware.
Researchers at Huntress have reported a staggering 700 percent increase in ransomware attacks targeting hypervisors. According to the security software vendor, the share of these attacks rose from just three percent in the first half of the year to 25 percent in the latter half, primarily driven by the Akira ransomware group. The report highlights that attackers are increasingly exploiting hypervisors, which are often poorly defended, to bypass traditional endpoint and network security measures.
Why do we care?
Here’s the trap everyone’s about to fall into.
They’ll see the payment numbers and say, “Good news — ransomware is declining.” And that’s exactly when they’ll get hit.
Attackers aren’t leaving the field. They’re moving upstream. Hypervisors are attractive because they undo years of incremental security investment in one move. EDR doesn’t help you when the host itself is owned. Network segmentation doesn’t matter if everything runs on the same compromised layer. And payments are down partly because victims are less able to pay, not because attackers are less effective — which means attackers must increase impact per incident.
And here’s the uncomfortable MSP reality: a hypervisor breach looks like your architecture decision, not the client’s mistake.
This matters now because many MSPs optimized for efficiency — shared hosts, centralized management, standardized stacks — without recalibrating for adversaries who understand that math.
The conversation can’t be “we stopped the ransom.” It has to be “how fast can we recover when the foundation collapses?”
The providers who survive the next phase aren’t the ones with the best detection stories. They’re the ones who planned for catastrophic but plausible failure — and priced their services accordingly.
That’s not fear-mongering. That’s reading the incentive structure of the attackers — and realizing it just changed.