Emerging countries in Middle-East, APAC and Africa draw more targeted ransomware attacks as they invest progressively on automation, with large scale deployments of IT and OT assets
As the International Anti-Ransomware Day draws closer, Kaspersky has come out with its annual report on the evolving global and regional ransomware cyberthreat landscape. According to the Kaspersky State of Ransomware Report 2025, the Middle-East, Asia-Pacific (APAC) and African regions are leading by the share of users attacked by ransomware, with Latin America, CIS (commonwealth of independent states) and Europe trailing behind.
In the Middle-East and APAC regions, ransomware affected a higher share of users due to rapid digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity. Enterprises in APAC were heavily targeted, driven by attacks on IT infrastructure and operational technology (OT), especially in countries with growing economies and new data privacy laws.
Ransomware is less prevalent in Africa due to lower levels of digitization and economic constraints, which reduce the number of high-value targets. However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are on the rise, particularly in the manufacturing, financial and government sectors. Limited cybersecurity awareness and resources leave many organizations vulnerable, though the smaller attack surface means the region remains behind global hotspots.
Latin America also experiences ransomware attacks, particularly in Brazil, Argentina, Chile and Mexico. Manufacturing, government, and agriculture, as well as critical sectors such as energy and retail are targeted, but economic constraints and smaller ransoms deter some attackers. Despite this, the region’s growing digital adoption is increasing exposure.
The towering reality on ransomware inflictions globally
The Commonwealth of Independent States sees a smaller share of users encountering ransomware attacks. However, hacktivist groups such as Head Mare, Twelve and others active in the region often use ransomware such as LockBit 3.0 to inflict damage on target organizations. Manufacturing, government and retail sectors are the most targeted, with varying levels of cybersecurity maturity across the region affecting security.
Europe is consistently targeted with ransomware but benefits from robust cybersecurity frameworks and regulations that deter some attackers. Sectors such as manufacturing, agriculture, and education are often targeted, but mature incident response and awareness limit the scale of attacks. The region’s diversified economies and strong defenses make it less of a focal point for ransomware groups than regions with rapid, less secure digital growth.
“Ransomware is one of the most pressing cybersecurity threats facing organizations today, with attackers targeting businesses of all sizes and across every region. In our report we highlight that there is a concerning shift toward exploiting overlooked entry points – including IoT devices, smart appliances, and misconfigured or outdated workplace hardware. These weak spots often go unmonitored, making them prime targets for cybercriminals. To stay secure, organizations need a layered defense – up-to-date systems, network segmentation, real-time monitoring, robust backups, and continuous user education. Building cyber awareness at every level is just as important as investing in the right technology,” opines Dmitry Galov, Head of Research Center for Russia & CIS at Kaspersky’s GReAT.
Emerging ransomware trends
This is a quite glaring reality that AI (artificial intelligence) tools were increasingly used in ransomware development, as demonstrated by FunkSec, a ransomware group that emerged in late 2024 and quickly gained notoriety by surpassing established groups like Cl0p and RansomHub with multiple victims claimed in December alone. Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec employs double extortion tactics – combining data encryption with exfiltration – targeting sectors such as government, technology, finance, and education in Europe and Asia.
The group’s heavy reliance on AI-assisted tools sets it apart, with its ransomware featuring AI-generated code, complete with flawless comments, likely produced by Large Language Models (LLMs) to enhance development and evade detection. Unlike typical ransomware groups demanding millions, FunkSec adopts a high-volume, low-cost approach with unusually low ransom demands, further highlighting its innovative use of AI to streamline operations.
The RaaS (Ransomware-as-a-Service) model remains the predominant framework for ransomware attacks, fueling their proliferation by lowering the technical barrier for cybercriminals. In 2024, RaaS platforms like RansomHub thrived by offering malware, technical support and affiliate programs that split the ransom. This model enables less-skilled actors to execute sophisticated attacks, contributing to the emergence of multiple new ransomware groups in 2024 alone.
In 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities, as demonstrated by the Akira gang’s use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalizing on the expanding attack surface created by interconnected systems. As organizations strengthen traditional defenses, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time.
The proliferation of LLMs (large language models) tailored for cybercrime will further amplify ransomware’s reach and impact. LLMs marketed on the dark web lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less skilled actors to craft highly convincing lures or automate ransomware deployment.
As more innovative concepts such as RPA (Robotic Process Automation) and LowCode, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are quickly adopted by software developers, we can expect ransomware developers to use these tools to automate their attacks as well as new code development, making the threat of ransomware even more prevalent.
The panacea: Courtesy by Kaspersky
Kaspersky encourages organizations to follow these best practices to safeguard from ransomware:
• Enable ransomware protection for all endpoints.
• Always keep software updated on all the devices one uses to prevent attackers from exploiting vulnerabilities and infiltrating your network.
• Focus on defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
• Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC (security operations centre) team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.
• Use the latest Threat Intelligence information to stay aware of the actual tactics, techniques, and procedures (TTPs) used by threat actors.
• To protect the company against a wide range of threats, use solutions that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry.
Qaisar
