Organizations overestimate their ransomware readiness in the face of

Table of Contents

Executive Summary
Top Three Takeaways
Ransomware Reality Check
The AI Arms Race
The Economics of Ransomware: When Payments Don't Pay Off
Building True Ransomware Readiness
Conclusion
Appendix: Survey Methodology

Executive Summary

Artificial intelligence has redefined the ransomware battlefield as adversaries explore new AI-driven methods and hone their techniques. Many organizations think they are prepared to

CrowdStrike surveyed 1,100 IT and cybersecurity decision-makers across Australia, France, Germany, India, Singapore, United Kingdom, and United States to ask how they assess their ransomware readiness and navigate the evolving ransomware landscape, including the emergence

Of the organizations surveyed, 78% reported experiencing a ransomware attack within the past year. Of those, half believed they were “very well prepared” for ransomware, but fewer than a

This is the confidence illusion: Organizations overestimate their ransomware preparedness as adversaries become more sophisticated in their use of AI-powered tactics. The threat landscape

The findings reveal clear security gaps. As adversaries harness the power of AI advancements and run their operations like an enterprise business, organizations should be aware that the confidence they have in their ransomware readiness may not match their actual security posture. Those

Top 3

1. Most organizations are not as ready as they think.
Despite perceived preparedness, 78% of respondents were hit by ransomware in the preceding 12 months. Only 22% of victims that felt “well-prepared” beforehand recovered within 24 hours, and just 38%

2. The AI arms race favors speed. Attackers are winning.
As adversaries automate intrusion and social engineering, defenders struggle to keep pace: 76% of respondents said it’s getting harder to be fully prepared, and nearly half fear that they can’t detect or

3. Ransom payments aren’t paying off.
Payment offers no safety net: 83% of paying victims were attacked again, and 93% had data stolen anyway. Backups proved unreliable

Ransomware Reality Check

Report a growing disconnect between how leadership perceives their ransomware readiness and

The Leadership Disconnect

A staggering 76% of organizations report a growing disconnect between how leadership and the security team perceive their ransomware readiness.

More than half (54%) of board members and C-level executives believe their organizations are “very prepared” to face ransomware, compared to 46% of security teams. This disparity is particularly concerning because

The disconnect hampers effective security investment. When leadership overestimates capabilities, they may resist requests for additional security resources or fail to prioritize critical improvements. Building readiness

Regional Variations in Preparedness

In the United States, the largest survey base, 51% of respondents believed they were very well prepared for a

European organizations show a different pattern: Though they were less likely to rate themselves as “very prepared,” they achieved faster recovery times overall. U.K. organizations led recovery performance, with 35% recovering within 24 hours, despite only 47% rating themselves as very prepared. Among

This conservative self-assessment contrasts sharply with both the United States and Singapore. In Singapore, 58% of respondents believed they were very well prepared, but

Readiness Across Sectors

Certain industries show concerning gaps between confidence and capability:

Public sector organizations, where 60% of respondents said they are very well prepared, demonstrate the poorest recovery performance.
Only 12% recovered within 24 hours, and 42% suffered significant disruption. This disconnect is troubling given

Manufacturing and production organizations similarly show high confidence, with 58% saying they are very well prepared, but they also had poor recovery performance: 12% recovered in the same day, and 40% had significant disruption. The

Common Ransomware Attack Vectors

Phishing was cited by 45% of victims as the initial point of compromise, making it the leading access vector for ransomware. Despite 92% of organizations believing their employees are well

Reported a phishing email allowed the attacker access during their latest

Other frequently cited entry points include vulnerability exploits (40%), supply chain compromise (35%), compromised credentials (33%), malicious downloads (32%), misuse of remote monitoring and management (RMM) tools (31%), and insider threats (27%). Though human error is the most

Adversaries are increasingly exploiting RMM tools such as RDP and AnyDesk to gain covert access, maintain persistence, and deploy ransomware without raising immediate suspicion. Nearly one in three organizations (31%) that suffered a ransomware attack reported RMM tools as the attacker’s

Have seen a measurable increase in phishing and/or credential theft incidents they suspec