By Esteban Sardanyés on Mar 30, 2026 10:00:00 AM
The 2024–2025 period has consolidated ransomware as one of the most critical and high-impact cyberattacks for businesses worldwide. Its relevance is reflected not only in the volume of incidents, but also in its ability to cause significant operational disruptions and substantial financial losses.
Attacks have evolved from relatively homogeneous mass campaigns to highly targeted, customized, and automated operations, supported by artificial intelligence and Ransomware-as-a-Service (RaaS) models. This has increased their sophistication and rendered traditional defense approaches insufficient.
Situation in Spain and Recent Trends
Spain remains among the countries most affected by ransomware, both in terms of the number of attacks and their complexity. Between 2024 and 2025, incidents increased significantly, far exceeding the European average and reflecting a shift toward more targeted and strategic operations.
- It ranks 2nd globally in ransomware detections, accounting for nearly 5% of the global total.
- Between 2024 and 2025, attacks increased from 62 to 134, a year-over-year growth of over 116%, well above the European average.
- It is among the top 15 most targeted countries, representing approximately 2% of all global attacks.
This increase reflects a qualitative shift: cybercriminals are prioritizing data-driven extortion over traditional encryption, driving double and triple extortion strategies. Data leaks increased by 70%, with exfiltration volumes rising by 92% compared to the previous year.
Artificial Intelligence and Ransomware
AI is already part of the most sophisticated attacks, enhancing automation and precision. Today, attacks not only encrypt systems, but also identify critical data and maximize economic and operational impact.
- 1 in 6 breaches involved AI, mainly in advanced phishing (37%) and deepfakes (35%).
- The first ransomware with local generative AI (gpt-oss:20b) was capable of generating dynamic scripts, deciding which data to encrypt or exfiltrate, and operating across Windows, Linux, and macOS, enabling highly targeted and pure extortion attacks.
Economic and Operational Impact
Ransomware continues to generate significant losses, both from ransom payments and from recovery costs and business disruption.
- Average global ransom payment: $1 million in 2025, following a peak of $2 million in 2024.
- Average recovery cost per incident: $2.73 million in 2024, with improved recovery times in 2025 (53% of incidents are resolved within ≤1 week).
- Average global breach cost: $4.44 million in 2025, with ransomware/extortion incidents exceeding $5.08 million.
Spanish Landscape
According to INCIBE, 97,348 incidents were handled in 2024, of which 357 were ransomware-related. The most affected sectors were manufacturing, technology, healthcare, retail, and finance, while among essential operators, transportation (24.6%) and the financial-tax system (23.8%) stand out.
Ransomware in Spain highlights the need for advanced prevention strategies, robust backups, continuous monitoring, and rapid response plans, as well as collaboration with cybersecurity specialists to reduce exposure and ensure business continuity.
Want to learn more?
At ESED, we have developed a detailed report: Ransomware Cyberattacks Summary 2025. It provides a comprehensive analysis with data and specific defense strategies for businesses, covering the state of ransomware attacks both globally and in Spain. Download the full report in the banner below.
Summary: Overview and evolution of phishing 2024–2025
Summary: Overview of cyberattacks 2024-2025
.png?width=262&height=150&name=accio-10-negre%20(1).png)
