Average ransom demands climb to $3.5M as Middle East emerges as a key target for advanced ransomware campaigns
Ransomware has entered a new phase of evolution, and enterprises in the Middle East are at the center of its escalating threat landscape. According to Halcyon’s Ransomware Malicious Quartile Q2-2025, the average ransom demand has surged to $3.5 million, with nearly half of victims paying under pressure despite negotiations. Energy, government, and financial sectors in the Gulf have become prime targets, underscoring the region’s growing vulnerability.
“Ransomware has evolved into a systemic risk — attackers are moving faster and smarter.”
— Ray Kafity, VP, India, Middle East, Turkey & Africa, Halcyon
Halcyon’s research identifies four key tactical shifts shaping ransomware in Q2 2025:
- BYOVD (Bring Your Own Vulnerable Driver) Security Bypass – Groups like DragonForce exploit old, vulnerable drivers to disable kernel-level defenses, neutralizing endpoint security tools.
- VMware ESXi Attacks – Custom payloads from gangs such as Qilin and Medusa strike virtualization platforms, crippling entire data centers in one move.
- Remote “Living-off-the-Land” Abuse – Attackers weaponize Remote Monitoring and Management (RMM) tools, blending with legitimate traffic to evade detection.
- Credential Harvesting at Scale – Groups including Akira and DevMan scoop up thousands of saved browser credentials, enabling rapid lateral movement.
“The findings make one thing clear: ransomware has evolved into a systemic risk,” said Ray Kafity, VP, India, Middle East, Turkey & Africa, Halcyon. “No organization can rely solely on traditional cyber defense tools. Resilience, not prevention alone, is now the defining factor for survival.”
As ransomware operators refine their playbooks, security leaders face a pressing reality: the battle is no longer just about blocking intrusions — it is about sustaining resilience against inevitable breaches.