How We Measure. What We Claim.

Elastio publishes three numbers: 48,000+ ransomware threats stopped, 4,000+ malware artifacts intercepted, and zero ransoms paid. This page explains what each number means, how it is counted, and what it does not include.

The Numbers

What each number represents

Each entry covers: what counts, what does not count, and what the number does not claim.

48,000+Ransomware threats stopped
What counts

Distinct ransomware artifacts detected by the Hunt Engine across all customer environments, calendar year 2025. A detection is logged when any model in the ensemble exceeds the confidence threshold.

What does not count

The same artifact found across multiple snapshots of the same source asset. Deduplication key: source asset + artifact hash. One payload across 30 snapshots counts as one detection.

Context

'Stopped' means detected before recovery was attempted from that data. The threat was identified and the recovery point flagged before it could be restored into a production environment.

4,000+Malware artifacts intercepted
What counts

Distinct non-ransomware malware artifacts found inside backup data, cloud storage, and replicated volumes. Includes trojans, backdoors, rootkits, and cryptominers. Reported separately because detection outcomes differ from ransomware.

What does not count

Ransomware artifacts, which are counted above. Duplicates across snapshots of the same source asset.

Context

These artifacts were undetected by endpoint protection and backup vendor scanning. They had survived replication cycles and backup rotations. Without detection at the data layer, they would have been restored into a production environment during recovery.

ZeroRansoms paid
What counts

Direct operational record from customer engagements and IR support. In every ransomware event where Elastio was running, the Hunt Engine had already identified the last known clean recovery point before detonation.

What does not count

A claim that Elastio customers were never targeted. Several were. This records recovery outcome only.

Context

Elastio provides IR support as part of every subscription. Records are maintained for every incident where Elastio data was used in a recovery decision. This number will be updated immediately if it ceases to be true.

Limitations

What these numbers do not claim

Security vendor numbers should be interrogated. Here is where ours stop.

We do not claim 100% detection

No detection system does. Models are updated continuously as new ransomware families emerge. The ensemble is not static.

We do not claim to prevent ransomware from entering environments

The Hunt Engine operates on data at rest. Prevention belongs to EDR, firewalls, and identity controls. Elastio's role begins when those controls fail.

We do not inflate with duplicate detections

Industry vendors often count the same threat found across multiple locations or time periods as separate incidents. Elastio deduplicates by source asset and artifact hash. These numbers are conservative.

Methodology changes will be disclosed

Numbers are updated annually. If the methodology changes, Elastio will disclose the change and restate prior numbers under the new methodology.

Elastio

See the full 2025 Threat Report

Threat actor profiles, attack trends, and a quarterly incident timeline. Reach us at galigiannis@elastio.com.

2025 Threat ReportAll Research