Home > Security > Security News

Ransomware Attacks Surged 58% in 2025, New Report Finds

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Ransomware Actor
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • Unprecedented Growth: Observed ransomware victims increased by 58% year-over-year in 2025, with a record-breaking 124 distinct threat groups tracked.
  • Dominant Threat Groups: Qilin and Akira emerged as the most prolific ransomware groups, filling the void left by the disruption of former leaders like LockBit and Alphv.
  • Most Impacted Sectors: The Manufacturing industry was the most targeted sector, accounting for 14% of all observed victims, followed by technology, retail, and healthcare.

A new report on 2026 ransomware trends reveals a dramatic escalation in cyber extortion activity, with the number of publicly posted victims surging by 58% year-over-year in 2025. The GRIT 2026 Ransomware & Cyber Threat Report documents a record 7,515 victims claimed by 124 distinct threat groups, indicating a significant expansion and adaptation of this ecosystem. 

Despite law enforcement disruptions in 2024, former mid-tier groups such as Qilin and Akira have risen to prominence, absorbing affiliates and increasing their operational tempo to become the year's most impactful attackers. Q4 2025 shattered all previous records for the highest number of victims observed in a single quarter.

Analysis of Ransomware Industry Impact

The cyber threat report highlights that the manufacturing sector remains the primary target for ransomware gangs, with 1,060 publicly claimed victims. The technology, retail and wholesale, and healthcare industries also remained top targets, demonstrating their high value to attackers due to their operational sensitivity and the sensitive data they hold. 

2025 ransomware victims posted publicly | Source: GuidePoint Security
2025 ransomware victims posted publicly | Source: GuidePoint Security

The report said that the most impactful ransomware groups last year were:

GuidePoint assesses that Qilin’s growth in 2025 “was likely fueled in part by affiliates who migrated to Qilin” after the alleged April shutdown of former major RaaS player, RansomHub.

The report also notes a significant 132% year-over-year (YoY) increase in attacks targeting the legal industry, underscoring the growing risk to sectors that manage highly sensitive client information. Geographically, the United States remains the most affected nation, accounting for over 55% of all observed victims. 

Democratization of advanced techniques and the operationalization of artificial intelligence (AI) dominated the ransomware landscape, which was also marked by the widespread adoption of Bring Your Own Vulnerable Driver (BYOVD) attacks and the measured integration of AI into attack chains.

Key Vulnerabilities and Cybersecurity Insights

The most damaging campaigns in 2025 stemmed from the exploitation of zero-day and critical vulnerabilities in internet-facing enterprise software and perimeter devices. Established groups like Qilin and Akira demonstrated sophisticated capabilities by exploiting these flaws to gain initial access. 

The report also shows a dramatic 82.5% YoY increase in new vulnerabilities added to the Known Exploited Vulnerabilities (KEV) catalog in the first quarter of 2025. 

While law enforcement disruptions have reshaped the RaaS ecosystem, group fragmentation is driving new patterns of high-volume, repeatable operations, pushing overall activity to record-breaking levels,” said Jason Baker, Lead Threat Analyst at GuidePoint Security. 

Baker recommends that organizations focus on well-resourced defenders, proactive vulnerability management, and real-time threat intelligence for mitigating risk in the year ahead.

Last month, security researchers discovered that Shanya Packer-as-a-Service (VX Crypt) powers modern Akira, Qilin, and Medusa ransomware attacks. Among Qilin’s latest victim claims is the City of Santa Paula, which disrupted government services.

Add a Comment
Related
Confused Hackers - Reading - Dictionary
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Hacker - Phishing - Skull - Data
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
Most Popular
Confused Hackers - Reading - Dictionary
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Hacker - Phishing - Skull - Data
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API

Most Popular
Confused Hackers - Reading - Dictionary
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Hacker - Phishing - Skull - Data
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: