Major Ransomware Trends and High-Profile Attacks in 2025
Ransomware activity surged in 2025 despite significant law enforcement actions against major ransomware-as-a-service (RaaS) groups, with new groups quickly filling the void and victim numbers reaching record highs. Data from RansomLook.io and Ransomware.live showed a sharp increase in claimed ransomware victims, with global numbers rising from approximately 5,400 in 2023 to over 8,000 in 2025. Attackers increasingly relied on social engineering rather than technical exploits, and the impact of ransomware was felt across all sectors, including retail, education, government, and healthcare. Notable incidents included coordinated campaigns against major UK retailers and disruptive attacks on organizations such as Coupang, University of Phoenix, and the NHS’s technology provider DXC Technology.
The year’s most significant attacks demonstrated the systemic and cross-sector nature of modern cyber risk, with attackers exploiting third-party dependencies and identity weaknesses to maximize disruption. High-profile breaches led to operational outages, data exposure, and substantial financial and reputational damage, as seen in the case of Marks & Spencer, which suffered a dramatic drop in profits following a ransomware campaign attributed to the Scattered Spider group. These incidents have prompted organizations to reassess their incident response strategies, invest in ransomware readiness, and strengthen supply chain security as they prepare for evolving threats in 2026.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Social engineering becomes a primary ransomware access vector
By 2025, reporting emphasized that social engineering had overtaken technical exploitation as a leading initial access method in ransomware operations. Attackers increasingly used tactics such as phone-based credential theft to compromise organizations.
UNFI attack disrupts food supply chain operations
UNFI was reported as suffering a cyber incident in 2025 that disrupted food supply chain operations. The case illustrated how attacks on critical logistics and distribution providers can create broad downstream effects.
Iran's Bank Sepah data theft attributed to Codebreakers
Bank Sepah in Iran suffered a mass record theft in 2025 that was attributed to a group identified as Codebreakers. The incident was included among the year's major high-impact cyber events.
Allianz Life suffers third-party CRM data exposure
In 2025, Allianz Life was identified as affected by a third-party CRM-related exposure. The incident was cited as another example of the growing risk from external service providers and SaaS dependencies.
SalesLoft-Salesforce OAuth supply-chain breach exposes customer data
A large-scale 2025 supply-chain incident involving SalesLoft OAuth integrations with Salesforce enabled access to multiple customer environments. The breach exposed millions of records at TransUnion and was linked to ShinyHunters, with overlaps to Scattered Spider activity.
St. Paul ransomware attack triggers emergency response
A ransomware attack on St. Paul, Minnesota in 2025 led to a state of emergency. The response required federal assistance and support from the National Guard's cyber capabilities.
Collins Aerospace vMUSE attack disrupts 20+ European airports
A ransomware compromise of Collins Aerospace's vMUSE airport platform disrupted operations at more than 20 European airports in 2025. The incident underscored the operational risk posed by attacks on shared aviation technology providers.
Jaguar Land Rover breached in supply-chain ransomware attack
A high-impact attack in 2025 affected Jaguar Land Rover and was attributed to the loosely affiliated Scattered Lapsus$ Hunters collective. Reporting described the incident as a supply-chain-driven ransomware event that caused significant economic damage.
Scattered Spider-linked attacks hit UK retailers including Marks & Spencer
Integrity360 reported coordinated ransomware activity against UK retailers in 2025, including Marks & Spencer, and linked it to Scattered Spider. The attacks highlighted the role of third-party access and software weaknesses in enabling disruption.
Law enforcement disrupts several major ransomware groups in 2025
During 2025, authorities carried out arrests and takedowns targeting major ransomware operations. Groups including RansomHub, 8Base, and Hunters International were reported to have ceased operations, often under law enforcement pressure.
Ransomware victim counts rise sharply from 2023 to 2025
Data cited from RansomLook.io and Ransomware.live showed claimed ransomware victims increased by roughly 53% to 63% between 2023 and 2025. The number of active ransomware groups also grew over the same period, indicating a broader expansion of the ecosystem.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
The State of Ransomware in the U.S.: Report and Statistics 2025
emsisoft.com
Open sourceDec 2025: Biggest Cyber Attacks, Ransomware Attacks and Data Breaches
cm-alliance.com
Open sourceThe biggest cyber attacks of 2025 and what they mean for 2026
insights.integrity360.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Global Surge in Ransomware Attacks and Their Impact on Organizations
Ransomware attacks have reached unprecedented levels globally, with the third quarter of 2025 witnessing a 36% year-over-year increase in publicly disclosed incidents, according to BlackFog’s latest report. The total number of ransomware attacks reported in this period climbed to 270, marking a 335% rise since Q3 2020. These attacks have caused significant operational disruptions across various sectors, including airlines, automotive manufacturers, governments, and organizations in 93 countries. Notable incidents include grounded aircraft, stranded passengers, and manufacturers such as Jaguar Land Rover being forced to halt production, with some operations only recently resuming after prolonged outages. The impact of ransomware extends beyond large enterprises, severely affecting small businesses that often lack the resources and security infrastructure to defend against such threats. Many small business owners have reported devastating financial consequences, with some losing nearly all their savings and seeing their businesses shrink dramatically. The attack on the UK nursery chain Kido in September 2025 highlighted the evolving tactics of ransomware groups, as sensitive data on children, parents, and carers was exfiltrated, raising concerns about the targeting of vulnerable sectors. Ransomware operators are increasingly indiscriminate, targeting organizations of all sizes and types, and seeking leverage through data theft and extortion. The psychological and financial toll on victims is profound, with individuals and organizations facing long-term recovery challenges. Research indicates that small businesses are particularly vulnerable, often lacking dedicated IT security staff, legal support, or sufficient cash reserves to weather the aftermath of an attack. The stress and adversity experienced by victims underscore the need for robust data protection and incident response strategies. Experts emphasize that the best defense is to make it as difficult as possible for cybercriminals to succeed, focusing on data protection to reduce the incentive for extortion. The continued upward trend in ransomware volumes signals an urgent need for organizations to reassess their security postures and invest in preventive measures. The widespread and lasting impact of these attacks demonstrates that ransomware remains one of the most significant threats to global business continuity and data security. Organizations are urged to prioritize anti-data exfiltration technologies and comprehensive incident response planning. The evolving threat landscape requires constant vigilance and adaptation to new attacker tactics. The experiences of both large enterprises and small businesses illustrate the far-reaching consequences of ransomware, from operational shutdowns to personal financial ruin. As attackers become more aggressive and sophisticated, the imperative for proactive defense and resilience has never been greater.
Mar 21, 2026
Ransomware Surge and Ecosystem Fragmentation in 2025
Ransomware attacks in 2025 have escalated both in volume and sophistication, with a 34%-50% increase in incidents compared to the previous year and over 4,700 confirmed attacks globally between January and September. The ransomware ecosystem has become highly fragmented following law enforcement actions against major groups like LockBit and ALPHV/BlackCat, resulting in the emergence of 45 new groups and a record 85 active extortion operations. Attackers have adopted advanced tactics such as double and triple extortion, AI-driven phishing, and exploitation of cloud and operational technology, with critical infrastructure sectors—manufacturing, healthcare, energy, transportation, and finance—bearing the brunt of these attacks. Despite the surge in attacks, ransom payment rates have dropped to historic lows, forcing threat actors to adapt their business models and extortion strategies. The operational landscape has also been shaped by shifting alliances and rebranding efforts among ransomware groups. Notably, the alleged alliance between Qilin, DragonForce, and LockBit has not led to a consolidation of power but rather continued the trend of ecosystem fragmentation. Analysis of data leak site activity post-alliance announcement shows no significant operational recovery for LockBit, despite renewed branding and the release of a new malware version. These developments underscore the resilience and adaptability of ransomware actors, as well as the ongoing challenges faced by defenders in tracking and mitigating the impact of increasingly decentralized and sophisticated ransomware operations.
May 11, 2026
Ransomware Threat Landscape and Ecosystem Evolution in 2025
Ransomware in 2025 has evolved into a highly organized and profit-driven cybercrime ecosystem, with threat actors leveraging Ransomware-as-a-Service (RaaS), initial access brokers, and advanced extortion strategies. Attack volumes have reached record highs, with over 4,700 confirmed incidents through September and a notable increase in targeting of critical infrastructure, healthcare, and manufacturing sectors. The landscape is now fragmented among more than 85 active groups, and while victim disclosures have increased, ransom payments have dropped significantly as organizations improve their resilience and recovery capabilities. Attackers are increasingly using supply-chain compromises, zero-day exploits, and living-off-the-land techniques, making ransomware a persistent and adaptive threat. The underground infrastructure supporting ransomware operations has also matured, with dark web forums like RAMP serving as central hubs for collaboration, recruitment, and intelligence sharing among major ransomware groups such as LockBit, DragonForce, and Medusa. These forums facilitate the rapid dissemination of new ransomware variants and operational tactics, contributing to the ecosystem's agility. Meanwhile, specific ransomware families like HardBit 4.0 continue to innovate, employing sophisticated techniques such as brute-forcing RDP/SMB services and using legacy malware like Neshta as droppers to evade detection and maintain persistence, underscoring the technical advancement and adaptability of modern ransomware campaigns.
Mar 21, 2026