Major Ransomware Trends and High-Profile Attacks in 2025
Ransomware activity surged in 2025 despite significant law enforcement actions against major ransomware-as-a-service (RaaS) groups, with new groups quickly filling the void and victim numbers reaching record highs. Data from RansomLook.io and Ransomware.live showed a sharp increase in claimed ransomware victims, with global numbers rising from approximately 5,400 in 2023 to over 8,000 in 2025. Attackers increasingly relied on social engineering rather than technical exploits, and the impact of ransomware was felt across all sectors, including retail, education, government, and healthcare. Notable incidents included coordinated campaigns against major UK retailers and disruptive attacks on organizations such as Coupang, University of Phoenix, and the NHS’s technology provider DXC Technology.
The year’s most significant attacks demonstrated the systemic and cross-sector nature of modern cyber risk, with attackers exploiting third-party dependencies and identity weaknesses to maximize disruption. High-profile breaches led to operational outages, data exposure, and substantial financial and reputational damage, as seen in the case of Marks & Spencer, which suffered a dramatic drop in profits following a ransomware campaign attributed to the Scattered Spider group. These incidents have prompted organizations to reassess their incident response strategies, invest in ransomware readiness, and strengthen supply chain security as they prepare for evolving threats in 2026.
Sources
Related Stories
Global Surge in Ransomware Attacks and Their Impact on Organizations
Ransomware attacks have reached unprecedented levels globally, with the third quarter of 2025 witnessing a 36% year-over-year increase in publicly disclosed incidents, according to BlackFog’s latest report. The total number of ransomware attacks reported in this period climbed to 270, marking a 335% rise since Q3 2020. These attacks have caused significant operational disruptions across various sectors, including airlines, automotive manufacturers, governments, and organizations in 93 countries. Notable incidents include grounded aircraft, stranded passengers, and manufacturers such as Jaguar Land Rover being forced to halt production, with some operations only recently resuming after prolonged outages. The impact of ransomware extends beyond large enterprises, severely affecting small businesses that often lack the resources and security infrastructure to defend against such threats. Many small business owners have reported devastating financial consequences, with some losing nearly all their savings and seeing their businesses shrink dramatically. The attack on the UK nursery chain Kido in September 2025 highlighted the evolving tactics of ransomware groups, as sensitive data on children, parents, and carers was exfiltrated, raising concerns about the targeting of vulnerable sectors. Ransomware operators are increasingly indiscriminate, targeting organizations of all sizes and types, and seeking leverage through data theft and extortion. The psychological and financial toll on victims is profound, with individuals and organizations facing long-term recovery challenges. Research indicates that small businesses are particularly vulnerable, often lacking dedicated IT security staff, legal support, or sufficient cash reserves to weather the aftermath of an attack. The stress and adversity experienced by victims underscore the need for robust data protection and incident response strategies. Experts emphasize that the best defense is to make it as difficult as possible for cybercriminals to succeed, focusing on data protection to reduce the incentive for extortion. The continued upward trend in ransomware volumes signals an urgent need for organizations to reassess their security postures and invest in preventive measures. The widespread and lasting impact of these attacks demonstrates that ransomware remains one of the most significant threats to global business continuity and data security. Organizations are urged to prioritize anti-data exfiltration technologies and comprehensive incident response planning. The evolving threat landscape requires constant vigilance and adaptation to new attacker tactics. The experiences of both large enterprises and small businesses illustrate the far-reaching consequences of ransomware, from operational shutdowns to personal financial ruin. As attackers become more aggressive and sophisticated, the imperative for proactive defense and resilience has never been greater.
5 months agoRansomware Surge and Ecosystem Fragmentation in 2025
Ransomware attacks in 2025 have escalated both in volume and sophistication, with a 34%-50% increase in incidents compared to the previous year and over 4,700 confirmed attacks globally between January and September. The ransomware ecosystem has become highly fragmented following law enforcement actions against major groups like LockBit and ALPHV/BlackCat, resulting in the emergence of 45 new groups and a record 85 active extortion operations. Attackers have adopted advanced tactics such as double and triple extortion, AI-driven phishing, and exploitation of cloud and operational technology, with critical infrastructure sectors—manufacturing, healthcare, energy, transportation, and finance—bearing the brunt of these attacks. Despite the surge in attacks, ransom payment rates have dropped to historic lows, forcing threat actors to adapt their business models and extortion strategies. The operational landscape has also been shaped by shifting alliances and rebranding efforts among ransomware groups. Notably, the alleged alliance between Qilin, DragonForce, and LockBit has not led to a consolidation of power but rather continued the trend of ecosystem fragmentation. Analysis of data leak site activity post-alliance announcement shows no significant operational recovery for LockBit, despite renewed branding and the release of a new malware version. These developments underscore the resilience and adaptability of ransomware actors, as well as the ongoing challenges faced by defenders in tracking and mitigating the impact of increasingly decentralized and sophisticated ransomware operations.
2 months agoRansomware Threat Landscape and Ecosystem Evolution in 2025
Ransomware in 2025 has evolved into a highly organized and profit-driven cybercrime ecosystem, with threat actors leveraging Ransomware-as-a-Service (RaaS), initial access brokers, and advanced extortion strategies. Attack volumes have reached record highs, with over 4,700 confirmed incidents through September and a notable increase in targeting of critical infrastructure, healthcare, and manufacturing sectors. The landscape is now fragmented among more than 85 active groups, and while victim disclosures have increased, ransom payments have dropped significantly as organizations improve their resilience and recovery capabilities. Attackers are increasingly using supply-chain compromises, zero-day exploits, and living-off-the-land techniques, making ransomware a persistent and adaptive threat. The underground infrastructure supporting ransomware operations has also matured, with dark web forums like RAMP serving as central hubs for collaboration, recruitment, and intelligence sharing among major ransomware groups such as LockBit, DragonForce, and Medusa. These forums facilitate the rapid dissemination of new ransomware variants and operational tactics, contributing to the ecosystem's agility. Meanwhile, specific ransomware families like HardBit 4.0 continue to innovate, employing sophisticated techniques such as brute-forcing RDP/SMB services and using legacy malware like Neshta as droppers to evade detection and maintain persistence, underscoring the technical advancement and adaptability of modern ransomware campaigns.
2 months ago