Ransomware in 2025: A Year of Record Attacks, Rising Costs, and Expanding Threat Actors

April 14, 2026

If 2024 signaled that ransomware was becoming a systemic threat, 2025 confirmed it. Over the course of the year, ransomware evolved into one of the most disruptive forces in the cyber landscape, affecting thousands of organizations and costing billions of dollars in damages. What distinguishes 2025 is not just the scale of attacks, but the speed, accessibility, and industrialization of ransomware operations.

In this blog we will review ransomware attacks in 2025 and how they have evolved.

Estimates of global ransomware attacks in 2025 ranged between roughly 7,400 and more than 9,000 incidents, a sharp increase of around 40–50 percent over the previous year. On average, attacks occurred at an almost continuous pace worldwide, with hundreds of organizations falling victim each month.

Victim counts followed a similar trajectory. In some datasets, more than 7,000 organizations were publicly identified as ransomware victims, while others tracked thousands more unreported or undisclosed incidents. Growth rates in victim numbers exceeded 50 percent year over year, and the final quarter of 2025 alone saw record-breaking figures.

What stands out is not just the volume, but the breadth. Ransomware was no longer reserved for high-value, carefully selected targets. Instead, it became a high-frequency, opportunistic threat—impacting organizations across every sector and size.

One of the characteristics of ransomware activity in 2025 was its focus on critical industries. Roughly half of all attacks targeted sectors that underpin modern economies, including manufacturing, healthcare, energy, transportation, and financial services. Manufacturing, in particular, emerged as the most frequently targeted industry, accounting for a significant share of global incidents.

When production lines halt, hospitals lose access to patient systems, or energy infrastructure is disrupted, the pressure to pay a ransom increases dramatically. Cybercriminals have become adept at identifying and exploiting this urgency.

At the same time, small and medium-sized businesses continued to bear a disproportionate share of attacks. With fewer resources to invest in cybersecurity and often relying on outdated systems, these organizations presented attractive, low-resistance targets. Ransomware groups no longer needed to focus exclusively on large enterprises to generate profit; scale alone could drive returns.

Geographically, the United States remained the epicenter of ransomware activity, accounting for roughly half of all recorded attacks. Thousands of incidents were reported across the country, with Europe as a whole and Canada also experiencing notable increases. This concentration reflects both the density of high-value targets and the interconnected nature of global supply chains.

While ransom payments themselves often make headlines, they represent only a fraction of the total economic impact. In 2025, global ransomware damages were estimated at tens of billions of dollars, with some projections placing the figure as high as $57 billion.

The average cost of a ransomware attack, including downtime, recovery, legal fees, and reputational damage, hovered around $5 million. Even when companies chose not to pay the ransom, recovery costs alone frequently exceeded $1 million.

Furthermore, a single attack could impact supply chains, disrupting thousands of dependent businesses. Industry analyses throughout 2025 consistently highlighted the systemic impact of ransomware events, particularly in manufacturing and industrial sectors.

The tactics used by ransomware groups in 2025 reflected a shift toward greater sophistication and efficiency. Double extortion became the standard model, with attackers not only encrypting data but also exfiltrating sensitive information and threatening to release it publicly. This ensured leverage even when victims had reliable backups.

In some cases, the data was not even encrypted, with victims being extorted purely on the basis of the risk posed by having their data exposed. This approach reduced operational complexity while maintaining high pressure on victims.

Artificial intelligence also played an increasingly important role. AI-driven phishing campaigns enabled attackers to craft highly convincing, personalized messages at scale, dramatically improving success rates. Automation allowed cybercriminals to launch and adapt attacks more quickly than ever before, compressing timelines and overwhelming traditional defenses. There were also early signs of AI being used to develop or utilize ransomware, which has been observed in early 2026.

Underlying all of this was the continued growth of ransomware-as-a-service (RaaS) platforms. These ecosystems provided tools, infrastructure, and support to affiliates, allowing even relatively inexperienced actors to carry out sophisticated attacks. As a result, the number of active ransomware groups expanded significantly, with well over a hundred groups operating throughout the year. DarkOwl monitors these leak sites so organizations can check whether any companies in their supply chain have been impacted.

In 2025, several groups stood out for their scale and impact. Qilin emerged as one of the fastest-growing ransomware-as-a-service operations, leveraging an affiliate model that enabled rapid expansion and a steady stream of attacks. Its accessibility made it particularly influential in lowering the barrier to entry for new cybercriminals.

Akira was another prominent group, targeting enterprises and critical infrastructure with a high volume of attacks.

RansomHub gained notoriety for sheer scale, reportedly linked to hundreds of victims across multiple sectors.

Meanwhile, Clop continued to execute large-scale campaigns, often exploiting vulnerabilities in widely used software to compromise multiple organizations simultaneously.

In addition to these established groups, 2025 saw the rise of more fluid, collaborative networks—sometimes described as “supergroups”—where actors shared tools, infrastructure, and intelligence. This blurred the lines between distinct organizations and made attribution more difficult.

Ransomware in 2025 was defined by scale, speed, and systemic impact. Attacks reached record levels, victims spanned every sector, and the financial consequences extended far beyond individual organizations. The rise of new groups, the maturation of existing groups, and the evolution of attack methods underscored a fundamental shift: ransomware is no longer a niche cyber threat but a core challenge for modern economies.

As organizations look ahead, the lessons of 2025 are clear. Defending against ransomware will require not only stronger technical controls but also a deeper understanding of the threat ecosystem, greater resilience in critical systems, and a willingness to adapt to an adversary that continues to evolve.

