Ransomware spreads faster, not smarter

The fall of two of the most dominant ransomware syndicates, LockBit and AlphV, triggered a power vacuum across the cybercriminal landscape, acccording to a Black Kite survey.

In their place, dozens of new actors emerged, many of them lacking the infrastructure, discipline, or credibility of their predecessors. The result was a surge in attack volume, a decline in coordination, and growing unpredictability in how, where, and why attacks occur.

Ransomware landscape shift

The number of publicly disclosed ransomware victims reached 6,046 in 2025, marking a 24% increase compared to 4,893 in the previous year. This represents a significant rise from 2023, when the figure stood at 2,708—more than doubling over the span of just two years.

The number of ransomware groups making public disclosures rose from 61 in 2023 to 96 in 2025.

Monthly victim disclosures fluctuated throughout the year but remained consistently high, with only two months seeing a drop below 400 incidents. The most active period was February 2025, which saw a 817 victims, largely driven by Cl0p’s mass exploitation of Cleo vulnerabilities.

The United States continues to be ransomware’s most targeted geography—by a wide margin. This year, 3,141 US-based organizations were publicly named as victims, up from 2,293 the year before. That’s a 37% increase year over year, and it accounts for 54% of all known global ransomware disclosures.

Ransomware actors didn’t just go after large targets, they went after strategic ones. For the second consecutive year, the top three most targeted industries were manufacturing (1,314 victims), professional, scientific, and technical services (1,040 victims), and healthcare and social assistance (434 victims).

Ransomware groups are no longer just targeting “big game”. While headlines continue to spotlight attacks on large enterprises, the data tells a different story: SMBs have become the core targets.

This year, only 11% of the known ransomware victims had an annual revenue over $100 million, a notable drop from 26% the previous year. For companies with revenue over $1 billion, the decline is just as sharp: from 8% in 2024 to 3.2% in 2025. This strategy also aligns with a broader pattern: avoiding targets that escalate consequences.

Most victims now refuse to pay ransom

In 2024, the average ransom demand rose to $4.32 million, and the highest known demand reached $70 million.

According to multiple industry sources, average ransom payments fell by as much as 35%, and fewer victims are paying. Coveware reports that just 25% of organizations paid a ransom, and among those hit with data exfiltration-only attacks, 41% paid, still far from a majority.

Without the polished negotiation portals and “customer service” tactics of legacy players, smaller, less sophisticated operators skip the negotiation phase entirely, demanding what they can and hoping to get anything at all.

Ransomware becomes primary attack vector in third-party breaches

Ransomware was the most common known attack vector in third-party breaches, accounting for 66.7% of all analyzed incidents with clear attribution. These attacks are rarely isolated. One breach spreads through Nth-party connections, causing delays, inventory disruptions, and patient care issues across the ecosystem.

What once resembled a corporate structure is now a chaotic market. The Ransomware-as-a-Service (RaaS) model, previously centralized and selective, has unraveled into an open bazaar. Pre-packaged kits are now available for purchase, allowing even low-skill actors to launch attacks with minimal effort.

RansomHub closed out 2024 at the top, disclosing 736 victims. With strong operational discipline and stable leadership, it quickly filled the void left by LockBit and AlphV.

The ransomware landscape is particularly vulnerable to AI’s influence, enabling attackers to design more convincing schemes and execute more efficient operations. Al can also power target selection, analyzing vast amounts of data to pinpoint the most vulnerable and profitable victims.