
Ransomware surged in 2025: Where next in 2026?

Companies in the U.S. remained the primary targets, with 3,255 recorded ransomware cases in 2025 (a 28% increase from 2,544 incidents in 2024).

On the so-called dark web, providers of ransomware services and support pitch their products openly - Copyright AFP Stefano Rellandini

The number of ransomware incidents in 2025 rose substantially compared to 2024, marking a 45% increase in attacks. In 2025, 9,251 ransomware cases were exposed on the dark web. These represent the latest findings from NordStellar, a threat exposure management platform.

Ransomware attacks also reached their highest level in two years in the last quarter of 2025, with attackers exploiting end-of-year vulnerabilities. December set a two-year record, with a substantial 1,004 recorded incidents.

In terms of where these threats were directed, small and medium-sized manufacturers in the U.S. bore the brunt of the attacks, especially those operating in the general manufacturing industry as well as machinery manufacturers and companies operating in the appliances, electrical, and electronics manufacturing industry.

In terms of origins, the ransomware group Qilin carried out the most ransomware attacks in 2025, followed by Akira and Cl0p leaks.

“In the last quarter of 2025, ransomware groups deliberately exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring,” explains Vakaris Noreika, cybersecurity expert at NordStellar, to Digital Journal. “However, there has been an upward trajectory the whole year. Ransomware actors are growing increasingly aggressive — given the surge in 2025, the number of ransomware incidents in 2026 is likely to exceed 12,000.”

According to Noreika, the number of ransomware groups has also been increasing. The recorded ransomware incidents in 2025 could be traced back to 134 different groups — a 30% increase from the 103 groups linked to recorded ransomware incidents in 2024.

SMBs in the US were affected the most

Companies in the U.S. remained the primary targets, with 3,255 recorded ransomware cases in 2025 (a 28% increase from 2,544 incidents in 2024), accounting for 64% of all cases. The US was followed by Canada with 352 cases (a 46% increase from 2024), then Germany with 270 cases (a 97% increase), the United Kingdom with 233 cases (a 2% increase), and France with 155 cases (a 46% increase).

Small and medium-sized businesses (SMBs) with up to 200 employees and revenues up to $25 million experienced the most ransomware attacks. This data aligns with the findings from 2024, which showed that SMBs accounted for the majority of incidents.

“SMBs are attractive targets for ransomware attacks because they often lack security staff and tools and operate within limited cybersecurity budgets — all of which are essential to safeguard their systems,” adds Noreika. “Smaller organizations are also more likely to rely on outdated software, have limited security monitoring, and rely on external vendors for IT support. Consequently, when attacked, they’re more likely to pay ransoms quickly to avoid business disruptions, which is why ransomware groups keep targeting them.”

The most-targeted ransomware-victim company profile in 2025

As in 2024, companies in the manufacturing industry continued to bear the brunt of ransomware attacks, with 1,156 incidents in 2025 (a 32% increase from the previous year), accounting for 19.3% of all cases (a 0.3% increase from 2024).

The manufacturing industry was followed by the IT industry, with 524 recorded cases (a 35% increase from 2024), professional, scientific, and technical services (494 incidents, a 30% increase), the construction industry (443 incidents, a 24% increase), and healthcare, with 339 attacks (a 6% decrease from 2024).

SMBs (those with up to 200 employees and $25M in revenue) operating in the general manufacturing industry were the most targeted. They were followed by other smaller businesses operating in the machinery manufacturing sector (10% of all attacks on the manufacturing industry), and SMBs operating in the appliances, electrical, and electronics manufacturing sector, accounting for 9.9% of all ransomware attacks on the manufacturing industry.

The ransomware group landscape: Qilin takes the lead

Data further reveals that the ransomware group Qilin carried out the most attacks in 2025, with 1,066 cases (a 408% increase compared to 2024). It was followed closely by Akira, with 947 recorded ransomware cases (a 125% increase), then the re-emerged Cl0p leaks (594 cases, a 525% increase), the relatively new, rapidly growing ransomware threat actor Safepay (464 cases, a 775% increase), and INC ransom, with 442 recorded cases (an 83% increase compared to 2024).

Incidents peak, but targets remain the same: What’s next?

To increase resilience against ransomware attacks, Noreika advises companies to strengthen their basic security hygiene. This includes updating and patching systems and applications, using multifactor authentication, implementing password management policies, and enforcing the zero trust framework to prevent malware from spreading laterally.

“For early threat prevention and detection, intelligence is key — it enables businesses to patch critical vulnerabilities and detect indicators of compromise as soon as possible,” says Noreika. “Data leaked onto the dark web may expose credentials or sensitive details that attackers can exploit to gain unauthorized access. An early alert enables organizations to reset passwords, revoke access keys, disable compromised accounts, and support faster incident response.”

Noreika also explains that having a ransomware incident-response plan is crucial for reducing the scope of damage from an attack as soon as possible. He also emphasizes the importance of having a recovery plan as well as backing up critical data to minimize operational downtime.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
