2025’s Top Ransomware Threats & Trends

Summary

– The year 2025 saw fewer major ransomware takedown operations compared to 2024, but less organized hacker collectives like Scattered Spider gained significant attention.
– Traditional ransomware syndicates remained highly active, with 306 groups reportedly operating and claiming 7,902 victims, a notable increase from previous years.
– The reported victim statistics, sourced from ransomware groups’ own data leak sites, may not fully reflect reality due to unreported attacks and false claims.
– The Qilin ransomware group was the most prolific based on these listings, claiming responsibility for over 1,000 attacks including one on Asahi.
– According to tracking sites, the Akira and Clop groups ranked as the second and third most active ransomware operations by claimed victims.

While the past year saw a notable decline in high-profile law enforcement actions against ransomware groups compared to 2024, the threat landscape itself grew more severe. The total number of victims publicly claimed by ransomware syndicates surged dramatically, indicating a shift in tactics rather than a reduction in criminal activity. This trend underscores a critical reality: despite fewer major takedowns, ransomware remains a pervasive and escalating danger to organizations worldwide.

Beyond the statistics, the year’s narrative was also shaped by less structured but highly disruptive collectives. Groups like Scattered Spider, Lapsus$, and ShinyHunters frequently dominated cybersecurity headlines with their aggressive operations. Yet, traditional, well-established ransomware cartels maintained relentless pressure, proving that both old and new threats demand constant vigilance.

Data from the ransomware monitoring site Ransomware.live reveals the alarming scale. Over the last twelve months, 306 distinct ransomware groups were active, publicly listing a staggering 7,902 victims. This figure marks a sharp increase from the 6,129 victims listed in 2024 and 5,336 in 2023, painting a clear picture of an expanding criminal ecosystem. It is crucial to interpret these numbers with caution, however. They originate solely from data posted on ransomware gangs’ own leak sites. The true scope of attacks is likely even larger, as many incidents are never reported or detected, and some group claims are later proven fraudulent.

Leading the pack in claimed attacks was the Qilin ransomware operation. This group, which took responsibility for a major cyber-attack on brewing titan Asahi in September, was listed as the most prolific actor. Ransomware.live data shows Qilin claimed 1,001 victims on its leak site, a count largely corroborated by the competing intelligence service RansomLook, which recorded 973. Following Qilin, both tracking services identified the Akira ransomware gang as holding second place for the number of victims claimed. The notorious Clop syndicate rounded out the top three, maintaining its position as a dominant and persistent threat to global networks.

(Source: InfoSecurity Magazine)
