New research from NordStellar reveals that ransomware attacks increased by 45% in 2025, with 9,251 cases recorded on dark web leak sites compared to 6,395 in 2024. The ransomware ecosystem expanded to 134 active groups—a 30% increase—and attacks are projected to exceed 12,000 in 2026.
Key statistics
| Metric | 2024 | 2025 | Change |
|---|---|---|---|
| Total incidents | 6,395 | 9,251 | +45% |
| Active groups | 103 | 134 | +30% |
| US incidents | 2,544 | 3,255 | +28% |
| December record | — | 1,004 | Two-year high |
NordStellar monitors over 200 ransomware group blogs to track incidents.
Year-over-year trend
| Year | Incidents | YoY change |
|---|---|---|
| 2023 | ~4,400 | — |
| 2024 | 6,395 | +45% |
| 2025 | 9,251 | +45% |
| 2026 (projected) | 12,000+ | +30%+ |
The ransomware ecosystem has maintained approximately 45% annual growth for two consecutive years.
Q4 2025 surge
December 2025 closed the year with 1,004 incidents, the highest monthly total of the past two years.
Quarterly breakdown
| Quarter | 2025 Incidents | Trend |
|---|---|---|
| Q1 | ~2,000 | Baseline |
| Q2 | ~2,200 | Steady |
| Q3 | ~2,400 | Increasing |
| Q4 | ~2,651 | Surge (includes the December record) |
Why Q4 surged
“Ransomware groups deliberately exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring.”
— Vakaris Noreika, NordStellar cybersecurity expert
| Factor | Attacker advantage |
|---|---|
| Skeleton crews | Fewer staff monitoring systems |
| Holiday distractions | Reduced vigilance |
| IT freezes | Change moratoriums delay response |
| Year-end pressure | Business urgency to restore operations |
| Vacation schedules | Key personnel unavailable |
The timing is deliberate: attackers know that detection and response capacity thins out during skeleton-crew periods, and they schedule intrusions and detonations accordingly.
Top ransomware groups
| Rank | Group | 2025 Incidents | YoY Change | Notes |
|---|---|---|---|---|
| 1 | Qilin | 1,066 | +408% | Russia-linked RaaS |
| 2 | Akira | 947 | +125% | Aggressive expansion |
| 3 | Cl0p | 594 | +525% | File transfer exploitation |
| 4 | Safepay | 464 | +775% | New entrant surge |
| 5 | INC Ransom | 442 | +83% | Steady growth |
Qilin’s dominance
| Attribute | Details |
|---|---|
| Incidents | 1,066 (11.5% of total) |
| Growth | 408% year-over-year |
| Affiliation | Russia-linked |
| Model | Ransomware-as-a-Service |
| Affiliate payouts | Competitive rates |
| Specialization | Double extortion |
Qilin's 408% increase is driven by affiliate recruitment: it runs a mature RaaS platform and uses competitive payout rates to attract affiliates, so the incident count reflects many operators working under one brand rather than one team's output.
Cl0p’s resurgence
| Factor | Impact |
|---|---|
| MOVEit aftermath | Continued victim discovery |
| New file transfer campaigns | Fresh vulnerability exploitation |
| Mass exploitation model | High volume, automated attacks |
| Growth rate | 525% year-over-year |
The 525% increase was driven largely by mass exploitation of file transfer vulnerabilities (MOVEit aftermath and new campaigns).
Safepay emergence
| Metric | Value |
|---|---|
| 2025 incidents | 464 |
| Growth | 775% |
| Status | Relatively new entrant |
Safepay’s 775% growth represents the most dramatic expansion of any group, demonstrating how quickly new ransomware operations can scale.
Geographic distribution
| Country | 2025 Cases | YoY Change | % of Global |
|---|---|---|---|
| United States | 3,255 | +28% | 35% |
| Canada | ~370 | +46% | 4% |
| France | ~340 | +46% | 4% |
| UK | ~300 | — | 3% |
| Germany | 270 | +97% | 3% |
US dominance factors
| Factor | Impact |
|---|---|
| Higher reporting rates | More visibility in leak data |
| Wealthy targets | Higher ransom potential |
| Insurance coverage | Payment capability |
| Large attack surface | More organizations exposed |
US organizations account for approximately 35% of all recorded ransomware cases globally—though this may reflect higher reporting rates and leak site visibility rather than proportionally more attacks.
Germany surge
Germany’s 97% increase represents the largest growth among major economies, potentially reflecting:
| Factor | Contribution |
|---|---|
| Manufacturing targeting | Strong industrial base |
| SMB vulnerability | Mittelstand companies |
| Increased reporting | Better visibility |
Most targeted industries
| Industry | 2025 Incidents | YoY Change | Share |
|---|---|---|---|
| Manufacturing | 1,156 | +32% | 19.3% |
| IT Services | 524 | — | 8.7% |
| Professional/Scientific/Technical | 494 | — | 8.2% |
| Construction | 443 | — | 7.4% |
| Healthcare | 339 | — | 5.6% |
The share column does not use the 9,251 global total as its denominator (1,156 of 9,251 is 12.5%); the figures are consistent with a base of roughly 6,000 incidents, presumably those for which the victim's industry could be classified. Compare industries against each other using this column, not against the country figures above.
Manufacturing leadership
| Factor | Attacker benefit |
|---|---|
| Intellectual property | Valuable trade secrets |
| Operational dependence | Production disruption pressure |
| OT/IT convergence | Expanded attack surface |
| Security investment gaps | Lower maturity than finance/tech |
| Supply chain pressure | Downstream customer impact |
Manufacturing leads for the second consecutive year. The sector combines valuable intellectual property, operational technology dependencies, and often weaker security programs compared to financial services or tech.
Manufacturing sub-sectors
| Sub-sector | Target profile |
|---|---|
| General manufacturing | Broad targeting |
| Machinery | High-value equipment data |
| Electronics/electrical | IP theft potential |
SMB targeting
Small and medium-sized businesses (up to 200 employees, revenues up to $25 million) experienced the most attacks, consistent with 2024 findings.
Why SMBs are preferred targets
| Factor | Attacker Benefit |
|---|---|
| Valuable data | Customer records, IP, financial data |
| Limited security | Smaller security teams, fewer tools |
| Payment likelihood | Operational pressure to restore quickly |
| Backup gaps | May lack robust recovery capabilities |
| Insurance limits | Pressure to pay vs. prolonged downtime |
“Cybercriminals prioritize choosing targets that offer the biggest payoff for the least amount of effort, and SMBs in the manufacturing industry fit this perfectly — they generate enough revenue to pay large ransoms but usually don’t have the capacity to implement strong security measures or fast recovery options.”
— Vakaris Noreika, NordStellar
SMB vs Enterprise comparison
| Factor | SMB | Enterprise |
|---|---|---|
| Security budget | Limited | Substantial |
| Dedicated security team | Rare | Standard |
| Backup sophistication | Basic | Advanced |
| Recovery time | Longer | Shorter |
| Payment pressure | Higher | Lower |
Tactic shift: Encryption-less extortion
NordStellar highlights a significant evolution in ransomware tactics:
“Many attacks no longer involve encryption. Instead, attackers quietly exfiltrate sensitive data over weeks or months, then extort victims long after the initial breach.”
Traditional vs encryption-less comparison
| Aspect | Traditional ransomware | Encryption-less extortion |
|---|---|---|
| Encryption | Yes | No |
| Detection | Mass file rewrites and ransom notes trigger alerts | Exfiltration blends into normal outbound traffic; harder to detect |
| Backup protection | Restores availability | Irrelevant; the stolen copy is the leverage |
| Dwell time | Bounded by the encryption event, which ends the attacker's stealth | Weeks or months; nothing forces the attacker to act |
| Data theft | Sometimes (double extortion) | Always |
| Leverage | Pay to regain access | Pay to prevent publication |
Benefits for attackers
| Advantage | Impact |
|---|---|
| Evades detection | No encryption activity to trigger alerts |
| Backup-proof | Victims can’t just restore from backup |
| Reduced complexity | No encryption payload needed |
| Longer dwell time | More complete data theft |
| Persistent leverage | Threat of leak remains indefinitely |
2026 projections
“Ransomware actors are growing increasingly aggressive—given the surge in 2025, the number of ransomware incidents in 2026 is likely to exceed 12,000.”
| Scenario | 2026 projection |
|---|---|
| Conservative (+20%) | ~11,100 incidents |
| Expected (+30%) | ~12,000 incidents |
| Aggressive (+45%) | ~13,400 incidents |
This would represent another 30%+ increase, continuing the acceleration trend.
Recommendations
Detection focus
| Control | Purpose |
|---|---|
| Data Loss Prevention (DLP) | Detect unusual data transfers |
| Lateral movement monitoring | Catch attackers before exfiltration |
| Network segmentation | Limit attacker reach |
| Behavioral analytics | Identify anomalous access patterns |
| EDR/XDR | Endpoint-level threat detection |
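The encryption-less model described above and the detection controls in this table come down to one question: can you see data leaving a host at a rate, or to a place, that is abnormal for that host? The following is an added example written for this page, not NordStellar's code or tooling. It scores constructed flow summaries against each host's own baseline with two rules: a one-day burst rule for smash-and-grab exfiltration, and a cumulative rule for traffic to destinations the host had never contacted, which is what catches the weeks-long trickle the page describes. Host names, IP addresses, thresholds and byte counts are all constructed for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000
BASELINE_DAYS = range(1, 6)   # days 1-5 establish each host's normal egress
EVAL_DAYS = range(6, 9)       # days 6-8 are scored against that baseline
BURST_FLOOR = 100 * MB        # minimum absolute excess before a daily total is a burst
NEW_DEST_FLOOR = 30 * MB      # cumulative bytes to a never-seen destination worth an alert

# Constructed sample flow summaries, not real telemetry: (day, src_host, dst_ip, bytes_out).
# In practice these come from NetFlow, firewall or proxy logs aggregated per host/destination/day.
FLOWS = (
    [(d, "fileserver01", "203.0.113.10", (40 + d % 3) * MB) for d in range(1, 9)]   # routine SaaS sync
    + [(d, "fileserver01", "203.0.113.11", 5 * MB) for d in range(1, 9)]
    + [(d, "ws-eng-12", "203.0.113.10", (20 + d % 2) * MB) for d in range(1, 9)]
    # Burst: 2 GB to a never-seen host on day 8 (smash-and-grab exfiltration).
    + [(8, "fileserver01", "198.51.100.77", 2_000 * MB)]
    # Low-and-slow: 15 MB/day to a never-seen host, each day far below any burst threshold.
    + [(d, "ws-eng-12", "198.51.100.80", 15 * MB) for d in range(6, 9)]
)


def daily_totals(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def baseline(flows):
    """Per host: (mean daily bytes, population stdev, destinations seen) over BASELINE_DAYS."""
    totals = daily_totals(f for f in flows if f[0] in BASELINE_DAYS)
    per_host = defaultdict(list)
    for (host, _day), nbytes in totals.items():
        per_host[host].append(nbytes)
    dests = defaultdict(set)
    for day, host, dst, _n in flows:
        if day in BASELINE_DAYS:
            dests[host].add(dst)
    return {h: (mean(v), pstdev(v), dests[h]) for h, v in per_host.items()}


def detect(flows):
    """Return alerts: ('burst', host, day, bytes) or ('new_destination', host, dst, bytes).

    Hosts with no baseline (new machines) are skipped here; in production they
    need their own rule, because an attacker-staged VM has no history either.
    """
    norms = baseline(flows)
    alerts = []
    # Rule 1: a single day's volume far above the host's own norm. The floor stops
    # a quiet host with near-zero variance from alerting on a few extra megabytes.
    for (host, day), nbytes in sorted(daily_totals(flows).items()):
        if day not in EVAL_DAYS or host not in norms:
            continue
        avg, sd, _seen = norms[host]
        if nbytes > avg + max(3 * sd, BURST_FLOOR):
            alerts.append(("burst", host, day, nbytes))
    # Rule 2: cumulative volume to a destination the host never talked to during the
    # baseline. This is the rule that catches exfiltration spread over weeks.
    to_new = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if day in EVAL_DAYS and host in norms and dst not in norms[host][2]:
            to_new[(host, dst)] += nbytes
    for (host, dst), nbytes in sorted(to_new.items()):
        if nbytes > NEW_DEST_FLOOR:
            alerts.append(("new_destination", host, dst, nbytes))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

The two rules are deliberately independent: the burst rule alone would miss ws-eng-12, whose daily totals never leave its normal range, while the new-destination rule alone would be noisy on hosts that legitimately contact many endpoints. Tune the floors per asset class, and treat file servers and backup hosts, which hold the data a leak-site post is built from, as the tightest tier.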
Resilience measures
| Control | Benefit |
|---|---|
| Offline backups | Recovery from encryption, but only if restores are tested regularly |
| Incident response plans | Cover data-theft-only extortion, not just encryption |
| Employee training | Phishing and social engineering awareness |
| Cyber insurance | Ransomware-specific coverage |
| Tabletop exercises | Practice response procedures |
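"Tested regularly for restoration" is the part of the backup control most organizations skip, and an untested backup is indistinguishable from no backup until the day it is needed. The following is an added example written for this page, not NordStellar's code, showing the minimum a restore test should do: extract the archive into scratch space using tarfile's data filter (which rejects path traversal and unsafe links inside the tar), then compare every restored file against a SHA-256 manifest written at backup time and kept apart from the archive. The dataset, file names and the tampered second archive are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return a {relative path: sha256} manifest.

    Store the manifest apart from the archive (with the offline copy, on a
    different medium); a manifest the attacker can rewrite proves nothing.
    """
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into scratch space and diff the result against the manifest.

    Returns (ok, problems). problems lists files that are missing, changed or
    unexpected; anything other than (True, []) means do not rely on this backup.
    """
    problems = []
    # The "data" filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
    # refuses absolute paths, "../" traversal and unsafe links inside the archive.
    extract_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_args)
        except Exception as exc:  # unreadable or hostile archive: fail closed
            return False, [f"extract failed: {exc!r}"]
        restored = {
            p.relative_to(scratch).as_posix(): sha256_file(p)
            for p in Path(scratch).rglob("*") if p.is_file()
        }
        for rel, expected in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != expected:
                problems.append(f"mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed dataset: a good backup verifies, a silently altered one does not."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "cad").mkdir(parents=True)
        (src / "erp.db").write_bytes(b"order-ledger-" * 1000)
        (src / "cad" / "part-77.step").write_text("ISO-10303-21;\nHEADER;\n")

        good_archive = Path(work, "good.tgz")
        manifest = make_backup(src, good_archive)
        good_ok, _ = verify_restore(good_archive, manifest)

        # Simulate a backup taken after the data was encrypted in place: same file
        # list, different bytes. An existence check passes; only a content diff fails.
        (src / "erp.db").write_bytes(b"\x00encrypted\x00" * 1000)
        bad_archive = Path(work, "bad.tgz")
        make_backup(src, bad_archive)
        bad_ok, problems = verify_restore(bad_archive, manifest)
    return good_ok, bad_ok, problems


if __name__ == "__main__":
    print(demo())  # (True, False, ['mismatch: erp.db'])
```

Run this against a real restore on a schedule, not just after the backup job reports success: the job succeeding says the archive was written, and only the diff says what was written is what you would want back. Note what this does and does not buy you in the model the page describes: a verified backup answers the encryption case, and nothing here addresses the copy the attacker already exfiltrated.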
For SMBs specifically
| Priority | Action |
|---|---|
| Critical | Enforce MFA on every remote access path and administrative account |
| Critical | Maintain tested offline backups |
| High | Deploy endpoint protection |
| High | Train employees on phishing |
| Medium | Segment networks where possible |
| Ongoing | Monitor for data exfiltration |
Context
The 45% increase in 2025 continues a multi-year acceleration. With extortion no longer dependent on encryption, a strong backup program restores operations but does not remove the attacker's leverage: the stolen copy of the data is enough on its own.
Key trends to watch:
| Trend | Implication |
|---|---|
| RaaS professionalization | Lower barrier for new attackers |
| Holiday targeting | Q4 vulnerability window |
| SMB focus | Small businesses increasingly at risk |
| Encryption-less model | Backups no longer sufficient defense |
| Manufacturing targeting | Industrial sector remains primary target |
Defenders should assume that any network intrusion may result in data exfiltration and plan accordingly. The days when ransomware was purely an encryption problem are over.