New research from NordStellar reveals that ransomware attacks increased by 45% in 2025, with 9,251 cases recorded on dark web leak sites compared to 6,395 in 2024.
Key Findings
Geographic Distribution
United States remained the primary target with 3,255 recorded cases in 2025—a 28% increase from 2,544 incidents in 2024. US organizations accounted for 64% of all recorded ransomware cases globally.
Other notable increases:
- Germany: 97% increase (270 cases)
- Canada: 46% increase
- France: 46% increase
Target Profile
Small and medium-sized businesses (SMBs) with up to 200 employees and revenues up to $25 million experienced the most ransomware attacks, consistent with findings from 2024.
This trend reflects attackers’ preference for organizations that:
- Have valuable data but limited security resources
- Are more likely to pay ransoms to resume operations
- May lack robust backup and recovery capabilities
Evolving Tactics
The research highlights a significant shift in ransomware tactics. Many attacks no longer involve encryption—attackers quietly exfiltrate sensitive data over weeks or months, then extort victims long after the initial breach.
This “encryption-less” approach:
- Evades traditional ransomware detection
- Provides leverage even if victims have backups
- Reduces attacker operational complexity
Recommendations
Organizations should:
- Implement data loss prevention (DLP) to detect unusual data transfers
- Monitor for lateral movement and privilege escalation
- Segment networks to limit attacker reach
- Maintain offline backups and test restoration procedures
- Train employees on phishing and social engineering