- Ransomware groups hit record levels in 2025, new report says
- Searchlight says the number of victims also surpassed previous records
- Victim growth rate has doubled since 2024
If you thought the ransomware threat was getting worse, you’re right, as new findings in the Searchlight Ransomware H2 2025 report have laid bare the magnitude of the problem.
The number of active ransomware groups has reached levels never seen before, and the victim growth rate has doubled since 2024.
New, more complex ransomware groups are breaking away from the big names, creating a highly competitive market for victims.
Ransomware in 2025 breaks records
The casualty count in 2025 reached a total of 7,458, more than any previous year. But this only represents the number of companies and organizations that disclosed that they had suffered a ransomware attack. The United States bore the brunt of attacks, with 1,536 victims disclosing attacks in 2025, followed by Canada with 182, Germany with 167 and the United Kingdom with 131.
The actual number of victims, such as customers or users whose data was stolen during an attack in 2025 and leaked or sold on the dark web, is likely in the millions.
In 2025, there were 124 unique active ransomware groups operating, of which 73 were new groups entering the landscape. But one group remains the most prolific threat: the Qilin. This ransomware-as-a-service (RaaS) group offers its malware for purchase, allowing affiliated hackers to attack organizations and return a portion of the ransom payment to Qilin operators.
By providing an advanced ransomware kit at an affordable price, the barrier to entry into the highly profitable world of ransomware is significantly lowered. The Akira group, which also operates as a RaaS group, took second place with 384 numbers.
Supergroups also emerged in 2025: collaborative operations between ransomware groups that combine their specialized skills to attack larger targets. The joint operations of Scattered Spider, LAPSUS$ and ShinyHunters are the best example of a supergroup, with this trio launching a RaaS operation as a result of their collaboration.
One of the main drivers of the growth of ransomware attacks in 2025 was the availability of AI. Many groups have used AI to create social engineering campaigns and phishing kits that are highly convincing and can bring an organization to its knees with a single click.
“2025 was a record year for ransomware, driven by a professionalized ecosystem that remains devastatingly effective despite increased pressure from law enforcement globally. While we saw a very slight drop in victim numbers in the second half of the year, this should not be interpreted as a victory,” said Luke Donovan, head of threat intelligence at Searchlight Cyber.
The best antivirus for all budgets
