- Ransomware victims increased from approximately 5,400 in 2023 to more than 8,000 in 2025, an increase of 53 to 63%.
- Major groups like RansomHub, BianLian and Hunters International closed, but overall numbers grew
- The active groups increased to 126-141, with Qilin, Cl0p, Play and INC Ransom leading the attacks.
Despite law enforcement’s best efforts to rid the world of ransomware, not much has changed in 2025, and the infamous cybercriminal practice continued its upward trajectory.
This is according to “The State of Ransomware in the US: Report and Statistics 2025,” a new report published by security researchers Emsisoft.
Based on data from two separate sources, RansomLook.io and Ransomware.live, collected between 2023 and 2025, Emsisoft determined that some of the biggest players were either disrupted by law enforcement or shut down on their own. But it did little to stop the attacks.
The disappearance of the giants.
“Since 2023, the number of claimed victims worldwide has increased from approximately 5,400 per year to more than 8,000 in 2025,” the report states.
“Double-digit annual growth has led to increases in 2023/2025 of between 53% (using data from Ransomware.live) and 63% (data from RansomLook.io).” Emsisoft also added that the actual numbers are likely significantly higher, as only a minority of incidents are reported and tracked.
At the same time, some of the groups considered the biggest threats were shut down or disappeared last year. That includes RansomHub (infringed Kawasaki Motors Europe, Planned Parenthood and Manpower), BianLian (Boston’s Children’s Health Physicians, Mizuno USA, Northern Minerals) or Hunters International (Tata Technologies, Dell), as well as many others: Babuk-Bjorka, FunkSec, 8Base and Cactus.
However, in absolute terms, the number of ransomware groups grew. In fact, the more victims there are, the more attackers there are. The data shows around 70 active groups in 2023, increasing to between 126 and 141 in 2025.
Qilin, Akira, Cl0p, Play, Safepay and INC Ransom seem to be the most active groups this year, displacing older heavyweights like LockBit, ALPHV (now closed), 8Base or Akira.
“The disappearance of successful groups often results in open competition to attract the most productive affiliates,” concludes Emsisoft. “We can be hopeful that, although the number of victims continues to rise, the pressure applied by international authorities appears to be having an impact on criminal gangs.”
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
