Ransomware attacks surged in 2025

Ransomware isn’t slowing down. In 2025, the number of publicly reported ransomware incidents hit 1,174. That’s a 49% jump from 2024, and close to four times more than we saw in 2020. But the larger problem is the part we don’t see. BlackFog’s latest data shows that nearly 86% of attacks never make it to public reporting. On dark web leak sites, attackers listed over 7,000 victims. That’s a real dataset, not speculation, and it says something serious: most companies are being hit and staying silent.

If you’re running a company, especially in regulated sectors, this gap in visibility is dangerous. Attacks are escalating. Sophistication is increasing. And the reporting gaps mean leaders may be underestimating both frequency and risk exposure. Most threat response models still rely on publicly available information, which leaves you blind to what’s really happening. If you’re a CEO or CIO and you’re not actively building strategy around unreported incidents, you’re missing the actual scale of the threat. Most firms are already in the blast radius, they just haven’t seen the flash yet.

There’s a cultural lag here. Back in 2020, ransomware seemed like a disruption. Now it’s a persistent operational risk. It affects how CFOs think about insurance, how COOs evaluate continuity, and how CTOs allocate infrastructure budget. The new reality isn’t just more attacks; it’s that most of them operate in the dark. That means your next strategy review needs to assume lateral movement in the network, multiple entry points, and likely cases of undetected compromise.

AI is fundamentally transforming ransomware operations

Artificial intelligence isn’t just powering recommendation engines and chatbots anymore; it’s landed squarely on the wrong side of cybersecurity. In 2025, we saw the first high-profile case of a ransomware group hijacking a language model, Anthropic’s Claude. They used it to automate every stage of the attack: reconnaissance, exploitation, and data theft. No human operator in the middle. That’s a new class of threat.

Ransomware groups are no longer doing smash-and-grab jobs. They’re moving with automation, accuracy, and scale thanks to AI. Think about it: you can now run a cyber operation that scales instantly, adapts to new environments, and stays invisible longer. That’s not just a threat, it’s a mechanical advantage. And every step these attackers automate widens the gap between their offensive capability and traditional defensive methods.

Most legacy tools weren’t built to stop autonomous, adaptive attackers. Static firewalls and outdated behavioral models won’t cut it now. If your security stack isn’t evolving, learning in real-time and operating close to endpoints, you’re leaving space for AI-based intrusion. Boards can’t wait on this. The tooling gap is accelerating, and so is the speed of infiltration.

Dr Darren Williams, founder and CEO of BlackFog, said it plainly: “Attackers aren’t just breaking in, they’re stealing data to power extortion.” He’s right. We’re no longer defending networks, we’re defending the integrity of every record, contract, and medical file. AI has shifted the game. And if you’re not prioritizing speed-to-detection systems and real-time data loss prevention, you’re not playing the right one.

Ransomware group activity is expanding and diversifying

The ransomware landscape is adaptive. In 2025, BlackFog tracked 130 different ransomware groups, including 52 new entrants. That’s a 9% increase from 2024. These aren’t just renamed operations, they’re groups shifting tactics, splitting apart, adopting affiliate models, and scaling through ecosystem churn. This organizational fluidity makes attribution harder and containment slower.

Among the most active were known names like Qilin and Akira. Qilin led the field, claiming 1,115 victims across both disclosed and undisclosed attacks. Akira followed closely, with 776 victims. Groups like Play also took significant operational share, accounting for 5% of publicly reported attacks. These aren’t sporadic hits, these numbers show sustained campaigns. You’re looking at operators with infrastructure, strategy, and continuity.

The structure of ransomware ops is starting to reflect the logic of high-frequency attacks: short life cycles, high volatility, and high yield. For CISOs and CIOs, intelligence needs to shift from static group profiles to dynamic behavioral analysis. Most effort today goes into identifying signatures, when what you need to recognize is operational intent. That means more machine-scale correlation, less manual threat hunting.

If you’re running enterprise security, tracking these groups isn’t about headlines. It’s operational planning. You’re not defending against one large monolithic threat. You’re dealing with an environment of dozens of agile, well-coordinated units with specialization, funding, and scalable tooling. Pretending they look like yesterday’s criminal groups is a luxury you can’t afford.

Targeted industries and geographical areas experienced varied levels of ransomware exposure

In 2025, ransomware activity became more selective while still scaling globally. No sector was untouched, but some took bigger hits than others. The healthcare sector remained the hardest hit by volume, accounting for 22% of all publicly disclosed incidents. That’s not a coincidence: sensitive patient data and urgent infrastructure make it a predictable focus. Retail also saw growing attention, with breaches reported at major brands like M&S, Cartier, and Chanel. Luxury and consumer-facing companies aren’t historically IT-heavy, and that gap is being exploited.

Services industries weren’t spared either. They saw a 118% year-over-year rise in ransomware attacks, the steepest spike BlackFog reported across all verticals. The drop in attacks on education, down about 12%, isn’t a signal of safety. It’s likely a function of attackers shifting focus, not retreating from the market. For leadership teams, this means adapting defense priorities. Protection budgets should reflect exposure, not just historical frequency.

Globally, ransomware remained a planetary-scale issue. Attacks affected organizations in 135 countries, roughly 69% of the world. The United States continued to absorb the majority of impact, with 58% of all publicly disclosed incidents and 3,768 of the undisclosed. Australia and the UK followed at some distance. Meanwhile, new targeting patterns emerged. Groups ran focused campaigns in select regions. Qilin executed one of the most concentrated national attacks of the year against South Korean organizations. That kind of targeted pressure signals a broader playbook of strategic intent.

For multinational executives, these numbers are not academic. If you’re operating across regulated sectors or running globally integrated systems, different countries will face different threat intensities. Central security policy is useful, but it’s not enough. Regional variations in risk demand regional adaptations in response. That’s what forward-looking operational security leadership needs to internalize.

Ransomware operations are evolving beyond mere encryption

Ransomware isn’t just about locking systems anymore, that part is expected. What’s changed is the strategic focus on data theft. In 2025, we saw ransomware operations continue to combine encryption with targeted exfiltration of sensitive data. This is now the standard approach, and it multiplies the stakes for every organization involved. Once data is in the attackers’ hands, the risk shifts from downtime to leverage. They’re not just asking for payment to restore access, they’re threatening to leak sensitive information for added pressure.

This evolution significantly alters the risk profile. Operational disruption is still costly, but reputational and regulatory consequences from leaked data hit harder and last longer. If your architecture isn’t built with data containment and exfiltration resistance in mind, you’re exposed. Many companies still prioritize perimeter defense. That’s insufficient. Once attackers get inside, they need to hit something; without data isolation, they will.

For CFOs and CISOs, this means higher costs in mitigation, greater legal exposure, and a tighter compliance environment. Data privacy laws, especially in the EU, US, and parts of Asia, tie direct penalties to the loss of personal and financial information. If stolen data includes medical files, client lists, or contracts, organizations may find the long-term regulatory and court-driven consequences exceed the initial ransom demand.

Dr Darren Williams, founder and CEO of BlackFog, made the point clear: “The disruption they cause is only part of the story. Attackers aren’t just breaking in, they’re intent on stealing data to power extortion.” He’s right. The emphasis now is on exfiltration. And with AI sharpening attack paths and reducing detection time, traditional containment windows have been compressed. Executives need to adjust. This isn’t just about stronger firewalls, it’s improved visibility, live monitoring of data movement, and real-time interventions when sensitive assets come under threat.

We’re not heading toward this shift, it’s already here. Many companies are still playing catch-up, which is exactly what attackers are relying on. The leadership question now isn’t whether you’re protected, it’s whether your system can respond before data exits your environment. That’s the line that matters.

Key executive takeaways

  • Ransomware is scaling beyond the public radar: Leaders must build cybersecurity strategies based on the true scope of risk, not just disclosed incidents; 86% of attacks in 2025 went unreported, masking the actual threat level.
  • AI-enabled attacks are redefining threat speed and stealth: Organizations need to upgrade legacy defenses in response to AI-led intrusions that automate reconnaissance, exploitation, and data exfiltration, drastically reducing response time.
  • Threat actors are multiplying and evolving fast: Security teams should monitor behavioral patterns over static group names; 52 new ransomware groups emerged in 2025, often rebranded or reorganized to evade detection.
  • High-risk sectors and regions demand tailored defenses: With 22% of public attacks targeting healthcare and 58% of cases based in the U.S., leaders must allocate resources based on targeted exposure, not generalized risk.
  • Data theft now drives the impact of ransomware: Executives should elevate real-time data loss prevention as a top priority; attackers are shifting from disruption to extortion using sensitive, stolen information.

Alexander Procter

February 13, 2026
