Ransomware attacks surge while most go unreported

Ransomware is no longer a side issue; it’s the dominant cyber threat shaping global business risk. In 2025, publicly disclosed ransomware incidents jumped by 49% compared with the year before, reaching a record 1,174 reported cases, according to BlackFog’s State of Ransomware 2025 report. But this is just the visible part of the problem. Dark web data shows 7,079 victims were listed by ransomware gangs, meaning roughly 86% of attacks never became public. Most affected organizations remain silent, often fearing reputational loss, legal fallout, or disruption to ongoing recovery efforts.

For executive teams, this underreporting distorts how risk is perceived and managed. The apparent numbers don’t reflect the true scale of exposure. A company might think ransomware is a distant issue until it becomes a direct target. Threat visibility must therefore extend beyond public disclosures: leaders should prioritize real-time monitoring, invest in network-level anomaly detection, and maintain intelligence links into dark web activity. Without this visibility, strategic planning against ransomware is built on incomplete data.

This expansion of unreported activity also shows how adaptable and sophisticated attackers have become. They understand that silence works in their favor. Cyber resilience (how fast and effectively an organization can detect, isolate, and recover) has become more important than the unrealistic goal of complete prevention.

Executives need to question their teams: how quickly can we recover if hit tomorrow, and how confident are we that sensitive data isn’t leaving our systems unnoticed? These questions determine resilience far more than compliance checklists. The reality is simple: ransomware can no longer be ignored or downplayed. It’s not going away; it’s scaling faster than defenses adapt.

The ransomware ecosystem is growing, fast and unstable

Cybercrime operates much like a fragmented, global economy now, with constant churn, new entrants, and established players reinventing themselves. In 2025, BlackFog tracked 130 active ransomware groups, including 52 new ones, a 9% rise from 2024. Many groups rebrand frequently or adopt new toolkits and affiliate programs to stay ahead of law enforcement. This constant evolution makes attribution difficult and defense planning more complex.

The numbers are stark. Qilin led as the most active group, claiming 1,115 victims, while Akira was behind 776 total attacks. Others, like Play, accounted for notable shares of publicly known incidents. Each operates independently but uses shared infrastructure, outsourced specialists, and service models that mirror legitimate business ecosystems. It’s not chaos; it’s organized reinvention.

For leaders, the takeaway is clear: cybersecurity can’t be treated as a fixed investment. The threat model is fluid. Ransomware groups operate using the same innovation cycle as advanced startups: faster, cheaper, and with immediate ROI. Executives should ensure their organizations match that pace with adaptive security architectures, zero‑trust frameworks, and faster operational recovery protocols.

What’s also emerging is a broader collaborative structure among attackers. They share codebases, trade exploits, and sell compromised access. This ecosystem dynamic means that even small players can execute large-scale attacks with borrowed tools. Corporate security strategies that rely on defending against “known” actors become irrelevant when new variants appear weekly.

According to BlackFog’s findings, the proliferation of 52 new ransomware groups in one year illustrates how quickly the landscape shifts. Defenders must scale response automation, reduce manual dependence, and adopt data-driven detection models that evolve as fast as attackers do.

The ransomware economy is proving one thing: innovation doesn’t belong only to legitimate businesses. It’s happening on both sides. To stay ahead, leaders need to think beyond defense and focus on resilience, adaptability, and intelligence integration at an executive level.

AI-enabled ransomware marks a major shift in cyber threats

2025 was the year artificial intelligence became a weapon for attackers, not just a defense tool. BlackFog’s report highlights a breakthrough incident where hackers hijacked Anthropic’s Claude AI model and used it autonomously to perform reconnaissance, exploitation, and data theft. This was the first confirmed AI‑led ransomware operation, an event that redefined what automation in cyberattacks can achieve.

Attackers now use AI to scale faster than ever. The technology allows them to scan networks, identify vulnerabilities, and launch precision attacks in minutes. This automation means more attacks, less human involvement, and greater unpredictability. For executives, this fundamentally changes the security equation. Traditional defenses that rely on manual review or human monitoring are too slow for this generation of threats.

The shift isn’t limited to efficiency. AI in ransomware increases stealth. These systems can learn and adapt while operating within compromised networks, making detection extremely difficult. They mimic normal user behavior, avoid generating suspicious traffic patterns, and continuously refine their methods. Without machine-speed countermeasures, even well-secured organizations face a considerable disadvantage.

For leaders, the focus should now move toward AI‑assisted defense strategies. Organizations that fail to integrate AI-driven detection and response systems will fall behind. This is not about replacing human expertise but amplifying it, enabling security teams to respond at the same speed and sophistication as the attackers they face.

BlackFog identifies the hijacking of Anthropic’s Claude model as the first of its kind, a clear signal that ransomware’s next evolution has arrived. The message for the C-suite is straightforward: prepare for AI-powered adversaries by building AI-powered defenses.

Sector-specific targets reveal shifting ransomware priorities

One of the key insights from BlackFog’s 2025 report is that ransomware groups are becoming more selective about their targets. Healthcare remained the most attacked sector, representing 22% of all disclosed incidents. These organizations continue to draw attention due to their critical operations and sensitive patient data. Retail also came under increasing pressure, with high-end brands such as M&S, Cartier, and Chanel among the affected. At the same time, the services industry faced the steepest growth in attacks, a 118% rise year on year, while the education sector saw a modest 12% drop.

This uneven distribution tells an important story. Attackers are prioritizing industries that combine high-value data with weak disruption tolerance. Healthcare and retail operate under constant service expectations and legal data obligations, making them ideal targets for extortion. The services sector, driven by interconnected digital platforms, is becoming more exposed as attackers find exploitable entry points across customer management and operations systems.

For executives, this data points to the need for industry‑specific security strategies. A generic cybersecurity framework is no longer sufficient. Each sector faces unique risks shaped by regulation, data type, and operational dependency. Healthcare organizations, for example, must integrate security enhancements without impairing patient care workflows. Retail needs to strengthen protection of customer data while maintaining frictionless transaction systems.

Decision-makers should prioritize sector‑relevant investment in resilience, combining endpoint protection, constant data monitoring, and crisis management planning. Collaboration within industries can also enhance defense readiness, allowing firms to share intelligence on emerging ransomware variants before they spread.

BlackFog’s research confirms that healthcare dominated 22% of attacks, the services industry saw a 118% surge, and education dropped 12%. These shifts suggest that attackers are tracking economic and operational trends as closely as legitimate businesses do. Leaders who understand where their sector falls on this map will be best positioned to preempt the next wave of attacks.

Ransomware has become a global operational threat

Ransomware is no longer concentrated in a few regions; it has become a global operational risk that affects nearly every country. According to BlackFog’s 2025 data, attacks were recorded across 135 countries, equal to around 69% of the world. The United States experienced the largest share, accounting for 58% of publicly reported cases and 3,768 undisclosed incidents. Australia and the United Kingdom followed, with 110 and 42 reported cases, while Canada and Germany featured prominently in dark web data. BlackFog also noted the rise of targeted national campaigns, such as Qilin’s coordinated attacks on South Korean organizations, which represented one of the most concentrated country‑specific operations of the year.

The data reveals that ransomware has become an international business-risk variable instead of a localized cybersecurity issue. Its global reach means that even companies operating solely within national borders are vulnerable through supply chains, vendors, or online ecosystems. For multinational organizations, this introduces added complexity in compliance, legal reporting, and crisis management across jurisdictions. Executives must now think about ransomware in terms of continuity and operational resilience at the global level, not regional containment.

Leaders should also pay close attention to how geopolitical factors shape threat distribution. Regions with growing digital infrastructures but weaker regulatory oversight, such as parts of Asia and Eastern Europe, are increasingly targeted. In contrast, mature markets like the United States face higher incident reporting but have better visibility and response coordination. Risk mitigation therefore requires multi-jurisdictional policies, international data segmentation, and collaboration with cross-border agencies to share threat intelligence faster.

According to BlackFog’s analysis, the data demonstrates this clear escalation in scope: 135 countries impacted, 58% of attacks striking U.S. entities, and thousands more unreported cases worldwide. For global companies, ransomware is now a shared operational liability that demands standardized, globally synchronized risk management. The challenge for executives is not just survival but agility, ensuring readiness regardless of where the attack starts.

Ransomware now combines data theft and extortion, intensifying business and legal exposure

Ransomware operations have evolved into multi-layered attacks that don’t stop at encryption. Modern threat groups now extract corporate data before launching extortion demands. This dual-phase model amplifies damage, combining financial, operational, and legal consequences. BlackFog’s 2025 report highlights this as a defining trend, noting that attackers increasingly use the stolen data as leverage for secondary blackmail or sale on the dark web.

This shift forces organizations to deal with two simultaneous crises: system disruption and potential data breach liabilities. A company that’s locked out of its systems may recover backups, but once confidential information has been taken, reputational and legal costs escalate fast. The risk extends beyond ransom payments; it now involves lawsuits, regulatory scrutiny, and erosion of customer trust.

Leadership involvement has become a critical factor in this new environment. Protection against ransomware isn’t purely a technical matter; it’s a strategic governance issue. Executives should push for continuous monitoring tools that detect and block data exfiltration attempts early, not after encryption has occurred. Corporate boards need to ensure that crisis response plans include legal, communication, and financial recovery steps alongside technical restoration. These incidents are no longer confined to IT departments.

Dr. Darren Williams, Founder and CEO of BlackFog, directly addressed this shift, emphasizing that ransomware’s impact has become extensive and indiscriminate. “The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn’t respect borders, the size of organization or the sector you’re in. It’s brought vital services, established companies – and the smaller partners who depend on them – to a grinding halt.” He also warned that attackers have begun weaponizing AI to accelerate data theft and evade security controls, urging organizations to prioritize anti‑exfiltration measures and data‑centric defense.

For decision‑makers, this underscores the need to treat data as the core of cybersecurity investment. The financial consequences of a breach are often dwarfed by those of stolen information. Preventing exfiltration before encryption must be the top priority. The organizations that grasp this evolution early will define the new standard for digital resilience.

Key takeaways for decision-makers

  • Unreported ransomware is masking the real scale of risk: Over 86% of ransomware attacks in 2025 went unreported, according to BlackFog. Leaders should assume underdisclosure and invest in continuous threat monitoring and dark web intelligence to gain a full risk picture.
  • Ransomware groups are multiplying and evolving fast: With 130 groups active and 52 new entrants in 2025, the threat landscape is expanding rapidly. Executives need adaptive defense strategies and intelligence-driven security models that evolve in real time.
  • AI is transforming ransomware into an autonomous threat: The hijacking of Anthropic’s Claude model marked the first AI-led ransomware attack. Leadership teams must accelerate adoption of AI-powered defenses that detect and counter automated threats at machine speed.
  • Critical sectors face unequal exposure: Healthcare took 22% of attacks, while retail and services saw major upticks. Decision-makers should implement sector-specific protection strategies that consider regulatory pressure, operational disruption, and data sensitivity.
  • Ransomware is now a global operational issue: Attacks spanned 135 countries, with 58% of reported cases hitting the U.S. Global enterprises need unified cybersecurity governance frameworks that align compliance, reporting, and response across all regions.
  • Data theft is the new front in ransomware damage: Attackers now pair encryption with data exfiltration, compounding financial and reputational losses. Executives should prioritize technologies that prevent data exfiltration and ensure legal and crisis response plans are integrated company-wide.

Alexander Procter

March 5, 2026
