BlackFog, the leader in ransomware prevention and anti data exfiltration (ADX), unveiled its 2025 State of Ransomware Report, a detailed analysis of ransomware activity from publicly disclosed and non-disclosed attacks globally.
Also Read: CIO Influence Interview With Jake Mosey, Chief Product Officer at Recast
The report shows that ransomware activity continues to intensify, driven by the emergence of large-scale, AI-enabled attacks. As attackers prioritize speed, scale and stealth over disruption, 2025 marked a record-setting year for ransomware activity:
Key findings for 2025
- Publicly disclosed ransomware increased by 49% year on year. The total number reached a record high of 1,174 incidents, nearly four times higher than in 2020.
- There was a 37% rise in u********** attacks from 2024 – 2025.
Ransomware’s most dangerous players
A total of 130 different ransomware groups carried out attacks in 2025, spanning both new and more established operators. Of these, 52 were new ransomware groups emerging in 2025 – representing a 9% increase compared to 2024.
- Qilin’s activity surged, and in 2025 it was the most active ransomware group across both disclosed and u********** attacks claiming a total of 1,115 victims.
- Akira ranked second for disclosed attacks and third for u********** activity. In total, this group was linked to 776 total recorded attacks over the year.
- Play secured third place for disclosed attacks, accounting for 5% of the annual total, while INC ranked second in u********** activity, with 66 victims claimed.
Large‑scale, AI‑enabled attacks have arrived
2025 also saw the arrival of large scale AI-enabled attacks when attackers hijacked Anthropic’s Claude model to autonomously perform reconnaissance, exploitation, and data theft – a first‑of‑its‑kind AI‑led cyberattack.
Retail sector in the spotlight, healthcare still the most targeted sector
With high-profile attacks affecting brands such as M&S, Cartier, Chanel, and other luxury retailers and fashion houses, the retail sector saw increased targeting. In terms of volume, the healthcare sector was once again the most targeted vertical sector, accounting for 22% of all disclosed ransomware attacks in 2025.
Nearly all sectors experienced increased attack volumes, with the services industry more than doubling year-on-year, recording a 118% increase. Education was the only sector to see a decline, with attacks decreasing by approximately 12%.
No nation is immune: 69% of all countries worldwide impacted
The report reveals the global threat of ransomware with organizations across 135 countries (69%) impacted by attacks in 2025. Among disclosed ransomware incidents, the United States remained the primary target, accounting for 58% of all recorded attacks. Australia and the United Kingdom followed, with 110 and 42 attacks respectively.
For u********** attacks, the US again topped the list, suffering 3,768 incidents. Canada followed, accounting for 6% of u********** attacks, with Germany close behind at 4%.
2025 also saw intense country-specific attacks with the Qilin ransomware group launching a sustained and highly targeted campaign against South Korean organizations – one of the most concentrated national attacks of the year.
Sharp rise in ransomware under the radar – 86% of all attacks are u**********
There was a sharp rise in u********** ransomware activity in 2025, with 7,079 victims announced by ransomware groups on dark web leak sites, representing a 37% increase compared to 2024. These figures indicate that approximately 86% of ransomware attacks are never publicly reported.
Dr Darren Williams, Founder and CEO of BlackFog, comments: “The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn’t respect borders, the size of organization or the sector you’re in. It’s brought vital services, established companies – and the smaller partners who depend on them – to a grinding halt.
“Yet the disruption they cause is only part of the story. Attackers aren’t just breaking in – they’re intent on stealing data to power extortion. By weaponizing AI they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures. Putting protections in place to close these gaps and prevent data exfiltration has to take priority as attackers focus on targeting organizations’ most sensitive information.”
Catch more CIO Insights: Why CIOs are becoming chief risk orchestrators?
[To share your insights with us, please write to psen@itechseries.com ]
