Research: Ransomware isn’t slowing down in Q3 2025



Summary: Through the third quarter of 2025, ransomware attacks surged by 47%, with US organizations and small to medium-sized businesses remaining the primary targets.

Our analysis this quarter reveals a continued growth in ransomware incidents. Between January and September 2025, 6,330 cases were exposed on the dark web—a 47% increase from the 4,293 cases recorded during the same period last year. As in the previous quarter, US organizations and small to medium-sized businesses (SMBs) remained the primary targets.

So, what drove this increase, who’s responsible for the majority of these attacks, and how can you prevent them? Let’s make sense of these ransomware statistics.

Methodology

We continuously monitor over 200 blogs operated by ransomware groups. The ransomware data available on these blogs typically includes the names of the attacked companies, descriptions of the incidents, and sometimes samples of the stolen files to prove the legitimacy of the attack. These groups publish their victims’ names as a tactic to pressure them into paying the ransom. They often include a countdown timer, after which they threaten to leak the stolen data if the ransom is not paid.

Once a company is identified from a ransomware listing, we conduct further research to gather firmographic data. While the total number of 1,943 ransomware attacks in Q3 2025 is accurate, the figures presented in each category (industry, company size, and country) may be slightly higher due to a smaller sample size. This is because some incidents were missing the data needed for categorization and were omitted.

We use various publicly accessible business data sources to identify general organizational attributes, such as industry, geographic region, size, and revenue bracket, using the company name and domain.

Ransomware statistics unpacked: Why did the ransomware attack numbers go up?

Ransomware is malicious software that restricts access to a computer system or data by encrypting files or locking systems, holding them hostage for a ransom. It’s often distributed via email phishing, social engineering, malvertising, and exploit kits. Cybercriminals then threaten to publish the company's data if the ransom isn’t paid on time.

Unfortunately, attackers won’t necessarily hand over the decryption key to restore access even after the ransom is paid. Often, the systems or files stay locked pending a second ransom, leaving companies to suffer dire consequences—financial, reputational, and legal.

These attacks are one of the main cyber threats. The continued rise in incidents shows that ransomware is still effective and highly profitable, incentivizing cybercriminals to ramp up activity. In short, ransomware trends show these threats are here to stay.

A chart depicting a number of ransomware incidents in 2025 Q3.

According to Vakaris Noreika, cybersecurity expert at NordStellar, there are several reasons for the surge in ransomware activity. One is most likely the increase in ransomware-as-a-service (RaaS), a business model that provides malicious software and infrastructure for others to carry out attacks. It allows cybercriminals to scale their attacks and has lowered the entry barrier for bad actors.

Another key factor is the record-high number of active ransomware groups. Noreika explains that this number has been rising for five years, noting that in September alone, NordStellar attributed incidents to 66 different groups.

Main targets of ransomware in 2025 Q3

In this section of the ransomware report, let’s take a closer look at the targets and break them down by country, industry and business size.

By country

Firstly, let's examine the countries that were targeted. From July to September 2025, 1,943 ransomware incidents were exposed on the dark web, a 31% increase compared to the same period in 2024 (1,484 cases).

Of the 1,274 ransomware cases that could be traced to specific victim countries, US businesses took the most brutal hit, accounting for 54% of cases (686 incidents). Canada was the second most affected country, with 62 cases, followed closely by Germany (60), the United Kingdom (54), and France (35).

A chart depicting the top 10 countries affected by the ransomware incidents in 2025 Q3.

According to Noreika, the findings are consistent with what we have seen all year: "The US is home to numerous profitable public businesses, and this, coupled with strict regulations, makes these companies a higher-profile target for cyber-attacks. Their potential for high profitability, combined with a higher likelihood of meeting ransomware demands to resolve incidents quickly, increases the chances of success for attackers."

By industry

When analyzing ransomware statistics by industry, data from July to September 2025 revealed that the manufacturing industry was most affected, with 245 recorded cases, mirroring the results of the previous quarters. Other significantly impacted sectors included professional, scientific, and technical services with 107 ransomware incidents, information technology with 103, construction with 91, and financial services with 88.

"Companies operating in the manufacturing industry experience high operational downtime costs, making them more inclined to give in to ransomware demands to resolve the incident as soon as possible. They also often rely on outdated or unpatched software and systems and are more likely to experience supply chain vulnerabilities due to reliance on third-party vendors, partners, and logistics providers," says Noreika.

A chart depicting companies by industry affected by the ransomware incidents in 2025 Q2.

Noreika also explains that companies in the professional, scientific, and technical services industry often work with confidential customer data, intellectual property, and critical business tools, making them an attractive target for ransomware actors. He adds that businesses in the information technology industry are targeted because they handle large volumes of valuable data and are key components of the supply chain. This means that attacking them can spread ransomware to multiple businesses simultaneously.

By business size

Ransomware data from the third quarter of 2025 revealed that SMBs were the prime targets. Specifically, organizations with 51–200 employees and revenues between $5 million and $25 million experienced the most attacks.

A chart depicting companies by employees affected by the ransomware incidents in 2025 Q3.
A chart depicting the companies by revenue affected by the ransomware incidents in 2025 Q3.

"Ransomware actors usually perceive smaller businesses as lower-risk targets because they might lack a sophisticated IT infrastructure, operate on low cybersecurity budgets, and not have the means to investigate or report attacks to authorities," says Noreika.

He adds that companies with smaller revenues may also be more likely to meet attackers' demands, since the cost of downtime, data loss, or reputational damage from a full-blown ransomware attack could devastate the business financially. As a result, many of them could view paying the ransom as the only option, making them a more attractive target for ransomware attackers.

Veteran ransomware groups dominate the 2025 threat landscape

Qilin was responsible for the most attacks in Q3 2025, with 241 ransomware incidents, and continues to hold the number one spot from the previous quarter. It’s a Russia-linked RaaS criminal operation that works with affiliates to encrypt and exfiltrate data from the victim companies and appears.

A chart depicting the ransomware groups and their involvement in number of ransomware incidents in 2025 Q3.

Akira holds the second spot with 190 ransomware incidents, followed closely by INC Ransom, another ransomware group, with 146 incidents. Then follows Play with 102 incidents, and Safepay with 92.

"Qilin, Akira, and Play are more experienced players, active from 2022-2023, and are known for their double extortion models and large victim scope. They are also more likely to keep their operations in-house, without utilizing or offering RaaS," says Noreika. "Safepay is the youngest group, first detected in the fall of last year, yet has consistently been among the top perpetrators this year. INC Ransom was first discovered in late 2023 and is generally lesser-known. However, they have also been quite consistent with their attacks this year."

According to Noreika, ransomware groups are highly organized. He explains that business leaders are not always fully aware of the danger these groups pose. For example, the groups often seek out top talent in cybersecurity or might even recruit insiders to carry out a targeted attack against an organization, making them a threat that companies cannot afford to underestimate.

Building a ransomware-resistant business

With the persistence of ransomware attack trends, it's clear that this threat is here to stay. So, what can you do to protect your business from it?

First and foremost, your employees are the first line of defense against ransomware. Cybersecurity training on phishing scams, the importance of multi-factor authentication, and password management is essential to minimize the risk of bad actors gaining access to sensitive data or infiltrating the network.

"Another important factor is monitoring and addressing unknown cybersecurity gaps. With more businesses embracing hybrid or remote work models, introducing unmanaged devices and relying on third-party vendors, the attack surface is expanding, and any endpoint can be exploited," says Noreika.

To stay ahead of attackers, he advises companies to monitor for external vulnerabilities before they are exploited, as well as any potential data leaks on the dark web, to minimize the possibility of a more sophisticated attack. Noreika emphasizes that recovery plans and backing up critical data are among the essential steps to reduce the impact of a potential ransomware incident.

Previous research data

Here you can find the main ransomware attack data from the previous quarters.

Q2: Ransomware attacks spike by 49% in the first half of 2025

The number of ransomware attacks surged by 49% in the first half of 2025 compared to the same period in 2024. In total, 4,198 cases were exposed on the dark web between January and June 2025.

Main ransomware targets:

  • By Country: The United States was the most targeted nation by a large margin, accounting for 49% (596 incidents) of all attacks. This is attributed to its high concentration of profitable businesses and strict compliance laws that pressure companies to resolve incidents quickly.
  • By Industry: The manufacturing sector is the most affected industry, with 229 recorded cases, often due to decentralized security and reliance on outdated, unpatched systems.
  • By Business Size: Small to medium-sized businesses (SMBs) are the prime targets. These organizations often have limited cybersecurity budgets and rely on third-party IT providers, making them more vulnerable.

Who was responsible for the attacks:

  • Qilin: This Russia-linked RaaS group was the most prolific, responsible for 214 incidents.
  • Safepay: A relatively new group (first detected in late 2024), it was the second most active with 201 incidents.
  • Akira: This group came in third with 200 recorded incidents.
