Research: Ransomware attacks spike by 49% in the first half of 2025



Summary: In the first half of 2025, ransomware cases increased by 49% with US organizations and SMBs being the primary targets of these attacks.

Our recent study reveals that the number of ransomware incidents has risen sharply compared to last year. In January-June of 2025, 4,198 ransomware cases were exposed on the dark web, an alarming 49% increase from the 2,809 cases recorded in 2024. In particular, US organizations and small to medium-sized businesses (SMBs) were the primary targets of these attacks.

So, what drove this increase, who’s responsible for the majority of these attacks, and how can you prevent them? Let’s make sense of these ransomware statistics.

Methodology

We continuously monitor over 200 blogs operated by ransomware groups. The ransomware data available on these blogs typically includes the names of the attacked companies, descriptions of the incidents, and sometimes samples of the stolen files to prove the legitimacy of the attack. These groups publish their victims as a tactic to pressure them into paying the ransom. They often include a countdown timer, after which they threaten to leak the stolen data if the ransom is not paid.

Once a company is identified from a ransomware listing, we conduct further research to gather firmographic data. While the total number of 1,758 ransomware attacks in Q2 2025 is accurate, the figures presented in each category (industry, company size, and country) may be slightly higher due to a smaller sample size. This is because a number of incidents were missing data needed for categorization and thus were omitted.

We utilize various publicly accessible business data sources to identify general organizational attributes, such as industry, geographic region, size, and revenue bracket, using the company name and domain.

Ransomware statistics unpacked: Why did the ransomware attack numbers go up?

Ransomware is malicious software that restricts access to a computer system or data by encrypting files or locking systems, holding them hostage for a ransom. It’s often distributed via email phishing, other social engineering, malvertising, and exploit kits. Cybercriminals then threaten to publish the company's data if the ransom isn’t paid on time.

Unfortunately, attackers won’t necessarily hand over the decryption key to restore access even after the ransom is paid. Often, the systems or files stay locked pending a second ransom, leaving multiple companies to suffer dire consequences: financial, reputational, and legal.

Ransomware attacks are one of the main cyber threats. Yet the fact that their number has risen by 49% halfway into this year signals that these attacks remain effective and profitable enough for cybercriminals to ramp up their efforts. These ransomware trends show that the threat is here to stay.

A chart depicting a number of ransomware incidents in 2025 Q2.

Vakaris Noreika, a cybersecurity expert at NordStellar, notes several reasons for such an increase:

"Some factors that could contribute to the growth in ransomware attacks include the rise in ransomware-as-a-service (RaaS), expanded attack surfaces from remote or hybrid work models, and economic uncertainty that could encourage more people to seek illegal income and turn to cybercrime."

Let’s look at each in more detail:

RaaS is a business model that provides malicious software and infrastructure to individuals or groups who then carry out the attacks. This lowers the entry barrier for cybercriminals, who no longer need any technical expertise to develop ransomware themselves.

The shift to remote or hybrid work models has also expanded the attack surface, introducing new vulnerabilities for cybercriminals to exploit. The number of endpoints, networks, and other software used by remote employees has increased and, with it, the strain on security teams to maintain comprehensive protection. Moreover, people are more likely to integrate personal and home devices into the workplace network, opening yet another potential entry point for attackers.

Lastly, as in any period of economic uncertainty, people are more likely to engage in illegal activities out of financial desperation. Coupled with the rise of RaaS and technological advancements, ransomware becomes an attractive option that offers high rewards with potentially low effort.

Main targets of ransomware in 2025 Q2

In this section of the ransomware report, let’s take a closer look at the targets and break them down by country, industry and business size.

By country

Firstly, let's examine the countries that were targeted. In April-June 2025, 1,758 ransomware incidents were exposed on the dark web, a 19% increase compared to the same period in 2024 (1,483 cases).

Of the 1,205 ransomware cases that could be traced to specific victim countries, US businesses took the most brutal hit, accounting for 49% of cases (596 incidents). Germany was the second most affected country, with 84 cases, followed by Canada (74), the United Kingdom (40), and Spain (37).

A chart depicting the top 10 countries affected by the ransomware incidents in 2025 Q2.

So, why the US? It’s home to many profitable businesses, which makes them higher-profile targets for cyberattacks. As a result, they are more likely to give in to ransomware demands in the hope of reducing the looming reputational damage and potential financial losses.

Yet another, somewhat surprising, reason is that strict compliance regulations, laws on data protection and operational uptime can pressure companies to resolve ransomware incidents as quickly as possible, so as not to risk fines or loss of their clients' and partners’ trust.

By industry

A chart depicting companies by industry affected by the ransomware incidents in 2025 Q2.

When analyzing ransomware statistics by industry, data from April to June 2025 revealed that the manufacturing industry was most affected, with 229 recorded cases. The construction industry came in second with 97 cases, followed closely by information technology with 88 ransomware incidents.

One of the main reasons companies in the manufacturing industry were severely impacted is that they often struggle to enforce and centralize security across their geographically dispersed locations. Additionally, many manufacturing companies rely on outdated and unpatched systems, which can be exploited by cybercriminals.

By business size

In terms of business sizes, ransomware data from the second quarter of 2025 revealed that SMBs were the prime target for ransomware threats. Specifically, organizations with 51–200 employees and revenues between $5 million and $25 million experienced the most attacks.

A chart depicting the companies by revenue affected by the ransomware incidents in 2025 Q2.
A chart depicting companies by employees affected by the ransomware incidents in 2025 Q2.

Noreika noted that there’s also a similarity between these two targets:

"The victim profile mirrors the data from 2025 Q1: SMBs and companies in the manufacturing industry remain the prime targets. This is a significant cause for concern because bad actors continue successfully exploiting preventable security vulnerabilities."

Similarly, SMBs, like manufacturing companies, often rely on third-party IT providers and lack comprehensive cybersecurity measures due to limited budgets, exposing them to greater risk.

Who’s responsible for these attacks?

The ransomware group Qilin was responsible for the most attacks in 2025 Q2, with 214 ransomware incidents. It’s a RaaS criminal operation that works with affiliates to encrypt and exfiltrate data from the victim companies and appears to be linked to Russia.

Safepay holds the second spot with 201 ransomware incidents, followed closely by Akira, another ransomware group, with 200 incidents.

A chart depicting the ransomware groups and their involvement in number of ransomware incidents in 2025 Q2.

Safepay is the newest of the three gangs, with our team first detecting their activity in fall 2024. Their attacks significantly increased in the second quarter of 2025, with a spike in May, when we detected 158 ransomware incidents in that month alone.

Building a ransomware-resistant business

With the persistence of ransomware attack trends, it's clear that this threat is here to stay. So, what can be done to protect your business from it?

First and foremost, your employees are the first line of defense against ransomware. Cybersecurity training on phishing scams, the importance of multi-factor authentication, and password management is essential to minimize the risk of bad actors gaining access to sensitive data or infiltrating the network.

"Aside from raising cybersecurity awareness, companies should also build a comprehensive cybersecurity strategy to detect threats before they escalate. This includes implementing endpoint protection, monitoring the dark web for potential data leaks, and keeping a close eye on the company's attack surface for unpatched security vulnerabilities," notes Noreika.

To minimize the impact of a potential ransomware incident, Noreika recommends that businesses stay two steps ahead, implement recovery plans, and always back up critical data.

