The global cybersecurity landscape witnessed a profound and concerning evolution in 2025, marked by a significant escalation in ransomware attacks and a strategic pivot by cybercriminal syndicates towards "encryptionless extortion." This shift, alongside the opportunistic timing of operations around year-end staffing vulnerabilities, signals a more sophisticated and adaptable threat environment for organizations worldwide. New research from NordStellar reveals a staggering 45% increase in ransomware incidents from 2024 to 2025, with total cases climbing from 6,395 to 9,251. This surge was particularly pronounced in the final quarter of the year, culminating in December’s record-high of 1,004 incidents, underscoring a calculated exploitation of reduced cybersecurity vigilance during holiday periods.
The Escalating Threat: A New Era of Extortion
The traditional modus operandi of ransomware, which primarily involved encrypting an organization’s files and demanding a ransom for the decryption key, is increasingly being augmented or entirely replaced by tactics focused solely on data exfiltration and public shaming. This "encryptionless extortion" leverages the threat of exposing sensitive stolen data on leak sites or selling it to competitors, providing a powerful alternative leverage point even when encryption fails or is easily mitigated by robust backups. This strategic evolution highlights the attackers’ growing understanding of data privacy regulations, reputational damage, and the inherent value of proprietary information.
Complementary analysis from industry giants Symantec and Carbon Black’s Threat Hunter Team further corroborates this trend. Their joint report indicated 4,737 publicly claimed ransomware attacks in 2025, a slight increase from 4,701 in 2024. However, when the broader category of "extortion activity" – encompassing incidents where data was exfiltrated for ransom without file encryption – was included, the total soared to 6,182 attacks. This 23% year-over-year increase in overall extortion activity underscores the widening scope of cyber threats and the diverse methods employed by malicious actors to monetize their intrusions. The distinction between these reporting methodologies suggests a potential undercounting of the true scale of the problem, as many organizations might not publicly disclose incidents where data was merely stolen without system disruption.
Shifting Tides: The Rise of Encryptionless Attacks
The move away from traditional file encryption represents a significant tactical shift for ransomware groups. Historically, encryption was the cornerstone of ransomware, disrupting operations and forcing victims to pay to regain access to their systems. However, as organizations have improved their backup and recovery strategies, and law enforcement agencies have developed tools to decrypt files from certain ransomware variants, the efficacy of encryption-only attacks has diminished. Cybercriminals have adapted by focusing on the data itself. By exfiltrating sensitive information – ranging from intellectual property and financial records to customer data and employee PII – and threatening to publish or sell it, attackers create immense pressure on victims, irrespective of their ability to restore encrypted systems.

This "double extortion" model, where data is both encrypted and exfiltrated, has been a prevalent strategy for several years. The emerging "encryptionless extortion" takes this a step further, demonstrating that even without the debilitating impact of system-wide encryption, the threat of data exposure alone is often sufficient to compel payment. This approach streamlines the attack process for criminals, potentially reducing the technical complexity of large-scale encryption operations and making their attacks harder to detect through traditional endpoint security measures focused on encryption activity. Furthermore, it exploits the increasing regulatory landscape surrounding data breaches, such as GDPR and CCPA, where fines for data exposure can be substantial, making a ransom payment appear to be the lesser of two evils for many victim organizations.
A Year in Review: Chronology of 2025 Ransomware Trends
The year 2025 presented a dynamic and challenging timeline for cybersecurity professionals. The upward trend in ransomware incidents was consistent throughout the year, with NordStellar’s Vakaris Noreika noting that "the trend has been upward the whole year." This continuous pressure was punctuated by a dramatic escalation in the final quarter, particularly in December, which registered 1,004 incidents. This spike aligns with the observation that ransomware groups strategically exploit "end-of-year cybersecurity gaps caused by reduced staffing and monitoring." During holiday seasons and annual leave periods, security teams often operate with reduced personnel, potentially leading to slower detection, analysis, and response times. Attackers meticulously plan their campaigns to coincide with these windows of vulnerability, maximizing their chances of successful intrusion and prolonged dwell time within compromised networks.
This year-end surge is not an isolated phenomenon but rather a recurring pattern observed in previous years, which cybercriminals have now perfected. The impact of such timed attacks can be devastating, as organizations find themselves in crisis mode when resources are stretched thin, exacerbating operational disruptions and increasing the likelihood of succumbing to extortion demands. The continuous nature of the threat throughout 2025, culminating in this late-year explosion, paints a clear picture of an unrelenting and highly organized cybercriminal ecosystem.
Manufacturing Under Siege: A Sectoral Breakdown
Manufacturing organizations bore the brunt of ransomware activity in 2025, experiencing more incidents than any other sector. NordStellar data indicated that manufacturing accounted for a significant 19.3% of all ransomware incidents, translating to 1,156 attacks recorded during the year. This represents a substantial 32% increase from 2024, highlighting a targeted and escalating assault on the industrial sector. In stark contrast, the education sector, while still a target, accounted for a much smaller proportion, at 3.6% of attacks in 2025.
The vulnerability of the manufacturing sector stems from several critical factors. Manufacturers often operate complex environments that integrate legacy operational technology (OT) systems with modern IT networks. These OT systems, vital for production, are frequently less secure, difficult to patch, and may have extended lifecycles, making them prime targets. A successful ransomware attack on a manufacturing facility can halt production lines, disrupt global supply chains, and lead to massive financial losses due to downtime, reputational damage, and contractual penalties. The interconnectedness of modern supply chains means an attack on one manufacturer can have cascading effects across an entire industry.

Furthermore, smaller manufacturing firms were disproportionately affected. Companies with up to 200 employees and annual revenue of $25 million or less were targeted more frequently than larger enterprises. As Noreika aptly noted, "SMBs are attractive targets for ransomware attacks because they often lack security staff and tools and operate within limited cybersecurity budgets." These smaller entities are also more likely to rely on outdated software, possess limited security monitoring capabilities, and often outsource their IT support, creating multiple points of vulnerability that sophisticated ransomware groups are adept at exploiting. Their perceived inability to mount robust defenses and their critical role in larger supply chains make them lucrative and accessible targets.
Geographic Hotbeds: The Global Landscape of Cyber Extortion
Geographically, the United States remained the primary target for ransomware attacks, accounting for a staggering 64% of reported cases worldwide. NordStellar tracked 3,255 attacks against U.S.-based organizations, marking a 28% increase from the previous year. This concentration can be attributed to several factors, including the U.S.’s large economy, its high degree of digitalization, and the perceived willingness of U.S. companies to pay ransoms. The extensive adoption of cloud services and interconnected business processes also presents a broader attack surface for cybercriminals.
Beyond the U.S., Canada and Germany also experienced sharp increases in ransomware activity. Canada, with its strong economic ties to the U.S. and similar technological infrastructure, often faces parallel threats. Germany, a major industrial powerhouse in Europe, presents an attractive target due to its significant manufacturing sector and advanced technological industries, aligning with the broader trend of targeting industrial organizations. These geographical concentrations underscore the global nature of the ransomware threat, while also highlighting specific regions that are either particularly lucrative or strategically vulnerable to cybercriminal operations. The international nature of these attacks necessitates robust cross-border collaboration between law enforcement agencies and cybersecurity intelligence firms to track and disrupt these highly mobile threat actors.
Ransomware Ecosystem in Flux: The Rise and Fall of Cybercriminal Syndicates
The year 2025 was characterized by significant shifts within the ransomware-as-a-service (RaaS) ecosystem. Several established and prominent groups either shut down or faced major disruptions, creating a vacuum that newer operations quickly filled by absorbing displaced affiliates and refining their attack methodologies. This dynamic environment reflects ongoing pressure from law enforcement, internal conflicts, and the continuous evolution of cybercriminal tactics.
Qilin emerged as the most active ransomware operation, demonstrating aggressive growth with 1,066 cases, an astounding 408% increase from 2024. This rapid expansion signals Qilin’s effective recruitment of affiliates and successful exploitation of new vulnerabilities. Following closely was Akira, which recorded 947 cases, representing a 125% increase year over year. The rapid rise of these groups often correlates with sophisticated RaaS platforms offering advanced tools, lucrative revenue-sharing models, and robust operational security for their affiliates.

Conversely, some high-profile ransomware groups faced significant setbacks. RansomHub, which had been a leading force in ransomware activity earlier in the year, went offline in April 2025 following reported internal disagreements. This often happens in decentralized RaaS models, where disputes over revenue, operational security, or leadership can lead to fragmentation and collapse. More significantly, LockBit, once considered the most prolific ransomware group, had already ceased operations following major disruptions in late 2024. This disruption was largely attributed to "Operation Cronos," a coordinated international law enforcement effort that seized LockBit’s infrastructure, arrested key members, and released decryption tools. While such takedowns provide temporary relief, the RaaS model’s resilience means that affiliates quickly migrate to new platforms, leading to the rapid emergence of groups like Qilin and Akira.
Symantec’s research further highlighted the proliferation of ransomware entities, identifying 134 active ransomware groups in 2025, a 30% increase from the 103 groups tracked in 2024. This growing number underscores the low barrier to entry for cybercriminals, the profitability of ransomware, and the continuous churn within the ecosystem, where new groups emerge as quickly as old ones are dismantled or dissolve.
Zero-Day Exploits and Blurring Lines: Advanced Tactics and State-Sponsored Concerns
The tactical evolution of ransomware groups in 2025 also included a heightened reliance on exploiting zero-day vulnerabilities – previously unknown flaws in software that vendors have not yet patched. The Snakefly group, known for operating Cl0p ransomware, played a prominent role in this regard, leveraging zero-day exploits in enterprise software to gain initial access to victim networks. A notable instance occurred in October 2025 when the group targeted users of Oracle E-Business Suite through a critical vulnerability, CVE-2025-61882, which Symantec reported had been actively exploited since August. Such exploits allow attackers to bypass conventional defenses, making detection and prevention extremely challenging.
Adding another layer of complexity to the threat landscape was the emergence of Warlock ransomware. First observed in June 2025 and gaining significant attention the following month, Warlock exploited a zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770. What distinguished Warlock was its apparent origin. Researchers noted that Warlock seemed to originate from China, a departure from the traditional ransomware strongholds typically associated with Eastern Europe and Russia. This geographical shift raises significant concerns, particularly given Symantec’s assessment: "The involvement of Chinese espionage actors in ransomware is a growing phenomenon." The report further elaborated, stating, "The attackers behind Warlock appear to be a different breed of cybercriminal, where cybercrime is one of the group’s core activities and not a sideline." This observation suggests a blurring of lines between financially motivated cybercrime and state-sponsored espionage, where ransomware could be used not only for monetary gain but also for intelligence gathering, disruptive purposes, or as a deniable front for nation-state objectives. This hybridization of threats complicates attribution and response, demanding a more nuanced approach from defensive organizations and national security agencies.
Defensive Imperatives: Preparing for an Unrelenting Future
Looking ahead, security researchers are unanimous in their prediction that ransomware pressure will continue its relentless ascent. Vakaris Noreika of NordStellar starkly warned, "Given the surge in 2025, ransomware incidents in 2026 are likely to exceed 12,000." This forecast underscores the urgent need for organizations to fundamentally reassess and bolster their cybersecurity postures. Businesses, particularly SMBs and those operating in critical infrastructure sectors where operational downtime is simply unacceptable, must be on high alert and proactively enhance their preparedness to combat evolving ransomware threats.

The fundamental principles of cybersecurity remain paramount, even as attack techniques grow more sophisticated. Security firms universally recommend a suite of basic, yet critical, controls to limit disruption when attacks inevitably succeed. These include:
- Regular Patching and Updates: Promptly applying security patches to all software and operating systems to close known vulnerabilities, including those exploited by zero-day attacks once patches are available.
- Multi-Factor Authentication (MFA): Implementing MFA across all accounts, especially for remote access and privileged accounts, to significantly reduce the risk of unauthorized access even if credentials are stolen.
- Robust Offline Backups: Maintaining isolated, immutable, and regularly tested offline backups of critical data. This ensures that even if primary systems are encrypted or data is exfiltrated, organizations can restore operations without paying a ransom.
- Network Segmentation: Dividing networks into smaller, isolated segments to contain the lateral movement of attackers and limit the impact of a breach.
- Employee Training and Awareness: Regularly educating employees about phishing, social engineering, and safe cybersecurity practices, as human error remains a leading cause of initial compromise.
- Incident Response Planning: Developing and regularly testing comprehensive incident response plans to ensure a swift, coordinated, and effective reaction to a ransomware attack.
- Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) Solutions: Deploying advanced security tools that can detect and respond to suspicious activities in real-time, including data exfiltration attempts.
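Because encryptionless extortion leaves no mass-encryption signal for endpoint tooling to catch, the telling evidence is outbound data volume, unfamiliar destinations, and timing in the quiet hours and holiday windows the article describes. The following Python script is an added illustration, not code from NordStellar, Symantec or the article, of the kind of baseline check an EDR/XDR or SIEM rule runs to surface bulk egress: it computes each host's median daily outbound bytes from prior days, then flags a day whose volume is a multiple of that baseline, noting how much of it left outside business hours and which destinations the host had never contacted before. The log format, hostnames, destinations, byte counts and the 5x/1 GB thresholds are all constructed for this example and are not drawn from the reports.

```python
"""Added example: baseline-based bulk egress detection over constructed log lines.
Not part of the NordStellar or Symantec reports; format and thresholds are assumed."""
from __future__ import annotations

from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed egress log: ISO timestamp, source host, destination, bytes out.
# Three ordinary business days, then the holiday-window day under review.
SAMPLE_LOG = """\
2025-12-17T09:12:40Z ws-fin-07 crm.example-saas.test 98000000
2025-12-18T10:05:03Z ws-fin-07 crm.example-saas.test 104000000
2025-12-19T11:47:29Z ws-fin-07 mail.example.test 100000000
2025-12-17T08:30:11Z ws-eng-03 git.example.test 480000000
2025-12-18T16:22:45Z ws-eng-03 git.example.test 520000000
2025-12-19T13:10:59Z ws-eng-03 artifacts.example.test 500000000
2025-12-24T02:13:08Z ws-fin-07 files.transfer-host.test 1800000000
2025-12-24T02:41:52Z ws-fin-07 files.transfer-host.test 2100000000
2025-12-24T03:05:17Z ws-fin-07 files.transfer-host.test 1300000000
2025-12-24T10:15:33Z ws-eng-03 git.example.test 450000000
2025-12-24T14:30:06Z ws-eng-03 artifacts.example.test 300000000
"""


def parse_egress_log(text: str) -> list[dict]:
    """Parse whitespace-separated egress records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, dest, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "dest": dest,
            "bytes": int(nbytes),
        })
    return records


def daily_totals(records) -> dict:
    """Sum bytes out per (host, calendar day)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["host"], r["ts"].date())] += r["bytes"]
    return totals


def build_baseline(records, end_date: date):
    """Per-host median daily egress and known destinations from days before end_date."""
    history = [r for r in records if r["ts"].date() < end_date]
    per_host_days = defaultdict(list)
    for (host, _day), total in daily_totals(history).items():
        per_host_days[host].append(total)
    known_dests = defaultdict(set)
    for r in history:
        known_dests[r["host"]].add(r["dest"])
    return {h: median(v) for h, v in per_host_days.items()}, known_dests


def detect_bulk_egress(records, day: date, ratio_threshold: float = 5.0,
                       min_bytes: int = 1_000_000_000,
                       business_hours: tuple[int, int] = (7, 19)) -> list[dict]:
    """Flag hosts whose egress on `day` is both above an absolute floor (so tiny
    baselines do not alert on noise) and a multiple of their own median."""
    baseline, known_dests = build_baseline(records, day)
    by_host = defaultdict(list)
    for r in records:
        if r["ts"].date() == day:
            by_host[r["host"]].append(r)
    alerts = []
    for host, rs in sorted(by_host.items()):
        total = sum(r["bytes"] for r in rs)
        base = baseline.get(host)
        ratio = total / base if base else float("inf")  # unseen host: no baseline
        if total < min_bytes or ratio < ratio_threshold:
            continue
        start, end = business_hours
        off_hours = sum(r["bytes"] for r in rs if not start <= r["ts"].hour < end)
        alerts.append({
            "host": host,
            "bytes_out": total,
            "baseline_median": base,
            "ratio": round(ratio, 1),
            "off_hours_fraction": round(off_hours / total, 2),
            "new_destinations": sorted({r["dest"] for r in rs} - known_dests.get(host, set())),
        })
    return alerts


def run_example() -> list[dict]:
    """Review the constructed holiday-window day against the prior three days."""
    return detect_bulk_egress(parse_egress_log(SAMPLE_LOG), date(2025, 12, 24))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

In the sample, ws-fin-07 moves 5.2 GB in the small hours to a destination it has never used, 52 times its median, while ws-eng-03 stays within normal range and is not reported. In production the baseline would come from weeks of NetFlow or proxy data rather than three days, and the ratio and floor would be tuned per role (build servers legitimately push far more than finance workstations), but the shape of the check is the same.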
The escalating and evolving nature of ransomware demands a proactive, layered defense strategy. Organizations can no longer afford to be reactive; they must assume they will be targeted and invest in resilience. The economic and reputational costs of a successful ransomware attack far outweigh the investments required for robust prevention and recovery mechanisms. As the lines between cybercrime and nation-state activity continue to blur, and the tactics of extortionists become more varied, a comprehensive and continuously adapted cybersecurity strategy is not merely advisable but an absolute imperative for survival in the digital age.
For a more comprehensive understanding of these trends and detailed statistics, interested parties are encouraged to visit the NordStellar site and review their full report on ransomware statistics.