- Ransomware groups hit record highs in 2025, new report claims
- Searchlight says the number of victims also broke previous records
- The number of victims has doubled since 2024
If you thought the ransomware threat was getting worse – you’re right, as new findings in the Searchlight Ransomware H2 2025 report have revealed the extent of the problem.
The number of active ransomware groups has reached levels never seen before, with the growth rate of victims doubling since 2024.
New, more complex ransomware groups are splintering away from the big names and creating a highly competitive market for victims.
Ransomware in 2025 breaks records
The number of victims in 2025 reached a total of 7,458 – more than any previous year. However, this only represents the number of companies and organizations that disclosed that they had been subjected to a ransomware attack. The US took the brunt of the attacks with 1,536 victims disclosing attacks in 2025, followed by Canada with 182, Germany with 167 and the UK with 131.
The true number of victims, such as customers or users whose data was stolen during an attack in 2025 and leaked or sold on the dark web, is likely in the millions.
124 unique active ransomware groups were in operation in 2025, with 73 of these being new groups entering the landscape. But one group remains the most prolific threat – the Qilin. This ransomware-as-a-service (RaaS) group offers its malware for purchase, letting affiliated hackers attack organizations with a portion of the ransom paid back to the Qilin operators.
By providing an advanced ransomware kit at an affordable price, the barrier to entry into the highly profitable world of ransomware is significantly reduced. The Akira group, which also acts as a RaaS group, claimed the second largest pool of numbers with 384.
Supergroups also emerged in 2025 – cooperative operations between ransomware groups that pool their specialized skills to attack larger targets. The joint operations of Scattered Spider, LAPSUS$ and ShinyHunters are the best example of a supergroup, with this trio launching a RaaS operation as a result of their collaboration.
One of the main drivers of the growth of ransomware attacks in 2025 was the availability of AI. Many groups have used AI to create social engineering campaigns and phishing kits that are very convincing and can bring an organization to its knees with just one click.
“2025 was a record year for ransomware, driven by a professionalized ecosystem that remains devastatingly effective despite increased pressure from global law enforcement. Although we saw a very small drop in the number of victims in the second half of the year, this should not be interpreted as a victory,” said Luke Donovan, Head of Threat Cyberligence, Searchlight.
The best antivirus for all budgets
