Ransomware Attack Surge Continues in 2025
The upward trend in ransomware attacks in 2024 has continued in 2025 with large numbers of new victims added to ransomware groups’ data leak sites in January and February. A recent report from the cybersecurity firm Cyble shows there were at least 599 new additions to data leak sites in the first 27 days of February, an increase from 518 new additions in January, despite February being a shorter month.
The majority of the victims are based in the United States, with the victim count up 149% compared to the first 5 weeks of 2024. Over the first five weeks of 2024, 282 new U.S. victims were added to data leak sites, with the victim count rising to 378 in 2025. There has also been a significant increase in attacks on Canadian companies, rising from 14 attacks in the first 5 weeks of 2024 to 46 attacks in 2025. While attacks in North America continue to increase, there has been relatively little change in the numbers of attacks in other countries.
Cycle suggests the increase in attacks in North America is most likely due to the belief among ransomware groups that attacks in the region are more likely to see ransoms paid than attacks elsewhere. This could be due to several highly publicized attacks in 2024 where victims paid sizeable ransom payments. Data from Chainalysis indicates growing reluctance to pay ransom payments, with ransom payments down 35% year-over-year; however, that could spur ransomware groups to conduct even more attacks with the focus switching to quantity rather than quality.
At the start of 2024, LockBit was the most prolific group; however, a law enforcement operation against the group caused significant disruption and LockBit never fully recovered from the operation, with attack volume throughout 2024 nowhere near the level prior to the law enforcement operation. The group lost several experienced affiliates which switched to other groups. RansomHub actively recruited affiliates from LockBit and the now defunct ALPHV/BlackCat group and grew rapidly, becoming the most prolific group in 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
This year, RansomHub has dropped to 5th place behind Cl0p (81), Akira (63), Lynx (32), and Qilin (29), with RansomHub only believed to have conducted 23 attacks. Cyble warns that LockBit is planning a comeback and may once again become the most active group this year.
Healthcare continues to be one of the most targeted sectors, with at least 33 attacks so far in 2025, behind construction (50) and professional services (47); sectors that have traditionally had relatively poor security. Attacks on IT and IT services companies are continuing in relatively high numbers (29), suggesting targeting due to the potential for attacks on their downstream clients.
With attack volume up year over year, it is clear that ransomware is here to stay, which means businesses need to continue to focus on strengthening their defenses, starting with improvements to baseline security. “Getting the basics right can go a long way toward reducing risk and limiting any cyberattacks that do occur,” suggests Cyble.
