Ransomware Attacks Surge in 2025, Driven by Russian-Linked Groups and AI Exploitation
In 2025, ransomware attacks claimed on dark-web leak sites jumped nearly 20%, reaching 6,883 incidents, while the number of leak sites themselves grew by a third to 115, according to Bitsight’s annual "State of the Underground" report. A small group of threat actors (10 in total, half tied to Russia) accounted for 58% of all attacks, highlighting a concentrated cybercriminal ecosystem.
The U.S. bore the brunt of the impact, with 60% of victims located in the country, while the manufacturing sector emerged as the most targeted industry. Meanwhile, traditional data breaches declined by 41%, though Bitsight attributed the drop to reporting gaps and shifting attacker tactics rather than reduced risk. Threat actors increasingly focused on "domino-effect" targets, including critical infrastructure, defense, government, and utilities.
A sectoral shift was also evident in breach trends: educational institutions suffered the most breaches (505), followed by government (475) and IT (469), a reversal from 2024, when IT led with 1,210 breaches. The report noted that breaches in 2025 were "more distributed" across industries handling PII, operational data, and supply chain assets.
AI’s dual role in cybersecurity became more pronounced. While defenders leveraged AI tools, hackers increasingly exploited them, with 5.1 million mentions of Google’s Gemini, 1.4 million of OpenAI’s ChatGPT, and hundreds of thousands more for Claude and Grok on cybercrime forums. Poorly secured AI platforms also created new vulnerabilities: publicly exposed AI tools surged 360%, exceeding 1 million instances, with n8n and Open WebUI, both plagued by serious flaws, leading the rise.
Bitsight warned that the shrinking window between vulnerability discovery and exploitation demands faster response times, as both attackers and defenders race to leverage AI for advantage. The report underscored that traditional patching schedules are no longer sufficient in this accelerated threat landscape.
Source: https://www.cybersecuritydive.com/news/ransomware-data-breaches-ai-bitsight/823649/
OpenText cybersecurity rating report: https://www.rankiteo.com/company/opentext
OpenAI cybersecurity rating report: https://www.rankiteo.com/company/openai
Bitsight cybersecurity rating report: https://www.rankiteo.com/company/bitsight
Google cybersecurity rating report: https://www.rankiteo.com/company/google
"id": "OPEOPEBITGOO1782318372",
"linkid": "opentext, openai, bitsight, google",
"type": "Vulnerability",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'manufacturing',
'location': 'U.S.',
'type': 'sector'},
{'industry': 'education', 'type': 'sector'},
{'industry': 'government', 'type': 'sector'},
{'industry': 'IT', 'type': 'sector'},
{'industry': ['critical infrastructure',
'defense',
'utilities'],
'type': 'sector'}],
'attack_vector': ['AI exploitation',
'vulnerable AI platforms',
'dark-web leak sites'],
'data_breach': {'personally_identifiable_information': 'PII',
'type_of_data_compromised': ['PII',
'operational data',
'supply chain assets']},
'date_detected': '2025',
'description': 'In 2025, ransomware attacks claimed on dark-web leak sites '
'jumped nearly 20%, reaching 6,883 incidents, while the number '
'of leak sites grew by a third to 115. A small group of threat '
'actors (10 in total, half tied to Russia) accounted for 58% '
'of all attacks. The U.S. bore the brunt of the impact, with '
'60% of victims, while the manufacturing sector was the most '
'targeted. Traditional data breaches declined by 41%, though '
'reporting gaps and shifting attacker tactics were noted. '
'Threat actors increasingly targeted critical infrastructure, '
"defense, government, and utilities. AI's dual role in "
'cybersecurity became more pronounced, with hackers exploiting '
'AI tools and poorly secured AI platforms creating new '
'vulnerabilities.',
'impact': {'data_compromised': ['PII',
'operational data',
'supply chain assets'],
'operational_impact': 'disruption of critical infrastructure, '
'defense, government, and utilities'},
'lessons_learned': 'The shrinking window between vulnerability discovery and '
'exploitation demands faster response times. Traditional '
'patching schedules are no longer sufficient in this '
'accelerated threat landscape.',
'motivation': ['financial gain', 'disruption of critical infrastructure'],
'post_incident_analysis': {'root_causes': ['AI exploitation by hackers',
'poorly secured AI platforms',
'concentrated cybercriminal '
'ecosystem']},
'references': [{'date_accessed': '2025',
'source': "Bitsight’s annual 'State of the Underground' "
'report'}],
'threat_actor': ['Russian-linked groups', 'cybercriminals'],
'title': 'Ransomware Attacks Surge in 2025, Driven by Russian-Linked Groups '
'and AI Exploitation',
'type': ['ransomware', 'data_breach'],
'vulnerability_exploited': ['poorly secured AI tools',
'n8n flaws',
'Open WebUI flaws']}