Ransomware Attacks Hit Record Highs in 2025 Despite Major Disruptions
A new study by Symantec and the Carbon Black Threat Hunter Team reveals that ransomware attacks surged to unprecedented levels in 2025, with threat actors adapting rapidly to law enforcement crackdowns and evolving their extortion tactics.
The report documented 4,737 claimed ransomware attacks, the highest annual total on record, despite the collapse of two major operations. RansomHub, the most active group at the time, abruptly shut down in April 2025, causing a brief dip in activity. However, former affiliates quickly migrated to other groups, restoring attack volumes within weeks. LockBit (tracked as Syrphid) also failed to recover after late-2024 law enforcement actions.
New leaders emerged to fill the void. Akira and Qilin each accounted for 16% of attacks, while Inc, Safepay, and the newly identified DragonForce contributed smaller but significant shares. The fluid movement of affiliates, access brokers, and tooling between groups sustained overall activity levels.
Beyond traditional encryption-based ransomware, extortion campaigns without encryption surged in 2025. These attacks, which focused on data theft and public leaks, pushed total extortion incidents to 6,182, a 23% increase from 2024. Snakefly’s Cl0p operation played a key role, exploiting vulnerabilities in enterprise software to target government and industrial sectors at scale.
Social engineering also became a dominant attack vector, with groups like ShinyHunters and Scattered Spider using phone-based impersonation, credential harvesting, and OAuth abuse to breach cloud environments. Attackers tricked employees into authorizing malicious apps or sharing authentication codes, reducing reliance on malware.
A new ransomware strain, Warlock, drew attention for its ties to older espionage tooling. Exploiting a zero-day in Microsoft SharePoint and using DLL sideloading, Warlock incorporated components linked to Chinese state-sponsored activity, blending ransomware with broader intrusion campaigns.
Despite these shifts, attack chains remained consistent. Threat actors relied on "living off the land" techniques, leveraging PowerShell, remote management tools, and credential dumping to evade detection. Malware often appeared late in the intrusion, just before encryption or data theft.
The findings underscore how ransomware operations continue to thrive, even as law enforcement disrupts key players, by diversifying extortion methods and exploiting shared infrastructure.
Source: https://www.helpnetsecurity.com/2026/01/16/ransomware-attacks-extortion-trends/
Qilin TPRM report: https://www.rankiteo.com/company/qilin
Akira TPRM report: https://www.rankiteo.com/company/akira-technologies-inc
LockBit TPRM report: https://www.rankiteo.com/company/lockbitscl
DragonForce TPRM report: https://www.rankiteo.com/company/drakontas-llc
Safepay TPRM report: https://www.rankiteo.com/company/safepay-limited
"id": "qilakilocdrasaf1768585619",
"linkid": "qilin, akira-technologies-inc, lockbitscl, drakontas-llc, safepay-limited",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['government',
                                     'industrial',
                                     'cloud services'],
                        'type': ['government', 'industrial', 'enterprise']}],
 'attack_vector': ['social engineering',
                   'zero-day exploit',
                   'DLL sideloading',
                   'OAuth abuse',
                   'credential harvesting',
                   'phone-based impersonation',
                   'vulnerability exploitation'],
 'data_breach': {'data_encryption': ['partial',
                                     'none (extortion-only attacks)'],
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information',
                                              'corporate data']},
 'date_detected': '2025',
 'date_publicly_disclosed': '2025',
 'description': 'A new study by Symantec and the Carbon Black Threat Hunter '
                'Team reveals that ransomware attacks surged to unprecedented '
                'levels in 2025, with threat actors adapting rapidly to law '
                'enforcement crackdowns and evolving their extortion tactics. '
                'The report documented 4,737 claimed ransomware attacks, the '
                'highest annual total on record, despite the collapse of two '
                'major operations. Extortion campaigns without encryption also '
                'surged, pushing total extortion incidents to 6,182, a 23% '
                'increase from 2024.',
 'impact': {'data_compromised': '6,182 extortion incidents (23% increase from '
                                '2024)'},
 'initial_access_broker': {'entry_point': ['social engineering',
                                           'zero-day exploits',
                                           'vulnerabilities'],
                           'high_value_targets': ['government',
                                                  'industrial sectors']},
 'lessons_learned': 'Ransomware operations continue to thrive despite law '
                    'enforcement disruptions by diversifying extortion '
                    'methods, exploiting shared infrastructure, and leveraging '
                    'social engineering and zero-day exploits.',
 'motivation': ['financial gain', 'data theft', 'espionage'],
 'post_incident_analysis': {'root_causes': ['law enforcement disruptions '
                                            'leading to affiliate migration',
                                            'exploitation of zero-day '
                                            'vulnerabilities',
                                            'social engineering tactics',
                                            'living off the land techniques']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': ['RansomHub',
                                      'LockBit',
                                      'Akira',
                                      'Qilin',
                                      'Inc',
                                      'Safepay',
                                      'DragonForce',
                                      'Warlock']},
 'references': [{'date_accessed': '2025',
                 'source': 'Symantec and Carbon Black Threat Hunter Team '
                           'Report'}],
 'threat_actor': ['RansomHub',
                  'LockBit (Syrphid)',
                  'Akira',
                  'Qilin',
                  'Inc',
                  'Safepay',
                  'DragonForce',
                  'Snakefly (Cl0p)',
                  'ShinyHunters',
                  'Scattered Spider',
                  'Warlock'],
 'title': 'Ransomware Attacks Hit Record Highs in 2025 Despite Major '
          'Disruptions',
 'type': ['ransomware', 'extortion'],
 'vulnerability_exploited': ['Microsoft SharePoint zero-day',
                             'enterprise software vulnerabilities']}