Ransomware and Supply Chain Attacks Hit Record Highs in 2025, Signaling Escalating Threats
2025 marked a sharp escalation in cyber threats, with ransomware and supply chain attacks reaching unprecedented levels, according to a new report from threat intelligence firm Cyble. The year saw 6,604 ransomware attacks, a 52% increase over 2024, with December alone recording 731 incidents, the second-highest monthly total of the year. Meanwhile, supply chain attacks surged by 93%, rising from 154 in 2024 to 297 in 2025, as threat actors increasingly exploited third-party vulnerabilities to maximize impact.
Ransomware Groups Adapt and Expand
Ransomware operations remained decentralized and resilient, with affiliates quickly regrouping under new leaders following law enforcement disruptions. Qilin emerged as the dominant group in 2025, claiming 17% of all ransomware victims after RansomHub’s decline, likely due to sabotage by rival group Dragonforce. Other top players included Akira, CL0P, Play, and the newcomer Sinobi, with only Akira and Play maintaining their positions from 2024.
Cyble documented 57 new ransomware groups, 27 extortion groups, and over 350 new ransomware strains in 2025, many derived from MedusaLocker, Chaos, and Makop families. Among the most aggressive new groups, Devman, Sinobi, Warlock, and Gunra disproportionately targeted critical infrastructure, particularly in government, law enforcement, energy, and utilities.
Supply Chain Attacks Evolve in Sophistication
Supply chain attacks not only doubled but also grew in complexity, moving beyond traditional software package poisoning to exploit cloud integrations, SaaS trust relationships, and vendor distribution pipelines. Attackers increasingly abused upstream services such as identity providers and package registries to compromise downstream environments at scale.
A notable example involved attacks on Salesforce via third-party integrations, where threat actors weaponized OAuth-based trust relationships after compromising third-party tokens. Every industry tracked by Cyble was affected, but IT and technology sectors bore the brunt, given their potential to amplify attacks across customer networks.
Geographic and Industry Targeting
The U.S. remained the most targeted nation, accounting for 55% of all ransomware attacks, followed by Canada, Germany, the UK, Italy, and France. By industry, construction, professional services, and manufacturing were the hardest hit, with healthcare and IT also facing significant threats.
As 2026 begins, the trends suggest no immediate slowdown, with ransomware and supply chain attacks continuing to evolve in both scale and sophistication.
Source: https://thecyberexpress.com/ransomware-and-supply-chain-attacks-set-record/