The ransomware landscape in 2025 has reached new heights, evolving from a cybersecurity issue into a strategic threat to national security and global economic stability.
This year saw a 34%-50% surge in attacks compared with 2024, with 4,701 confirmed incidents globally between January and September alone, underscoring ransomware as one of the most persistent and devastating cyber threats in modern history.
However, beneath the surface of these alarming statistics lies a paradox: while attack volumes have soared, ransom payment rates have plummeted to historic lows of 23-25%, forcing threat actors to reimagine their business models and extortion tactics fundamentally.
The year 2025 has been characterized by a dramatic fragmentation of the ransomware ecosystem following law enforcement disruptions of major operations such as LockBit and ALPHV/BlackCat, resulting in 45 newly observed groups and pushing the total number of active extortion operations to a record-breaking 85 distinct threat actors.
This decentralization has coincided with sophisticated evolutions in attack methodologies, including the widespread adoption of double and triple extortion tactics, AI-enhanced phishing campaigns, and targeted exploitation of cloud infrastructure and operational technology systems.
Most concerning has been the deliberate targeting of critical infrastructure sectors, with manufacturing, healthcare, energy, transportation, and finance accounting for 50% of all attacks, demonstrating how ransomware has transcended its criminal origins to become a weapon capable of destabilizing entire industries and threatening public safety.
The 2025 Ransomware Threat Landscape
Unprecedented Attack Volume and Global Reach
The ransomware economy in 2025 experienced a watershed moment, marked by unprecedented attack frequency and collapsing financial returns for cybercriminals. Between January and September 2025, researchers documented 4,701 confirmed ransomware incidents worldwide, representing a 34% increase over the same period in 2024.
By October, the cumulative total reached 6,330 cases exposed on dark web leak sites, a staggering 47% increase from the 4,293 cases recorded during the equivalent timeframe in 2024. This surge resulted in organizations experiencing an average of 1,984 cyberattacks per week in Q2 2025, with ransomware accounting for a significant share of these attacks.
Monthly trends revealed sustained escalation throughout the year. Ransomware attacks climbed to 623 incidents in October 2025 alone, up more than 30% from September and representing the second-highest monthly total on record, exceeded only by February 2025’s peak.
This marked the sixth consecutive monthly increase in ransomware activity, underscoring the persistent and accelerating nature of the threat. The global cadence of attacks reached such intensity that by Q3 2025, an organization somewhere in the world fell victim to ransomware approximately every 19 seconds on average.
Geographic targeting remained heavily concentrated in economically developed nations. The United States continued to bear the brunt of global ransomware activity, accounting for approximately 1,000 incidents, roughly 21% of all attacks in 2025.
Following the United States, Canada experienced 361 attacks, the second-most of any nation, followed by Germany, the United Kingdom, and Italy.
Of particular concern was the emergence of Australia as a top-five target, with the country experiencing a 67% increase in overall attack numbers as its rich resources and high per-capita GDP made it an increasingly attractive target for threat actors.
The Payment Rate Collapse: A Crisis for Cybercriminals
While attack volumes soared, the ransomware business model faced an existential crisis as victim organizations increasingly refused to pay extortion demands. In Q3 2025, only 23% of ransomware victims paid a ransom, with the rate dropping to a mere 19% for data theft incidents that involved no encryption.
By Q4 2024, incident response firm Coveware reported that the percentage of victims who paid ransoms fell to an all-time low of 25%, meaning three out of every four organizations were able to restore operations and manage incidents without funding criminals.
This dramatic decline in payment rates resulted from the convergence of three powerful forces: improved backup and recovery capabilities that reduced organizations’ dependence on paying for decryption keys, growing awareness that paying ransoms often fails to prevent data leaks or guarantee file recovery, and increasingly robust cybersecurity postures that enable faster detection and response.
The trend represented the most significant existential threat to the ransomware business model, as the crime relies fundamentally on a simple return-on-investment calculation. When conversion rates plummet, the entire economic model begins to fail, forcing attackers to work exponentially harder for each dollar obtained.
The financial impact was stark. Despite more attacks, total ransomware revenues fell by more than one-third year over year, with global payments declining from an estimated $1.1 billion in 2023 to approximately $813.6 million in 2024.
Average ransom payments in Q3 2025 plummeted to $376,941, down 66% from Q2 2025, while median payments fell 65% to $140,000. This reflected the intersecting dynamics of declining payment propensity and a fundamental market correction in the ransomware ecosystem.
However, for organizations that complied with extortion demands, the financial toll was unprecedented. The average ransom payment surged by 500% from approximately $400,000 in 2023 to $2.0 million in 2024, driven by the increasing prevalence of multi-million-dollar extortion events targeting large enterprises.
In 2024, 63% of ransom demands exceeded $1 million, indicating a pronounced shift among attackers toward high-value “big game” targets. A single record-breaking payment of $75 million was made in 2024, significantly raising the average and illustrating the high stakes involved in modern ransomware attacks.
The ransomware ecosystem in 2025 underwent a profound structural transformation characterized by unprecedented fragmentation and decentralization. The number of active data leak sites soared to a record-breaking 81 in Q3 2025, as smaller ransomware groups filled the gaps left by larger operations disrupted by law enforcement.
Throughout 2025, 45 newly observed ransomware groups emerged, with 14 new groups beginning to publish victims in Q3 alone. By September 2025, researchers attributed incidents to 66 different active groups, marking a five-year high in the number of distinct threat actors operating simultaneously.
This fragmentation followed the closure or dormancy of several major Ransomware-as-a-Service (RaaS) brands during 2025, including RansomHub (which ceased operations in April), along with operational disruptions affecting 8Base, BianLian, and Cactus. The market share of the top ten most active groups declined precipitously: in Q1 2025, they accounted for 71% of all data leak site postings, but their share fell to 63% in Q2 and just 56% by Q3.
This ongoing fragmentation eroded ransomware operators’ reliability, as victims traditionally relied on attackers’ reputations to supply decryption keys after payment. Large RaaS brands maintained commercial incentives to preserve credibility, but smaller, short-lived groups lacked such constraints, further contributing to declining payment rates.
New groups emerging in 2025 demonstrated sophisticated capabilities from inception. Notable entrants included Arkana Security, which rose to prominence after a major U.S. ISP breach; AiLock, suspected of being AI-assisted and deliberately marketing itself as such; Kairos/Kairos V2, focusing exclusively on data theft and extortion; and Weyhro, which employed distinctive interconnected laundering patterns.
The Ransomware-as-a-Service model continued to proliferate despite law enforcement pressure, lowering barriers to entry and enabling a wider range of criminals to participate in sophisticated operations.
Under this business model, developers lease ransomware tools to affiliates for a share of profits, typically 20-30%, making advanced attack capabilities accessible to actors who lack technical development skills. This franchise model fueled the surge in incidents and accelerated the diversification of the threat landscape.
Dominant Ransomware Groups and Their Evolution
Qilin: The New Market Leader
Its victim count rose to 179 in 2024 before quadrupling in 2025. By October 2025, Qilin had been the most active ransomware group for six consecutive months, with 210 victims in October alone, three times as many as second-place Akira.
Qilin operates as a highly sophisticated Ransomware-as-a-Service platform, utilizing Rust-based and C-language ransomware payloads supported by advanced features including Safe Mode execution, automated negotiation tools, and network propagation capabilities.
The group employs double extortion, encrypting victims’ files, demanding ransom for decryption, and exfiltrating sensitive data, threatening to release it even if the ransom is paid.
Part of Qilin’s meteoric rise was attributed to an influx of affiliates from defunct rival groups, particularly following RansomHub’s sudden cessation of operations in April 2025. This coincided with a 280% jump in Qilin’s attack claims, from 185 at the end of April to 701 by October.
The group’s targeting remained strategically focused on high-impact sectors. Manufacturers accounted for 143 confirmed attacks, service-based companies 108, finance firms 69, retailers 50, and construction companies 34.
Qilin demonstrated particular success exploiting unpatched Fortinet vulnerabilities, including CVE-2024-21762 and CVE-2024-55591, which enabled the group to breach FortiGate firewalls between May and June 2025.
The group’s operational maturity was further evidenced by its introduction of legal pressure tactics, threatening victims with regulatory reporting and stakeholder notification to maximize extortion leverage.
Notable Qilin attacks in 2025 included the devastating breach of UK-based pathology services provider Synnovis in June, which demanded a $50 million ransom and resulted in the theft of 400GB of patient data affecting more than 900,000 individuals.
The attack caused significant disruption to NHS hospitals across southeast London, forcing the cancellation of over 800 planned operations and 700 outpatient appointments, and was later confirmed as a contributory factor in a patient’s death. In France, Qilin’s attack on the Region Hauts-de-France affected 80% of the region’s high schools with system disruptions, with the group claiming to have stolen 1.1 TB of data.
Cl0p: Known for Exploiting 0-days
Cl0p (also written as CL0P) returned to prominence as the most prolific ransomware actor in Q1 2025, exploiting new zero-day vulnerabilities in Cleo-managed file transfer products to claim 392 publicly named victims, more than 300 of which resulted from the Cleo campaign alone.
The group, associated with the larger TA505 threat organization and active since 2019, has distinguished itself by relying strategically on mass data exfiltration and extortion rather than encryption, focusing instead on leveraging zero-day vulnerabilities in widely used third-party platforms to compromise service providers and subsequently access client data.
Cl0p’s operational evolution showcased a shift from traditional ransomware tactics to pure data extortion. The group specialized in exploiting SQL injection and authentication bypass vulnerabilities in file transfer software applications, conducting zero-day attacks en masse.
Following previous high-impact campaigns targeting GoAnywhere MFT in early 2023 and MOVEit Transfer in mid-2023, Cl0p’s 2025 activity centered on exploiting vulnerabilities CVE-2024-50623 and CVE-2024-55956 in Cleo’s Harmony, VLTrader, and LexiCom products beginning in December 2024.
In October 2025, Cl0p launched another major supply chain attack by exploiting a critical vulnerability (CVE-2025-61882) in Oracle E-Business Suite versions 12.2.3–12.2.14 to achieve remote code execution via server-side request forgery (SSRF).
The group forced targeted applications to fetch and execute malicious XSL payloads, using this as an entry point for data theft without deploying traditional ransomware encryption. This attack demonstrated Cl0p’s continued focus on high-value enterprise platforms and its ability to weaponize newly discovered vulnerabilities rapidly.
Cl0p’s attack methodology prioritized stealth and speed. The group typically gained access through zero-day exploits, moved laterally using tools like Mimikatz, PsExec, and Cobalt Strike, disabled Windows Defender and backup processes, exfiltrated data using custom tools like the Teleport exfiltration tool, and only selectively encrypted files when tactical value justified the additional step.
Since 2021, Cl0p largely shifted its operational model toward data extortion only, avoiding encryption in recent campaigns to remain singularly focused on mass data exfiltration without establishing persistence or deploying ransomware.
The group’s aggressive extortion tactics extended beyond traditional ransom demands to include distributed denial-of-service (DDoS) attacks and stakeholder harassment, contacting affected employees, customers, partners, and media to pressure breached companies into paying.
Cl0p’s success in supply-chain attacks enabled it to access thousands of victims simultaneously; the MOVEit Transfer vulnerability alone affected more than 3,000 U.S. entities and 8,000 organizations globally in 2023. Since its emergence in 2019, Cl0p has extorted over $500 million in ransom payments and directly affected thousands of organizations and tens of millions of individuals worldwide.
LockBit: The Resilient Phoenix
LockBit demonstrated remarkable resilience in 2025, resurfacing after being disrupted by Operation Cronos in early 2024 and reemerging with LockBit 5.0 (also called “ChuongDong”) in September 2025. Until its takedown, LockBit was the most dominant RaaS operation globally, responsible for 20-30% of all data leak site victim postings.
Following law enforcement action that compromised the administration panel and led to arrests and data seizures, competing ransomware programs like RansomHub and Qilin attempted to absorb LockBit affiliates. However, LockBit’s administrator, LockBitSupp, evaded capture and maintained public defiance, posting in May 2025 on the RAMP forum: “We always rise up after being hacked”.
By August 2025, LockBitSupp reappeared claiming the group was “getting back to work,” a statement that proved accurate when Check Point Research confirmed the revived operation targeted at least a dozen organizations throughout September 2025.
Half of these victims were infected with the new LockBit 5.0 variant, while the rest were targeted with LockBit 3.0 (also known as LockBit Black). The attacks spanned Western Europe, the Americas, and Asia, affecting both Windows and Linux systems—clear evidence that LockBit’s infrastructure and affiliate network were once again fully operational.
LockBit 5.0 introduced several technical enhancements designed to improve efficiency, security, and stealth. Key updates included multi-platform support with new builds for Windows, Linux, and ESXi; stronger evasion mechanisms, incorporating enhanced anti-analysis features to obstruct forensic investigation; faster encryption through optimized routines that reduced response times for defenders; and new identifiers, using randomized 16-character file extensions to evade detection.
The ransomware also preserved core functionalities to maintain operational consistency while introducing significant improvements aimed at complicating analysis and delaying development of detection signatures.
To rejoin the operation, affiliates were required to deposit approximately $500 in Bitcoin for access to control panels and encryptors—a model aimed at maintaining exclusivity and vetting participants. Updated ransom notes identified themselves as LockBit 5.0 and included personalized negotiation links, granting victims a 30-day deadline before stolen data would be published.
The group’s Ransomware-as-a-Service model successfully reactivated its affiliate base, with attacks observed on both Windows systems (approximately 80% of targets) and ESXi/Linux environments (approximately 20%).
Despite reputational damage from the law enforcement operation and the public release of internal affiliate and victim data, LockBit’s resurgence for its sixth anniversary demonstrated the group’s determination to maintain its market position.
However, the group faced continued pressure: in May 2025, LockBit’s infrastructure was breached again and defaced, resulting in a data dump exposing Bitcoin wallet addresses, public encryption keys, internal chat logs with victims, affiliate details, and other sensitive information.
Play: Rapid Expansion and Persistent Threat
The Play ransomware group emerged as one of the most active and dangerous threat actors in 2024 and 2025. First appearing in mid-2022, Play (also known as Playcrypt or Balloonfly) accelerated its operations dramatically, attacking approximately 900 organizations by May 2025—a threefold increase from the roughly 300 organizations compromised when CISA and the FBI issued their previous advisory in December 2023.
The group was among the most active ransomware operators in 2024 and maintained that status into 2025. Play operates as a closed ransomware group designed to “guarantee the secrecy of” operations, conducting attacks in North America, South America, and Europe across multiple sectors, including healthcare providers, manufacturing, IT services, and critical infrastructure entities.
The group employs double extortion tactics, stealing sensitive data before encrypting files and demanding ransoms both for decryption keys and to prevent publication of exfiltrated information. Victims are sent ransom demands requiring them to contact the group via email addresses ending in @gmx.de or @web.de, with ransoms paid in cryptocurrency to wallet addresses provided by Play actors.
The group’s initial access methods include abusing credentials for valid accounts, exploiting vulnerabilities in public-facing applications (particularly FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and Microsoft Exchange vulnerabilities CVE-2022-41040, CVE-2022-41082), and leveraging Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs).
In a significant escalation, Play threat actors exploited CVE-2025-29824, a privilege escalation flaw in Microsoft Windows’ Common Log File System (CLFS) driver, as a zero-day before Microsoft patched the vulnerability.
Play’s technical sophistication is evidenced by its use of specialized tools and evasion tactics. The group employs AdFind for running Active Directory queries, Grixba (a custom information stealer) to enumerate network information and scan for anti-virus software, GMER, IOBit, and PowerTool for removing log files and disabling security software, PowerShell scripts to disable Microsoft Defender, PsExec for lateral movement and file execution, and Mimikatz for obtaining domain administrator credentials.
Play recompiles its ransomware binary for each attack, resulting in unique hashes for each deployment and complicating anti-malware detection. Notable Play victims included Microsoft Cuba, the City of Oakland, the Swiss government, and Dallas County, with some attacks having international repercussions impacting hundreds of thousands of customers simultaneously.
The group distributes ransomware payloads across systems via Group Policy Objects executed as scheduled tasks, enabling systematic encryption of files across networks while evading detection by most endpoint security solutions.
Play offers complete secrecy to companies that pay ransom fees, while those that refuse payment immediately have all data published online and exploit details posted to the group’s Tor blog.
Akira: The Fast-Rising Mid-Market Threat
Akira emerged as a fast-rising threat supporting attacks on both Windows and Linux environments, increasingly targeting mid-sized businesses through a growing Ransomware-as-a-Service model. The ransomware variant, first identified in Q1 2023, employs ChaCha2008 encryption and infiltrates systems via phishing emails and VPN vulnerabilities.
Akira remained consistently among the most active groups throughout 2025, claiming the second-most victims in October with 70 attacks, and showing a 9.7% increase in activity in June compared to previous months.
The group utilizes sophisticated tactics, including LOLBins (Living Off the Land Binaries) and credential dumping, to evade detection and gain privileges, while employing intermittent encryption to avoid security solutions and deleting shadow copies to hinder recovery.
Akira’s attack chain typically involves initial access through compromised credentials or phishing, reconnaissance using tools like Sharphound and ADFind, credential theft via Mimikatz and Rubeus to conduct AS-REP Roasting and Kerberoasting attacks, lateral movement using SMB transfers and RDP, data exfiltration before encryption, and final ransomware deployment with demands ranging from moderate to substantial amounts depending on the target’s profile.
Throughout 2025, Akira demonstrated adaptability and persistence across diverse sectors. The group targeted critical infrastructure, including healthcare providers, manufacturing facilities, professional services firms, and technology companies.
In July 2025, Akira was attributed to a ransomware attack on Russian alcohol retailer WineLab, forcing the company to shut down retail operations and online services and severely disrupting IT infrastructure and customer services. The group’s affiliates received up to 80% of ransom proceeds, incentivizing aggressive recruitment and sustained attack volumes.
RansomHub: The Meteoric Rise and Sudden Fall
RansomHub achieved remarkable prominence before its sudden cessation in April 2025, becoming the most prolific ransomware variant among public reports on leak sites from January through March 2025.
Unit 42 tracked the group distributing RansomHub as Spoiled Scorpius, and Bitsight estimated the operation conducted 534 attacks in 2024 with over 15,000 Telegram mentions, 315 Pastebin mentions, and 148 Reddit mentions. The group was suspected of recruiting former affiliates of ALPHV/BlackCat following that operation’s exit scam after the Change Healthcare attack.
RansomHub operators leveraged social engineering attacks, particularly phishing, password spraying, and exploitation of CVEs, for initial access. Once inside victim environments, affiliates deployed Mimikatz to extract login credentials in bulk, then escalated privileges and moved laterally using Remote Desktop Protocol (RDP), AnyDesk, Metasploit, PsExec, N-able, and Cobalt Strike, among other command-and-control frameworks.
In November 2024, a new attack chain attributed to RansomHub emerged involving phishing emails with malicious attachments, using obfuscated NODESTEALER Python scripts to deliver encrypted XWORM files that loaded additional encrypted shellcode into memory.
Notable RansomHub attacks included a February 21, 2024, assault on Change Healthcare just weeks after the company was previously targeted by ALPHV/BlackCat, with affiliates claiming to have stolen four terabytes of sensitive data and demanding payment within 12 days or threatening to sell the data to the highest bidder.
In another incident in Q4 2024, RansomHub affiliates were observed deploying disk wiping techniques and using BitLocker pre-boot authentication to encrypt target drives and disable recovery and boot capabilities.
However, RansomHub’s operations abruptly halted in April 2025 under circumstances that remain unclear. On April 1, 2025, security researchers observed that RansomHub’s client communication portal, which is frequently used to negotiate ransomware demands with victims, had gone offline. Speculation suggested a dispute may have arisen between RansomHub’s core members and its affiliates, with some researchers believing certain members defected to Qilin.
In May 2025, the DragonForce threat actor claimed to have taken control of RansomHub and announced plans to launch a white-label branding service allowing affiliates to disguise DragonForce ransomware as different strains for an additional fee, with DragonForce taking a 20% share of successful payouts.
BlackSuit: The Royal Rebrand
BlackSuit emerged in May 2023 as a rebrand of the Royal ransomware family, believed to consist of Russian and Eastern European hackers operating as a private group with no public affiliates. By the time of the rebrand, Unit 42 researchers had observed at least 93 victims globally with an upward trend in successful compromises shared on the group’s leak site, suggesting an overall ramping up of operations.
BlackSuit payloads contain many technical similarities to Royal ransomware, including similar encryption mechanisms, command-line parameters, and the preservation of the double extortion playbook.
The group employs sophisticated tactics, including vishing (voice phishing) to steal VPN credentials for initial access, performing DCSync attacks on domain controllers for high-privilege credentials, deploying AnyDesk and custom RATs for persistence, wiping forensic traces with CCleaner, and using Ansible to deploy BlackSuit ransomware across ESXi hosts encrypting hundreds of virtual machines and causing major operational disruption.
BlackSuit’s multi-threaded approach and aggressive file system scanning allow it to encrypt data extremely quickly, with researchers observing the ransomware initiating encryption within seconds of execution and completing file-locking across corporate networks in just minutes.
BlackSuit’s ransom demands typically ranged from $1 million to $10 million in Bitcoin, with the highest recorded demand reaching $60 million. In total, the group reportedly demanded over $500 million from victims within two years of activity.
High-profile attacks included an April 2024 assault on Octapharma Plasma that disrupted operations at over 160 blood plasma donation centers across the United States, and a June 2024 attack on CDK Global a software provider for approximately 15,000 North American car dealerships—causing widespread operational disruptions and estimated losses of $1 billion.
The group operates a dark web leak site where they publish victims’ names and stolen data to extort payment, leveraging the threat of reputational damage and regulatory violations. BlackSuit’s targeting spans multiple sectors, including healthcare, education, IT, government, retail, and manufacturing, though the group does not appear to focus on any particular industry.
In July 2025, international law enforcement from the United States and nine partner countries seized part of BlackSuit’s dark web infrastructure as part of ongoing efforts to disrupt ransomware operations.
Scattered Spider: The Identity Hijacking Specialists
The group, associated with the larger hacking collective known as “The Community” or “The Com,” has evolved from basic credential phishing to full-scale ransomware operations, establishing strategic alliances with major ransomware operators, including ALPHV, RansomHub, and DragonForce, to gain access to infrastructure, deployment tools, and ransom negotiation platforms.
A joint advisory from leading global cybersecurity agencies, including Australia’s ASD and ACSC, the FBI, CISA, and the UK’s NCSC—released in July 2025 revealed a sharp escalation in Scattered Spider’s activities, with enhanced use of ransomware, social engineering, and credential theft.
The group now deploys DragonForce ransomware, marking a shift from pure extortion via data theft to full encryption of enterprise systems, particularly targeting VMware ESXi servers and demanding payment via TOR, Tox, email, or encrypted apps.
Scattered Spider specializes in exploiting human trust through advanced social engineering strategies, including SIM swapping, push bombing (MFA fatigue attacks), and vishing—frequently posing as help desk or IT staff to gather credentials.
In recent campaigns, threat actors impersonated employees across multiple calls to IT service desks to reset passwords and redirect MFA prompts to attacker-controlled devices, leading to full account takeovers inside Single Sign-On (SSO) environments. Their phishing domains mimic real services (e.g., targetsname-okta.com, targetsname-helpdesk.com) to add legitimacy to impersonation tactics.
The group’s malware arsenal includes AveMaria/WarZone RAT for remote system access, Raccoon Stealer and VIDAR for harvesting browser credentials and cookies, RattyRAT (a stealthy Java-based remote access trojan), and DragonForce Ransomware for post-exfiltration encryption.
Scattered Spider heavily relies on living off the land (LOTL) tactics and legitimate tools repurposed for malicious ends, including Ngrok, Tailscale, and ScreenConnect to tunnel traffic and evade perimeter detection.
The group also infiltrates internal communications platforms, including Microsoft Teams, Exchange Online, and Slack, sometimes joining incident response calls in real time to monitor and adapt to countermeasures.
In 2025, Scattered Spider announced plans to launch its own Ransomware-as-a-Service offering called “ShinySp1d3r RaaS,” claiming it would be “the best RaaS to ever live” and putting organizations at risk of both data theft and encryption. The group’s 70% targeting focus on technology, finance, and retail trade sectors makes these industries especially vulnerable to credential theft and ransomware attacks.
Research revealed that 81% of Scattered Spider’s domains impersonate technology vendors, targeting high-value credentials like those of system administrators and executives. In July 2025, four individuals in the UK aged between 17 and 20 were arrested in connection with Scattered Spider ransomware attacks that disrupted operations at major retailers Marks & Spencer, Co-op, and Harrods.
Emerging Threat Groups
Beyond the dominant players, 2025 witnessed the rapid emergence of several notable new ransomware operations. Sinobi achieved a remarkable third-place showing with 69 victims claimed by October 2025, representing rapid ascendance for a group that first emerged only in July 2025.
DragonForce surged in 2025, breaking victim records through aggressive recruiting and advertising on dark-web forums, offering affiliates up to 80% of ransom proceeds plus ransomware builders for Windows, Linux, ESXi, and NAS platforms.
The group reused LockBit and Conti code, swapped payloads to evade defenses, and employed Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to disable security tools. DragonForce attacks spiked 212.5% in June 2025 compared to previous months, and the group announced a ransomware cartel claiming control of RansomHub along with a white-label branding service.
Medusa emerged as a rising threat specifically targeting public institutions including school systems and regional governments, using data leaks and extortion tactics that heavily impact public services and infrastructure.
The group operates as a RaaS variant that grew significantly since 2023, claiming hundreds of victims and becoming a top-ten ransomware actor. Medusa typically pays Initial Access Brokers (IABs) to provide credentials and sensitive data enabling access, though the group also conducts phishing campaigns and exploits public-facing vulnerabilities independently.
In October 2025, Medusa was observed chaining an unauthenticated deserialization remote code execution vulnerability in GoAnywhere MFT (CVE-2025-10035) to gain initial access, then maintaining persistence by abusing RMM tooling (SimpleHelp and MeshAgent) and creating .jsp web shells in MFT directories.
The Gentlemen gained attention through updates to their Windows, Linux, and ESXi lockers announced by threat actor Zeta88 in October 2025, adding automatic self-restart and run-on-boot capabilities, silent mode for Windows that encrypts without renaming files while preserving timestamps, and self-spread capabilities across networks/domains using WMI/WMIC, SCHTASKS, SC (Service Control), and PowerShell Remoting.
INC Ransom emerged as the most active ransomware strain targeting healthcare providers in 2025, claiming 39 attacks with 15 confirmed, while also demonstrating significant targeting of healthcare businesses.
Attack Vectors and Infection Methodologies
Phishing and Social Engineering: The Dominant Entry Point
Phishing and social engineering remained the most prevalent initial access vectors for ransomware attacks in 2025, with studies indicating these tactics accounted for approximately 46-67% of successful breaches. According to Verizon’s Data Breach Report, 74% of all breaches began with a social engineering attack, underscoring the critical role of human manipulation in modern cyber operations.
The Cybersecurity and Infrastructure Security Agency (CISA) defines social engineering as attacks where adversaries use human interaction and social skills to obtain or compromise information about organizations or computer systems.
Ransomware operators in 2025 increasingly employed sophisticated phishing techniques enhanced by artificial intelligence. CrowdStrike’s 2025 ransomware report revealed that 87% of security professionals believed AI makes phishing lures more convincing, with deepfakes emerging as a major driver of future ransomware attacks.
GenAI-enabled attackers to automate key tasks and write code to streamline operations, with ThreatLabz uncovering evidence of how one notorious threat group used ChatGPT to support the execution of attacks. These AI-powered capabilities allowed for the generation of highly convincing phishing emails tailored to specific recipients, automation of vulnerability scanning and exploitation, and customization of ransom notes based on victim profiles.
The targeting became more personalized and strategic. Ransomware threat actors largely shifted away from traditional large-scale spam campaigns toward more tailored attacks that impersonated IT staff to target employees with privileged access.
This evolution was exemplified by former Black Basta affiliates who resurfaced in 2025, using techniques that incorporated Microsoft Teams phishing, Python scripting, and social engineering messages posing as IT support, prompting victims to initiate remote access tools such as Quick Assist or AnyDesk. Following access establishment, Python scripts retrieved through cURL requests established command-and-control communications.
Phishing emails frequently contained malicious attachments with Office documents employing malicious macros, with anti-phishing solutions and employee training identified as critical defenses against this attack vector. The sophistication extended beyond email to include vishing (voice phishing) campaigns, with BlackSuit operators employing vishing to steal VPN credentials for initial access.
The Vanilla Tempest campaign demonstrated how threat actors combined multiple vectors, distributing fake Microsoft Teams installers hosted on look-alike domains with fraudulently signed certificates, delivering the Oyster backdoor, and ultimately Rhysida ransomware before Microsoft disrupted the operation in early October by revoking more than 200 certificates.
Exploitation of Unpatched Vulnerabilities
Exploitation of known CVEs as initial ingress methods increased dramatically during 2025, with ransomware actors aggressively weaponizing critical vulnerabilities in widely deployed software and network infrastructure.
Among the most heavily targeted vulnerabilities were CVE-2025-61882 in Oracle E-Business Suite (exploited by Cl0p for remote code execution via SSRF), CVE-2025-10035 in GoAnywhere MFT (chained by Medusa for unauthenticated deserialization RCE), CVE-2024-50623 and CVE-2024-55956 in Cleo’s Harmony, VLTrader, and LexiCom file transfer products (mass-exploited by Cl0p), and CVE-2025-29824 in Windows Common Log File System (used as zero-day by Play ransomware).
Fortinet vulnerabilities received particular attention, with the Qilin ransomware group launching attacks that exploited CVE-2024-21762 and CVE-2024-55591 on FortiGate firewalls between May and June 2025. Play ransomware historically exploited FortiOS vulnerabilities CVE-2020-12812 and CVE-2018-13379, along with Microsoft Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.
These exploitation patterns demonstrated ransomware operators’ sophistication in rapidly incorporating newly disclosed vulnerabilities into their attack arsenals, often achieving weaponization within days or even hours of public disclosure.
The targeting of zero-day vulnerabilities represented an escalating threat throughout 2025. Cl0p distinguished itself by repeatedly exploiting zero-day vulnerabilities in managed file transfer platforms, following previous campaigns against Accellion’s File Transfer Appliance (2020-2021), Fortra’s GoAnywhere MFT (2023), and MOVEit Transfer (2023).
These supply-chain-style attacks proved “ruthlessly efficient,” enabling Cl0p to target hundreds of victims simultaneously by scanning the internet for vulnerable servers and fully automating exploitation, as demonstrated when the group exploited approximately 2,500 exposed MOVEit servers in a compressed timeframe.
The persistent exploitation of unpatched systems reflected broader challenges in vulnerability management. Patching these vulnerabilities remained critical to making it more difficult for ransomware groups to gain initial footholds within organizational networks.
However, the window of opportunity for defenders continued shrinking as attackers accelerated their exploitation timelines, with some groups deploying attacks within hours of vulnerability disclosures or, in the case of zero-days, before patches were even available.
Compromised Credentials and Access Broker Services
Compromised credentials emerged as the second most common perceived attack vector, involved in approximately 23-25% of ransomware incidents in 2025.
Groups such as Black Basta, RansomHub, and DragonForce increasingly relied on compromised or weakly secured credentials as primary intrusion vectors, utilizing automated brute-forcing frameworks and credential-stuffing techniques to systematically target network perimeter devices, including VPNs, firewalls, and remote desktop services.
Black Basta’s leaked chat logs revealed extensive use of an automated brute-force framework referred to as “BRUTED” to target widely used enterprise edge devices such as Palo Alto Networks GlobalProtect, Cisco AnyConnect, and Fortinet SSL VPN.
The rise of Initial Access Brokers (IABs) fundamentally transformed the ransomware ecosystem by commoditizing the initial breach phase. IABs utilized credential stuffing, phishing, and other techniques to gather datasets before advertising them on cybercrime marketplaces.
Medusa ransomware typically pays IABs to provide user credentials and sensitive data, enabling access, accelerating attacks by allowing the group to focus on encryption, exfiltration, and ransom negotiation rather than gaining initial network access. This division of labor professionalized ransomware operations and lowered technical barriers to entry.
Credential theft tools proliferated throughout 2025. Scattered Spider’s arsenal included Raccoon Stealer and VIDAR for harvesting browser credentials and cookies, while many groups deployed Mimikatz for dumping credentials from memory after gaining initial access.
The Warlock ransomware operation installed outdated versions of the open-source Velociraptor tool on multiple servers to establish stealthy persistence and remote control, using it alongside pre-existing vulnerabilities and Group Policy Object modifications to disable defenses before deploying multiple ransomware variants.
The exploitation of Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services represented another critical credential-based attack vector. RansomHub operators in January 2025 made multiple authentication attempts to retrieve valid credentials, with plausible entry through Remote Desktop web servers, followed by RDP connections to pivot to other network devices.
LockBit operators frequently gained initial access by exploiting vulnerable RDP servers or using compromised credentials purchased from affiliates, with additional vectors including phishing emails with malicious attachments or links and brute-forcing weak RDP or VPN passwords.
Remote Access Tool Abuse and Living-Off-The-Land Techniques
A defining characteristic of 2025 ransomware operations was the widespread abuse of legitimate Remote Monitoring and Management (RMM) tools and remote access software.
Ransomware operators increasingly hijacked or silently installed legitimate tools such as AnyDesk, RustDesk, Splashtop, TightVNC, TeamViewer, Tactical RMM, and Pulseway after credential compromise to gain persistent, stealthy access.
These trusted channels facilitated file transfer, interactive control, antivirus neutralization, and ransomware delivery while evading detection by security systems designed to identify malicious binaries.
Attack paths typically involved credential theft or brute force, modifying existing tool configurations or using silent install flags, escalating privileges to SYSTEM level, disabling defenses, and propagating tools across networks to support lateral movement and final encryption.
Scattered Spider established persistence by registering new MFA tokens and deploying RMM tools including TeamViewer, Tactical RMM, AnyDesk, and Pulseway, while also manipulating SSO identity providers. The group’s hybrid use of legitimate and malicious software created serious detection challenges for defenders.
Living-off-the-land (LOTL) tactics became increasingly prevalent as ransomware affiliates sought to blend into legitimate operations and evade behavioral detection. The ELENOR-corp ransomware operation reflected growing sophistication by blending commodity malware with custom tooling, employing modular payload staging, layered obfuscation, and stealthy data exfiltration while demonstrating patience in carefully setting up infrastructure before detonating final payloads.
Future ransomware campaigns were assessed as likely to continue adopting modular architectures and LOTL techniques to blend into legitimate operations, with groups increasing focus on stealthy credential harvesting and exfiltration prior to encryption.
Play ransomware affiliates made extensive use of living-off-the-land and publicly available tools in their attack chains, utilizing built-in Windows utilities like systeminfo and nltest for enumeration, PowerShell for various execution tasks, and legitimate system administration tools for lateral movement.
The FOG ransomware operation demonstrated similar approaches with incorporation of political themes and impersonation tactics suggesting future variants would intensify social engineering while expanding through trusted services or compromised third parties.
Cloud and Virtual Infrastructure Targeting
Ransomware actors in 2025 significantly expanded targeting of cloud environments and virtualized infrastructure, adapting tactics to impact more data across victim networks. Cybercriminals such as Bling Libra (distributors of ShinyHunters ransomware) and Muddled Libra gained access to cloud environments by exploiting misconfigurations and finding exposed credentials.
Scattered Spider specialized in targeting Snowflake databases, launching thousands of queries in quick succession to exfiltrate massive datasets, while also creating new Amazon EC2 instances, activating AWS Systems Manager, and deploying custom ETL tools to centralize exfiltrated data.
The proliferation of ransomware payloads capable of running on multiple platforms became standard practice. Ransomware groups increasingly developed or modified malware to target not just Windows but also Linux, hypervisors (particularly VMware ESXi), and even macOS.
This cross-platform approach, observed as the norm among ransomware threat groups, dramatically expanded attack surfaces and complicated defensive strategies. LockBit 5.0 introduced multi-platform support with new builds for Windows, Linux, and ESXi systems, while Play developed separate Windows and ESXi variants with unique hashes for each deployment.
ESXi hypervisors received particular attention due to their central role in enterprise virtualization. Groups including Scattered Spider, RansomHub, and BlackSuit deliberately targeted ESXi environments—systems that power companies’ servers and digital operations but often operate under the radar of traditional security tools.
BlackSuit incorporated a -killvm function specifically to shut down VMware ESXi virtual machines and encrypt them, extending attacks to private cloud servers and enabling encryption of hundreds of VMs simultaneously. The Three AM ransomware group used phone calls to spoof targeted organizations’ IT department numbers, deceiving employees into allowing remote access to computers that facilitated ESXi targeting.
This shift toward cloud and virtual infrastructure represented a strategic evolution recognizing that virtualized environments often concentrated vast amounts of critical data and services while maintaining weaker security postures than traditional endpoints. The targeting of hypervisor layers allowed attackers to bypass security tools deployed at the guest operating system level, achieving maximum impact with minimal detection.
Data Exfiltration and Leak Sites: Psychological Warfare
The proliferation of dedicated data leak sites (DLS) transformed ransomware into a form of psychological warfare, leveraging reputational damage and regulatory violation threats to pressure victims into payment.
The number of active data leak sites soared to a record-breaking 81 in Q3 2025, with ransomware groups’ unique targeting preferences and techniques making attacks increasingly unpredictable and harder to defend against.
These sites served dual purposes: demonstrating proof of compromise by publishing sample data from victims who refused to negotiate, and creating urgency through countdown timers indicating when full datasets would be released publicly.
Qilin reportedly claimed to have stolen more than 11.1 terabytes of data overall across its operations, with roughly 8 terabytes from its attack on Israel’s Shamir Medical Center alone, for which the group demanded a $700,000 ransom in exchange for data deletion.
Cl0p operated dedicated leak sites where victims were listed if they refused ransom demands, with the group even creating clearweb sites to leak data stolen during MOVEit Transfer attacks, including sites for PwC, Aon, EY, Kirkland, and TD Ameritrade where data was posted in spanned ZIP archives.
INC Ransom claimed to have stolen over 20.1 terabytes of data in attacks on healthcare businesses, primarily from incidents targeting Singular Genomics and Deerfield Management.
The psychological impact of potential data exposure proved especially powerful in sectors handling highly sensitive information. Healthcare providers faced catastrophic scenarios where patient data leakage could expose protected health information, medical records, diagnoses, and treatment details—information with profound privacy implications and significant regulatory penalties.
In the June 2024 Synnovis attack, Qilin published “proof packs” of confidential information on their darknet site showing sensitive patient details including names, dates of birth, NHS numbers, and blood test descriptions to pressure the pathology provider into paying a $50 million ransom.
The effectiveness of leak site pressure varied by sector and regulatory environment. Organizations in jurisdictions with strict data protection regulations like GDPR faced enormous liability from data exposure, creating strong incentives to prevent publication even if decryption could be achieved through other means.
However, as 2025 progressed, several high-profile data exfiltration campaigns proved “largely unfruitful for attackers despite widely reported impact on victim organizations,” as entities increasingly understood that paying to suppress stolen data proliferation offered minimal practical utility.
Sectoral Targeting and Operational Disruption
Critical Infrastructure Under Siege
Ransomware attacks against critical infrastructure sectors reached alarming levels in 2025, with 2,332 incidents targeting essential industries between January and September, representing 50% of all ransomware attacks globally and marking a 34% year-over-year increase.
This concentration underscored how adversaries systematically exploited weaknesses in infrastructure vital to national resilience, economic stability, and public safety. The manufacturing sector experienced the sharpest growth with attacks surging 61% compared to the previous year, while healthcare, energy, transportation, and financial services also faced relentless targeting.
The strategic focus on critical infrastructure reflected deliberate threat actor prioritization based on maximum disruption potential and payment likelihood. These sectors hold sensitive data like intellectual property and financial records, operate outdated systems or maintain limited security budgets, and include many smaller businesses with weaker cybersecurity measures making them both easy and profitable targets.
Critical infrastructure organizations also face enormous pressure to restore operations quickly due to public safety implications, creating urgency that ransomware actors exploit to extract higher ransom payments.
In October 2025, approximately 31 incidents potentially impacted critical infrastructure, with 26 incidents carrying possible supply chain implications. The month also marked the rise of industrial extortion, exemplified by the Asahi Breweries incident, where ransomware caused direct operational disruption beyond mere data encryption.
Overall, October 2025 underscored a new phase of technical sophistication and industrial targeting, as ransomware evolved from data encryption to strategic business disruption, leveraging downtime, reputational damage, and financial pressure as primary extortion tools.
Future ransomware campaigns were assessed as likely to focus on synchronized disruptions across IT and operational technology (OT) systems, exploiting production scheduling, logistics, and order management dependencies. The next wave of industrial ransomware could incorporate automation-aware payloads capable of halting supply chains at scale to amplify negotiation pressure.
Modern ransomware strains now target industrial control systems (ICS) and SCADA systems directly, focusing on components like programmable logic controllers (PLCs) and human-machine interfaces (HMIs) to shut down OT systems entirely.
Ransomware operations should be understood not solely as financially motivated attacks but also as tactical instruments capable of disrupting victim operations while inflicting financial and reputational damage. In critical industries, such disruptions can have national-level consequences, undermining essential operations and eroding public trust.
Healthcare: Maximum Impact, Maximum Suffering
The healthcare sector endured particularly devastating ransomware attacks in 2025, with 293 attacks on healthcare providers and 130 attacks on healthcare businesses recorded in the first nine months alone.
While attacks on healthcare providers remained relatively stable compared to 2024, incidents targeting healthcare businesses rose by 30%, reflecting a strategic shift as cybercriminals exploited the interconnected nature of healthcare ecosystems.
Healthcare businesses including pharmaceutical manufacturers, medical billing providers, and healthcare technology companies often serve multiple providers, giving hackers access to larger numbers of organizations through single central targets and increasing the scope of ensuing data breaches.
The healthcare sector’s vulnerability stemmed from multiple factors: high sensitivity of medical data making it valuable for extortion, critical dependence on operational continuity where delays can directly impact patient care, often outdated IT infrastructure with limited security resources, and high likelihood of payment due to regulatory pressures and patient safety concerns.
Healthcare providers hit by ransomware in 2024 showed a concerning 53% payment rate significantly higher than many other sectors—with median ransom payments of $1.5 million and averages soaring to $4.4 million. Attackers proved particularly successful at neutralizing primary defenses in healthcare, achieving a 66% success rate in compromising or destroying backups and effectively forcing victims’ hands.
The most prolific ransomware strains targeting healthcare providers in 2025 included INC (39 attacks with 15 confirmed), Qilin (34 attacks with 14 confirmed), SafePay (21 attacks), RansomHub (13 attacks with 6 confirmed), and Medusa (13 attacks with 8 confirmed). For healthcare businesses, Qilin led with 19 attacks (4 confirmed), followed by KillSec (12 attacks, 2 confirmed), Akira (10 attacks, 2 confirmed), INC (9 attacks), and SafePay (7 attacks).
When measured by volume of data stolen rather than incident count, Interlock was responsible for the largest number of compromised records among healthcare providers with 2,735,407 records breached—primarily from an attack on DaVita—while Qilin claimed to have stolen the largest volume of data overall at more than 11.1 terabytes.
The operational impact extended far beyond individual incidents. The first quarter of 2025 saw 158 ransomware attacks on the health sector, marking a slight increase from 154 in Q4 2024 and continuing an upward trend from 109 incidents in Q3 2024. These attacks accounted for approximately 6.5% of the 2,429 total ransomware attacks reported across all sectors during the same period.
Cross-border ransomware attacks targeting health care providers and mission-critical third-party services caused significant disruption and delay to healthcare delivery, resulting in risks to patient and community safety as loss of access to on-premises and cloud-based information, medical technologies, and operational systems forced organizations to shut down internal networks and disconnect from the internet.
Adversaries adapted their tactics specifically for healthcare targets. The proportion of healthcare providers hit by extortion-only attacks—where data wasn’t encrypted but ransoms were still demanded—tripled to 12% of attacks in 2025 from just 4% in 2022-2023, representing the highest rate reported in surveys and likely reflecting the high sensitivity of medical data, including patient records.
This evolution demonstrated how threat actors recognized that the mere threat of exposing protected health information could be as effective as operational disruption through encryption.
Major Ransomware Incidents of 2025
The ransomware attack on Change Healthcare in February 2024 stood as the most significant and consequential cyberattack against the U.S. healthcare system in history, with ramifications extending throughout 2025.
Change Healthcare, a subsidiary of UnitedHealth Group and one of the largest healthcare payment processing companies in the United States—processing approximately 15 billion healthcare transactions annually and handling one in every three patient records—fell victim to the ALPHV/BlackCat ransomware group.
The attack began on February 12, 2024, when attackers gained initial access through a critical application lacking multi-factor authentication—a shocking security oversight given the sensitive nature of data Change Healthcare handled and its central role in U.S. healthcare infrastructure.
The vulnerability allowed compromise of credentials on an application permitting remote system access, and attackers spent nine days moving laterally through the network, exfiltrating data, and preparing for ransomware deployment before launching the attack on February 21. The company was forced to disconnect over 100 systems to prevent further impact, effectively grinding operations to a halt.
The forensic investigation confirmed threat actors had access to Change Healthcare’s systems from February 17 through February 20, 2024, during which they claimed to have stolen 6 terabytes of data, including medical records, patient Social Security numbers, information on active military personnel, names, contact information, dates of birth, and extensive protected health information.
The extended dwell time suggested potential weaknesses in threat detection and response capabilities. Access was ultimately confirmed to have been gained through a vulnerable Citrix remote access service lacking multi-factor authentication.
UnitedHealth Group, via subsidiary Optum, paid a $22 million ransom to ensure the deletion of stolen data. However, the BlackCat ransomware group performed an exit scam, pocketing the ransom payment without compensating the affiliate who conducted the attack.
The aggrieved affiliate subsequently retained a copy of stolen data and joined the RansomHub ransomware operation, which sought an additional ransom payment in mid-April 2024. RansomHub published portions of stolen files that appeared to contain private and sensitive patient records as proof of its threat, although no second payment was made.
The breach ultimately affected an estimated 192.7 million individuals more than almost 2.5 times the size of the previous largest healthcare data breach (the 78.8 million-record breach at Anthem Inc. in 2015) and representing nearly one-third of the United States population.
This made it not only the largest healthcare data breach but one of the largest data breaches ever reported across any sector. The attack resulted in outages lasting several weeks and severely hampered claims processing, causing massive disruption to providers’ revenue cycles.
Survey data from the American Medical Association revealed that 80% of physician practices lost revenue from unpaid claims, 60% faced challenges verifying patient eligibility, 75% encountered barriers with claim submission, 79% could not receive electronic remittance advice, and 85% experienced disruptions in claims payments.
The financial impact was substantial for smaller practices and rural hospitals, with some facing closure risk due to prolonged disruption. UnitedHealth Group estimated the breach could cost in excess of $1.5 billion, including direct costs of responding to the attack and restoring systems plus potential legal liabilities, regulatory fines, and reputational damage.
The incident prompted renewed focus on baseline cybersecurity requirements in healthcare, with OCR proposing updates to the HIPAA Security Rule requiring mandatory multifactor authentication—directly addressing the vulnerability that enabled the Change Healthcare breach.
Synnovis: Ransomware’s Human Toll
The June 3, 2024, ransomware attack on Synnovis—a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospital NHS Foundation Trust, and SYNLAB providing diagnostic and testing services across southeast London—demonstrated the devastating real-world consequences of healthcare ransomware.
The Qilin ransomware group executed the attack, causing major operational impact on procedures and services at multiple major NHS hospital,s including King’s College Hospital, Guy’s Hospital, St Thomas’ Hospital, Royal Brompton Hospital, and Evelina London Children’s Hospital.
The attack resulted in significant disruptions to non-emergency pathology appointments and blood transfusions, which were either canceled, postponed, or redirected to other providers. Blood shortages emerged across London, and affected hospitals were forced to cancel over 800 planned operations and 700 outpatient appointments. The delays to over 11,000 outpatient and elective procedure appointments represented massive operational disruption extending for months following the initial breach.
Qilin hackers injected malware into Synnovis’s IT system, locking the entire computer network until ransom payment would restore control and remove the ransomware. The stolen data included sensitive patient details such as names, dates of birth, NHS numbers, and descriptions of blood tests, along with business account spreadsheets detailing financial transactions between hospitals, GP services, and Synnovis.
The attackers demanded approximately $50 million in ransom, which Synnovis and its NHS Trust partners refused to pay, reflecting a commitment to ethical principles and rejection of funding future cybercriminal activities threatening critical infrastructure, patient privacy, and national security.
When the ransom was not paid, Qilin published approximately 400GB of private data on their darknet site on June 20, 2024, prompting Synnovis to notify the Information Commissioner’s Office and secure a legal injunction to prevent further use of the data.
The forensic review of stolen data took over a year to complete, requiring a large team of forensic experts and data specialists to piece together unstructured, incomplete, and fragmented information using highly specialized platforms and bespoke processes. By November 2025, Synnovis began notifying affected organizations—potentially including any of Synnovis’s service users across England—though patient notifications were handled by impacted NHS organizations rather than directly by Synnovis.
Most devastatingly, King’s College Hospital NHS Foundation Trust confirmed in June 2025 that a detailed patient safety incident investigation identified the cyberattack as a contributory factor leading to an unexpected patient death.
While the investigation identified several contributing factors, one of the main elements was the long wait for blood test results due to the impact the cyberattack had on pathology services. This represented one of the first confirmed instances of a ransomware attack directly contributing to patient mortality, underscoring the life-and-death stakes of healthcare cybersecurity.
The attack reportedly cost Synnovis more than £32 million ($43 million) as of January 2025, with more than 900,000 patients thought to have had their data stolen—though exact confirmation remained pending completion of the forensic review.
Synnovis Chief Executive Mark Dollar expressed profound sadness that the criminal cyberattack was recognized as contributing to the patient death, extending condolences to the affected family. The incident highlighted why NHS organizations are targeted so frequently, with attackers recognizing the critical nature of healthcare services and the immense pressure to restore operations quickly regardless of security posture.
MOVEit Transfer: Supply Chain Catastrophe
The MOVEit Transfer vulnerability exploitation by the Cl0p ransomware group in May-June 2023 continued reverberating through 2025 as one of the largest and most consequential supply chain attacks in ransomware history.
On May 27, 2023, Cl0p began exploiting CVE-2023-34362, a critical SQL injection zero-day vulnerability in the MOVEit file transfer software developed by Progress Software, which was used by thousands of organizations across various sectors, including finance, healthcare, and education, to securely transmit large volumes of sensitive data.
The exploitation allowed attackers to break into public-facing servers using SQL injection, gaining unauthorized access to MOVEit databases. After breaching systems, hackers installed a custom web shell called LEMURLOOT—disguised to resemble a legitimate MOVEit file named human2.aspx—that acted as a secret backdoor enabling cybercriminals to explore stored files and steal massive amounts of data from Microsoft Azure Blob Storage cloud solutions without detection.
The web shell utilized custom HTTP headers (X-siLock-Step1, X-siLock-Step2, and X-siLock-Step3) that acted as stages in executing payloads and managing responses, allowing Cl0p operators to chain commands and automate data exfiltration.
One of LEMURLOOT’s most damaging features was the ability to create privileged accounts in the MOVEit Transfer database using randomly generated usernames but appearing in systems under the innocuous label “Health Check Service,” enabling persistent access and elevated privileges.
Within just a few days of first exploitation on May 27, 2023, thousands of organizations were compromised worldwide, with CISA estimating that more than 3,000 U.S. entities and 8,000 organizations globally were affected. Victims included financial institutions, airlines, universities, government agencies, and healthcare providers, demonstrating how a single zero-day vulnerability in widely deployed file transfer systems could cascade across entire supply chains.
The ultimate impact proved staggering: at least 66.4 million individuals had sensitive data stolen from more than 2,500 firms in what was described as a “global privacy disaster”. Cl0p had reportedly been testing the vulnerability and resultant access to MOVEit databases since July 2021, demonstrating long-term reconnaissance and preparation.
Progress Software was first informed of suspicious activity on May 28, 2023, and by May 31 had identified the previously unknown flaw, quickly notifying customers and patching the vulnerability. Reviews of MOVEit code yielded discovery of five additional zero-day vulnerabilities that were promptly patched by July 6, 2023.
This attack represented a shift in ransomware operations, with Cl0p focusing purely on data exfiltration rather than encryption, knowing that exposure on leak sites could be as damaging as downtime and often harder to recover from.
The group gave impacted companies until June 14, 2023, to pay ransoms, then began creating clearweb sites to leak stolen data for organizations that refused payment, including sites for PwC, Aon, EY, Kirkland, and TD Ameritrade where leaked company data was posted in spanned ZIP archives. Cl0p claimed to have erased all data stolen from government, city, and police services, stating they had “no interest to expose such information,” though this claim’s veracity remained unverifiable.
The MOVEit breach followed Cl0p’s established pattern of exploiting managed file transfer platforms, with previous campaigns targeting Accellion’s File Transfer Appliance (2020-2021) and Fortra’s GoAnywhere MFT (early 2023).
These supply-chain style attacks proved “ruthlessly efficient,” allowing Cl0p to target hundreds of victims simultaneously by writing or acquiring exploits for common MFT products, scanning the internet for vulnerable servers, and fully automating exploitation across all of them—as seen when Cl0p compromised approximately 2,500 exposed MOVEit servers in a compressed timeframe.
The trend of exploiting MFT software highlighted a fundamental shift in ransomware tactics toward data-theft and extortion via supply-chain exploits, with the mass attacks on Accellion, GoAnywhere, MOVEit, and subsequently Cleo in late 2024 showing a repeating pattern: find a zero-day in widely used file-transfer products, attack en masse, steal sensitive files in bulk, and extort each victim company for ransom.
High-Profile Attacks Across Sectors
Beyond these landmark incidents, 2025 witnessed numerous significant ransomware attacks demonstrating the breadth and persistence of the threat across all sectors. Ingram Micro, a leading global IT distributor processing approximately 15 billion transactions annually, suffered a severe attack in July 2025 attributed to the SafePay hacker group.
The breach disrupted operations worldwide, forcing the company to take critical systems offline and impacting ability to process orders and ship products. SafePay claimed to have stolen 3.5 terabytes of sensitive data including customer information and internal documents, threatening release unless ransom was paid, with the attack causing an estimated $136 million in daily revenue losses.
The group claimed to have stolen data from 39 companies using Salesforce-based systems, affecting over one billion records worldwide, with other victims including Toyota, Disney, McDonald’s, and HBO Max. The exploitation of Salesforce integrations demonstrated how threat actors targeted cloud-based business platforms to achieve massive multi-victim impact through single vulnerability chains.
Sunflower Medical Group, a Kansas-based healthcare provider, suffered theft of over 3TB of data by the Rhysida group, which posted the organization on its darknet leak site claiming to possess over 400,000 driver’s licenses, insurance cards, Social Security numbers, and an SQL database. The group shared a sample of allegedly stolen data alongside a ransom demand of 10 BTC, equivalent to just under $10 million.
The Sault Ste. Marie Tribe of Chippewa in Michigan experienced a RansomHub attack that forced multiple computer and phone systems out of operation for an indefinite period across numerous organizations including casinos, health centers, and various businesses.
The threat actors claimed to have exfiltrated 119GB of confidential information from the tribe, with some news outlets reporting the ransom demand stood at $5 million. Russian alcohol retailer WineLab was forced to shut down retail operations and online services following an Akira ransomware attack that severely disrupted IT infrastructure and customer services.
These incidents collectively illustrated that no sector, organization size, or geographic region remained immune to ransomware threats in 2025. The attacks ranged from targeted assaults on specific high-value entities to mass exploitation campaigns leveraging supply chain vulnerabilities, with financial impacts spanning from millions to billions of dollars and operational disruptions lasting from days to months.
Ransomware in 2025 presents a stark paradox that defines the current cybersecurity landscape. Attack volumes reached unprecedented heights with 4,701 confirmed incidents globally between January and September, a 34% increase over 2024, yet ransom payment rates collapsed to historic lows of 23-25%, forcing a fundamental market correction in the cybercriminal economy.
This contrast highlights the evolution of defensive capabilities and the increasing desperation of threat actors. These groups have fragmented into 85 distinct active factions, intensifying their focus on critical infrastructure. They are also developing more sophisticated multi-extortion tactics that combine encryption, data theft, DDoS attacks, and harassment of stakeholders.
The year demonstrated unequivocally that ransomware has transcended its origins as a financially motivated cybercrime to emerge as a strategic threat to national security and global stability.
With 50% of attacks targeting critical infrastructure sectors, including manufacturing, healthcare, energy, transportation, and finance, ransomware operators wielded capabilities to destabilize essential services, disrupt supply chains, compromise patient safety, and undermine public trust in institutions.
The confirmed contribution of the Synnovis attack to a patient’s death, the $1.5 billion cost of the Change Healthcare breach affecting 192.7 million individuals, and the 66.4 million victims of the MOVEit supply chain attack collectively illustrated that ransomware consequences now extend far beyond data encryption and financial extortion to encompass threats to human life, economic security, and societal resilience.
The operational sophistication displayed by dominant groups like Qilin (701 victims), Cl0p (392 Q1 victims from Cleo exploitation alone), LockBit (resurgent with version 5.0), Play (900 total victims), and emerging threats like Scattered Spider demonstrated that ransomware actors continuously adapted to defensive improvements and law enforcement pressure.
The proliferation of Ransomware-as-a-Service platforms, abuse of legitimate remote access tools, exploitation of zero-day vulnerabilities in widely deployed software, targeting of cloud and virtualization infrastructure, and employment of AI-enhanced phishing collectively revealed an adversary ecosystem growing more capable and resilient despite significant disruptions.
Yet the dramatic decline in payment rates from over 50% in previous years to 23-25% in 2025 offered hope that the ransomware business model faces existential challenges. Organizations increasingly demonstrated that improved backup and recovery capabilities, robust incident response preparedness, and refusal to fund criminal enterprises could break the economic incentives driving ransomware proliferation.
The collapse of total ransomware revenues from $1.1 billion in 2023 to approximately $813.6 million in 2024, despite surging attack volumes, proved that defensive investments and policy decisions could materially impact adversary profitability.
Looking forward, the ransomware threat will likely continue evolving along several trajectories: further fragmentation and specialization as smaller groups fill niches left by disrupted major operations, intensified targeting of operational technology and cloud infrastructure enabling maximum disruption with strategic leverage, increased employment of AI and automation for both attack enhancement and defensive evasion, and deeper integration with nation-state objectives blurring lines between financially motivated cybercrime and strategic cyber operations.
Organizations must respond by treating cyber resilience as a core pillar of national security strategy, prioritizing proactive preventive measures, maintaining continuous, real-time monitoring, establishing sector-specific resilience standards, investing in incident response and recovery capabilities, and fostering international cooperation to dismantle cross-border infrastructure that enables these attacks.
The year 2025 marked a watershed moment in the ransomware landscape, when attacks reached unprecedented scale and sophistication, yet payment economics began to shift fundamentally against adversaries.
Whether this inflection point presages a gradual decline in ransomware viability or merely represents a temporary correction before threat actors adapt to new market realities will depend on sustained commitment from governments, industries, and global partners to strengthen defenses, deny criminals profits, and ensure ransomware cannot continue threatening the safety, stability, and security of modern society.
