NordStellar research reveals ransomware attacks soar with a 45% increase in 2025
Ransomware attacks soared in 2025, with 9,251 recorded cases compared to 6,395 cases in 2024
NEW YORK, Jan. 28, 2026 (GLOBE NEWSWIRE) -- The latest findings from NordStellar, a threat exposure management platform, reveal that the number of ransomware incidents in 2025 soared compared to 2024. The data shows that in 2025, 9,251 ransomware cases were recorded on the dark web, marking a significant 45% increase compared to 6,395 cases recorded in 2024.
The number of ransomware cases rose significantly in the last quarter of 2025. December set a two‑year record, with a substantial 1,004 recorded incidents.
"In the last quarter of 2025, ransomware groups deliberately exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring," says Vakaris Noreika, cybersecurity expert at NordStellar. "However, there has been an upward trajectory the whole year. Ransomware actors are growing increasingly aggressive — given the surge in 2025, the number of ransomware incidents in 2026 is likely to exceed 12,000."
According to Noreika, the number of ransomware groups has also been increasing. The recorded ransomware incidents in 2025 could be traced back to 134 different groups — a 30% increase from the 103 groups linked to recorded ransomware incidents in 2024.
SMBs in the US were affected the most
Companies in the US remained the primary targets, with 3,255 recorded ransomware cases in 2025 (a 28% increase from 2,544 incidents in 2024), accounting for 64% of all cases. The US was followed by Canada with 352 cases (a 46% increase from 2024), then Germany with 270 cases (a 97% increase), the United Kingdom with 233 cases (a 2% increase), and France with 155 cases (a 46% increase).
Small and medium-sized businesses (SMBs) with up to 200 employees and revenues up to $25 million experienced the most ransomware attacks. This data aligns with the findings from 2024, which showed that SMBs accounted for the majority of incidents.
"SMBs are attractive targets for ransomware attacks because they often lack security staff and tools and operate within limited cybersecurity budgets — all of which are essential to safeguard their systems," says Noreika. "Smaller organizations are also more likely to rely on outdated software, have limited security monitoring, and rely on external vendors for IT support. Consequently, when attacked, they're more likely to pay ransoms quickly to avoid business disruptions, which is why ransomware groups keep targeting them."
The most-targeted ransomware-victim company profile in 2025
As in 2024, companies in the manufacturing industry continued to bear the brunt of ransomware attacks, with 1,156 incidents in 2025 (a 32% increase from the previous year), accounting for 19.3% of all cases (a 0.3% increase from 2024).
The manufacturing industry was followed by the IT industry, with 524 recorded cases (a 35% increase from 2024), professional, scientific, and technical services (494 incidents, a 30% increase), the construction industry (443 incidents, a 24% increase), and healthcare, with 339 attacks (a 6% decrease from 2024).
Experts from NordStellar analyzed the ransomware attacks on companies in the manufacturing industry. They found that SMBs (those with up to 200 employees and $25M in revenue) operating in the general manufacturing industry were the most targeted. They were followed by other smaller businesses operating in the machinery manufacturing sector (10% of all attacks on the manufacturing industry), and SMBs operating in the appliances, electrical, and electronics manufacturing sector, accounting for 9.9% of all ransomware attacks on the manufacturing industry.
"Cybercriminals prioritize choosing targets that offer the biggest payoff for the least amount of effort, and SMBs in the manufacturing industry fit this perfectly — they generate enough revenue to pay large ransoms but usually don't have the capacity to implement strong security measures or fast recovery options," says Noreika.
According to Noreika, manufacturing companies are in a difficult position — their production lines can't stop for long periods, so even short disruptions can cause significant financial losses. Consequently, they're pressured to do anything it takes to continue their operations — even if it means giving in to the attackers' demands.
"Machinery and industrial equipment manufacturers were also heavily targeted — this could be the result of expanded digitalization and remote connectivity in production environments," says Noreika. "Meanwhile, appliance and electronics manufacturers are facing a higher risk of experiencing a cyberattack due to complex supplier integration and cloud-based operations."
According to Noreika, interconnected environments increase the likelihood of lateral compromise, which can occur through shared networks or third‑party access.
The ransomware group landscape: Qilin takes the lead
Data reveals that the ransomware group Qilin carried out the most attacks in 2025, with 1,066 cases (a 408% increase compared to 2024). It was followed closely by Akira, with 947 recorded ransomware cases (a 125% increase), then the re-emerged Cl0p leaks (594 cases, a 525% increase), the relatively new, rapidly growing ransomware threat actor Safepay (464 cases, a 775% increase), and INC ransom, with 442 recorded cases (an 83% increase compared to 2024).
"The changes in the ransomware threat actor landscape reflect how competitive the ransomware-as-a-service world has become," says Noreika. "Groups like Qilin experienced significant growth because many affiliates joined their operations after other platforms were shut down or became less profitable. Affiliates choose which ransomware to use based on better payment structure, support, the reliability of the tools provided, or reputation of success."
He underscores that Akira could have expanded for similar reasons. According to Noreika, the emergence of new ransomware names suggests that groups often rebrand or start fresh operations when facing law‑enforcement pressure. He notes that the activity of LockBit, one of the most active groups in 2024, witnessed a significant decline in 2025 due to successful law enforcement operations.
Incidents peak, but targets remain the same: What’s next?
According to the findings, the number of ransomware cases peaked in the last quarter of 2025, with 2,910 recorded incidents, marking a 38% increase compared to the same period in 2024 (2,102 cases) and a 49% increase from the number of incidents recorded in the July-September period of 2025 (1,954 cases).
The data from the final quarter of 2025 mirrored the findings from throughout the year — small and medium-sized manufacturers remained the primary target.
"The success of end-of-year attacks is concerning — this will likely motivate the ransomware groups to repeat these timing patterns at the end of 2026 as well," says Noreika. "Businesses, especially SMBs and those operating in industries where operational downtime is unacceptable, or that handle high-value data, should be on high alert and reassess their preparedness to combat ransomware."
To increase their resilience against ransomware attacks, Noreika advises companies to strengthen their basic security hygiene. This includes updating and patching systems and applications, using multifactor authentication, implementing password management policies, and enforcing the zero trust framework to prevent malware from spreading laterally.
"For early threat prevention and detection, intelligence is key — it enables businesses to patch critical vulnerabilities and detect indicators of compromise as soon as possible," says Noreika. "Data leaked onto the dark web may expose credentials or sensitive details that attackers can exploit to gain unauthorized access. An early alert enables organizations to reset passwords, revoke access keys, disable compromised accounts, and support faster incident response."
Noreika explains that having a ransomware incident-response plan is crucial for reducing the scope of damage from an attack as soon as possible. He also emphasizes the importance of having a recovery plan as well as backing up critical data to minimize operational downtime.
Disclaimer: While the total number of 9,251 ransomware attacks in 2025 is accurate, the figures presented for each category (industry, company size, and country) may be slightly higher. This is because a number of incidents were missing data needed for categorization and thus were omitted.
ABOUT NORDSTELLAR
NordStellar is a next-generation threat exposure management platform that enables companies to detect and respond to cyber threats before they escalate. NordStellar offers visibility into how threat actors work and what they do with compromised data. NordStellar was created by Nord Security, a globally recognized company behind one of the world's most popular digital privacy tools, NordVPN. For more information, visit nordstellar.com.
Contact:
Inga Vaitkeviciute
inga@nordsec.com