Ransomware Groups Claimed 2,000 Attacks in Just Three Months

Ransomware may no longer dominate daily headlines, but it has hardly retreated.

While public attention shifted to the rapid rise of artificial intelligence, ransomware groups accelerated their operations behind the scenes. The numbers tell the story. Since January 2023, monthly ransomware attacks have surged from fewer than 200 to nearly 700, a sustained and troubling escalation.

Those figures come from Cyble’s Annual Threat Landscape Report, which paints a picture of a threat environment growing more aggressive and more coordinated. In total, Cyble recorded 6,604 ransomware attacks in 2025, a 52% increase from 2024. December alone saw 731 attacks, one of the highest monthly totals on record.

“Ransomware and supply chain attacks soared in 2025, and persistently elevated attack levels suggest that the threat landscape will remain perilous heading into 2026,” Paul Shread, cybersecurity researcher at Cyble, told TechRepublic. “Ransomware groups claimed more than 2,000 attacks in the last three months of 2025, and they’re starting 2026 at the same elevated pace.”

His company recorded 6,604 ransomware attacks in 2025, up 52% from 2024. The year ended with a near-record 731 ransomware attacks in December of 2025. Perhaps the most worrying aspect of this, he added, is that supply chain attacks nearly doubled in 2025. One attack on a software supply chain partner can potentially impact hundreds or even thousands of customers.

An industrial firm in the US Northeast, for example, had its systems completely shut down by ransomware in late January 2026. Federal authorities, insurance representatives, and cybersecurity specialists are still unraveling the mess.

Key ransomware groups and their favorite targets

The biggest ransomware villain of 2025 is a group known as Qilin.

This Russian cybercrime group has been operating since 2022 and has earned a reputation for high-profile attacks and sophisticated tactics. Recent victims include a large Japanese brewery and US-based Covenant Health. Its ransomware-as-a-service (RaaS) model enables it to provide a network of affiliated groups and individuals with tools and infrastructure to conduct attacks. It pays these associated entities a portion of the payments it receives.

According to Cyble, Qilin led all ransomware groups in 2025. It claimed the top spot in April of 2025 and has maintained it ever since. For the year, it mounted 1,138 successful ransomware breaches, including 190 victims in December alone, followed by another 115 in January of 2026.

As ransomware demands a victim that can pay up, it’s no surprise that the US is the top target. It accounted for 55% of attacks in 2025. Other lucrative areas include Canada, Germany, the UK, Italy, France, and Australia.

Cybercriminal groups don’t focus on one specific industry. They go wherever they can obtain the most reward, noted Shread. Currently, construction, professional services, and manufacturing are among the leading sectors hit by ransomware. Perhaps their lack of IT and cybersecurity sophistication is part of the reason.

However, the IT industry remains a frequent target because an infection can serve as a springboard to several other potential victims.

2026 might be a challenging year for ransomware victims

The bad news is that 2026 has already seen several high-profile ransomware incidents. Thus, the forecast for the year is far from positive.

A ransomware group that exploited flaws in the Oracle E-Business Suite in the latter part of 2025 continues to exploit those same flaws to mount new campaigns. The Cyble report lists 11 Australia-based companies across IT, banking and financial services, construction, hospitality, professional services, and healthcare as affected.

In addition, those same bugs were exploited to infect a US-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canadian mining company. Yet those attacks represent only a few of the many breaches already recorded in the few short weeks since the New Year bells stopped ringing.

Organizations of all kinds are advised to pay serious attention to their cybersecurity perimeter. This includes rapidly patching or remediating known vulnerabilities, prioritizing them by risk. They must review and upgrade protections of web-facing assets, segment their networks and critical assets, harden endpoints, and review/implement strong access controls. These and many other best practices should be given renewed focus in the coming year.

As Shread noted: “The number of supply chain and ransomware threats facing security teams in 2026 requires a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats.”

For more on critical vulnerabilities this month, read our coverage of Microsoft’s February 2026 Patch Tuesday, which addresses six zero-day flaws already under active exploitation.
