Ransomware is having a record-breaking year, and that isn’t good news for anyone. In the first half of 2025, cybercriminals attacked more organisations than ever before, leaked more data and used new tactics to pressure victims into paying up.
A new report from Searchlight Cyber, CyberOne’s partner for Dark Web Monitoring services, reveals a disturbing trend: ransomware isn’t slowing down. It’s evolving.
The Numbers Are Exploding
- 3,734 organisations were listed as ransomware victims in just six months - a 67% increase on last year.
- 88 ransomware groups were active, 35 of them completely new.
- 65% of victims were from NATO countries such as the UK, US and Germany.
In short, ransomware has become a global business, one that’s targeting the world’s most connected and developed economies.
Why Ransomware Attacks Keep Rising
The surge in ransomware victims isn’t a coincidence. It reflects a combination of factors: from the growing sophistication of ransomware operations to the expanding digital footprint of modern organisations.
But one of the biggest and often overlooked reasons is the widespread availability of ransomware tools. In recent years, cybercriminals have embraced a business model known as Ransomware-as-a-Service (RaaS). This approach allows criminals to rent ransomware kits from the core developers, rather like a subscription model, enabling anyone with malicious intent (even without technical expertise) to carry out large-scale attacks.
This “franchise-style” system has transformed ransomware from a niche criminal tactic into a global industry.
According to Searchlight Cyber, only one of the five most active ransomware groups in the first half of 2025 is not operating under a RaaS model, which shows just how influential this method has become.
The adoption of RaaS has acted as a force multiplier, dramatically increasing the number of attacks and victims recorded each year. In fact, Searchlight’s analysis of 88 distinct ransomware groups revealed 3,734 confirmed victims in the first six months of 2025, the highest figure since records began in 2023.
Another reason for the sustained rise is the constantly changing nature of ransomware groups themselves. The ecosystem is highly fluid: groups frequently rebrand, merge, or split apart, while individual hackers and affiliates move between different operations. Of the 88 active groups observed in early 2025, 35 were entirely new, compared with just 20 newcomers in the second half of 2024.
This constant churn makes ransomware particularly difficult to track and combat. Each new group often reuses infrastructure, tools or data from its predecessors. This means that what appears to be a “new” threat is usually a reshaped version of an existing one.
For defenders, this ever-shifting landscape highlights the importance of ongoing monitoring, intelligence-led defence and adaptive cybersecurity strategies.
The Fall of LockBit, the Rise of New Gangs
For years, LockBit was the world’s most feared ransomware group. But after law enforcement agencies took down its servers earlier this year, a power shift began.
Now, new groups are leading the charge:
- Cl0p – Specialises in stealing data through software flaws (no encryption required).
- Akira – Uses phishing and stolen credentials to gain access.
- Qilin – Threatens victims with legal action and regulatory exposure.
- RansomHub and Play – Smaller but fast-growing groups.
These groups operate like businesses: recruiting partners, sharing profits and posting their victims’ names on dark web sites to pressure them into paying.
What’s New: Extortion Without Encryption
In the past, ransomware worked by locking your files until you paid a ransom. Now, many gangs don’t even bother encrypting anything. Instead, they steal data and threaten to leak it publicly, exposing sensitive emails, contracts or customer details.
Some go even further:
- They contact a company’s customers or suppliers directly.
- They report the victim to government regulators for data breaches.
This new trend, known as “quadruple extortion”, is more psychological than technical: it uses fear, embarrassment and legal pressure to make companies pay.
Why NATO Countries Are Being Targeted
Ransomware isn’t just about money anymore. It’s also about politics. More than two-thirds of all attacks hit NATO members, particularly in the United States and Europe. Analysts believe this is partly because:
- These countries hold more valuable data and have larger ransom budgets.
- Some groups are state-linked or politically motivated.
- Ransomware is being used as a tool of cyber warfare.
In short, ransomware has become part of global conflict, not just cybercrime.
How Hackers Get In
Most attacks start with known software vulnerabilities: essentially, digital doors that haven’t been locked.
Criminals often:
- Exploit unpatched systems (MOVEit, Fortinet, VMware).
- Buy stolen passwords on dark web markets.
- Send fake emails to trick people into granting access.
The lesson? Keeping systems up to date and educating staff remain two of the most effective defences.
The Hidden Victims: Supply Chains
Even if your company isn’t directly attacked, you could still be affected.
When ransomware groups leak stolen data, it often includes information about partners, clients or suppliers.
In one study of Cl0p’s leaks:
- Each company’s stolen data contained an average of 36 GB of files.
- More than 100,000 email addresses were exposed per victim.
- 39 of the FTSE 100 companies were indirectly impacted.
Ransomware doesn’t just harm one business. It ripples through entire networks.
The Future: AI-Driven Ransomware
The report warns that the next wave of ransomware could be powered by Artificial Intelligence (AI).
AI helps hackers to:
- Write phishing emails that sound authentic.
- Identify weaknesses in systems more quickly.
- Personalise ransom demands using stolen data.
Combined with global tensions and political motivations, experts believe 2026 could be the most dangerous year yet for cyberattacks.
How to Protect Your Business
At CyberOne, strong defence starts with visibility and intelligence where attackers actually operate. Our Dark Web Monitoring, powered by Searchlight Cyber and delivered by our Microsoft-powered SOC, gives you real-time insight into criminal activity, exposed data and ransomware threats.
We take this intelligence further by integrating it into our MXDR and wider SOC operations, ensuring threats are identified, prioritised and acted on with speed and precision.
Book a 1:1 consultation with our cyber security specialists to see how Dark Web Monitoring helps you detect, disrupt and defend before it is too late.
The Bottom Line
Ransomware has evolved from a criminal trick into a global industry. One that thrives on fear, stolen data and publicity.
The good news? Awareness is the first line of defence.
By understanding how ransomware works and taking action now, organisations can stay one step ahead of attackers, protecting not just their data but their reputation, their customers and their future.