Ransomware is having a record-breaking year and this isn’t a good news for anyone. In the first half of 2025, cybercriminals attacked more organisations than ever before, leaked more data and used new tactics to pressure victims into paying up.
A new report from Searchlight Cyber, CyberOne’s Partner for our Dark Web Monitoring Services, reveals a disturbing trend: ransomware isn’t slowing down. It’s evolving.
In short, ransomware has become a global business, one that’s targeting the world’s most connected and developed economies.
The surge in ransomware victims isn’t a coincidence. It reflects a combination of factors: from the growing sophistication of ransomware operations to the expanding digital footprint of modern organisations.
But one of the biggest and often overlooked reasons is the widespread availability of ransomware tools. In recent years, cybercriminals have embraced a business model known as Ransomware-as-a-Service (RaaS). This approach allows criminals to rent ransomware kits from the core developers, rather like a subscription model, enabling anyone with malicious intent (even without technical expertise) to carry out large-scale attacks.
This “franchise-style” system has transformed ransomware from a niche criminal tactic into a global industry.
According to Searchlight Cyber, only one of the five most active ransomware groups in the first half of 2025 is not operating under a RaaS model, which shows just how influential this method has become.
The adoption of RaaS has acted as a force multiplier, dramatically increasing the number of attacks and victims recorded each year. In fact, Searchlight’s analysis of 88 distinct ransomware groups revealed 3,734 confirmed victims in the first six months of 2025, the highest figure since records began in 2023.
Another reason for the sustained rise is the constantly changing nature of ransomware groups themselves. The ecosystem is highly fluid: groups frequently rebrand, merge, or split apart, while individual hackers and affiliates move between different operations. Of the 88 active groups observed in early 2025, 35 were entirely new, compared with just 20 newcomers in the second half of 2024.
This constant churn makes ransomware particularly difficult to track and combat. Each new group often reuses infrastructure, tools or data from its predecessors. This means that what appears to be a “new” threat is usually a reshaped version of an existing one.
For defenders, this ever-shifting landscape highlights the importance of ongoing monitoring, intelligence-led defence and adaptive cybersecurity strategies.
For years, LockBit was the world’s most feared ransomware group. But after law enforcement agencies took down its servers earlier this year, a power shift began.
Now, new groups are leading the charge:
These groups operate like businesses: recruiting partners, sharing profits and posting their victims’ names on dark web sites to pressure them into paying.
In the past, ransomware worked by locking your files until you paid a ransom. Now, many gangs don’t even bother encrypting anything. Instead, they steal data and threaten to leak it publicly, exposing sensitive emails, contracts or customer details.
Some go even further:
This new trend, known as “quadruple extortion”, is more psychological than technical: using fear, embarrassment and legal pressure to make companies pay.
Ransomware isn’t just about money anymore. It’s also about politics. More than two-thirds of all attacks hit NATO members, particularly in the United States and Europe. Analysts believe this is partly because:
In short, ransomware has become part of global conflict. Not just cybercrime.
Most attacks start with known software vulnerabilities. Essentially, digital doors that haven’t been locked.
Criminals often:
The lesson? Keeping systems up to date and educating staff remain two of the most effective defences.
Even if your company isn’t directly attacked, you could still be affected.
When ransomware groups leak stolen data, it often includes information about partners, clients or suppliers.
In one study of Cl0p’s leaks:
Ransomware doesn’t just harm one business. It ripples through entire networks.
The report warns that the next wave of ransomware could be powered by Artificial Intelligence (AI).
AI helps hackers to:
Combined with global tensions and political motivations, experts believe 2026 could be the most dangerous year yet for cyberattacks.
At CyberOne, strong defence starts with visibility and intelligence where attackers actually operate. Our Dark Web Monitoring, powered by Searchlight Cyber and delivered by our Microsoft-powered SOC, gives you real-time insight into criminal activity, exposed data and ransomware threats.
We take this intelligence further by integrating it into our MXDR and wider SOC operations, ensuring threats are identified, prioritised and acted on with speed and precision.
Book a 1:1 consultation with our cyber security specialists to see how Dark Web Monitoring helps you detect, disrupt and defend before it is too late.
Ransomware has evolved from a criminal trick into a global industry. One that thrives on fear, stolen data and publicity.
The good news? Awareness is the first line of defence.
By understanding how ransomware works and taking action now, organisations can stay one step ahead of attackers, protecting not just their data but their reputation, their customers and their future.