Written by: Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer

Ransomware is more than an enterprise problem. It has gone mainstream and is easier than ever to execute. The 2025 Ransomware Report, developed by the Black Kite Research Group, highlights how the ransomware threat is rapidly evolving and offers critical insights for CISOs and TPRM professionals to help them avoid becoming a victim, directly or through their third parties.

The Evolving Ransomware Landscape: More Attacks on Smaller Targets

The 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems provides a clear picture of today’s fractured threat landscape. The report, which analyzed over 6,000 victims, 150+ ransomware groups, and dark web activity over the past year, reveals that the fall of major syndicates like LockBit and AlphV didn’t end ransomware; it fractured the ecosystem. Smaller, more erratic groups now dominate, launching more attacks with less discipline.

I walk through the main themes of the report in this video. View other videos in the playlist to watch the full report walkthrough.

Key takeaways from Black Kite’s 2025 Ransomware Report:

123% increase in ransomware victims over 2 years

No Kingpins, Just Chaos: There has been a 24% year-over-year increase in the number of victims, and a 123% increase in victims over two years. There are 96 active ransomware groups, including 52 new entrants. This means the groups got smaller, but the problem got bigger.

67% of known third-party breaches are ransomware driven

Ransomware Is Now a Supply Chain Crisis: Ransomware groups are deliberately targeting vendors embedded deep in supply chains, understanding that the ripple effects can pressure victims to pay quickly. Ransomware is responsible for 67% of known third-party breaches. One vulnerable vendor can lead to mass disruptions, as seen with the 3,000+ auto dealers affected by the CDK Global breach and 400 victims linked to a single Cleo software exploit.

Only 11% of ransomware victims had $100M+ revenue

SMBs: The New Sweet Spot: Attackers now favor many hits over a few big logos. Only 11% of victims had revenue over $100M. Small and mid-sized businesses (SMBs) with revenues between $4M-$8M are the most frequently targeted, as they are easier to ransom and less likely to report. With hardened defenses at the top, attackers have shifted their focus downmarket.

100+ organizations were repeat ransomware victims

Repeat Victim Patterns: Being a ransomware victim once doesn’t grant immunity; it often paints a target. Over 100 organizations were attacked twice, and 14 saw a second breach within 7 days. More than 60 were re-attacked after 6 months.

Average ransom payment decreased by 35% to $553K

Evolving Ransom Economics: The average ransom payment has decreased by 35% to $553K. After the collapse of major syndicates, smaller groups, lacking the infrastructure for complex extortion, took over. They skip negotiation, make a single demand, take what they can get, and move on. Quick hits are replacing drawn-out negotiations. While the average payment values declined, the overall impact widened.

46% of companies with a high Ransomware Susceptibility Index were victimized

Spot the Risk Before It Hits: Black Kite’s Ransomware Susceptibility Index® (RSI™) helps organizations anticipate risk. Companies with an RSI greater than 0.8 are 96 times more likely to be attacked than those with an RSI below 0.2. In fact, 46% of companies with an RSI over 0.8 were hit. RSI spikes often occur within 6 months of an attack, indicating a countdown rather than just a warning.

Visualizing the Threat: 2025 Ransomware Report Infographic

This infographic visually summarizes the key findings of the 2025 Ransomware Report, offering a snapshot of the current ransomware landscape:

The ransomware threat hasn’t disappeared; it has fractured and multiplied. 

To secure your business and supply chain, understanding these shifts is paramount. As we emphasize in the report, preparing for unpredictable chaos, recognizing supply chain vulnerabilities, focusing on SMB protection, anticipating repeat attacks, moving beyond ransom payments, and leveraging predictive tools like the Ransomware Susceptibility Index (RSI) are all key to a safer cyber ecosystem.

For a deeper understanding of how the threat is evolving and what it means for your organization, read the full 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems.


