2025 Ransomware Report
How Ransomware Wars Threaten Third-Party Cyber Ecosystems
by the Black Kite Research Group™ · Led by Ferhat Dikbiyik, Chief Research & Intelligence Officer · Period covered: April 2024 to March 2025
Between April 2024 and March 2025, the ransomware ecosystem didn't shrink. It splintered. Ransomware attacks surged 24% year over year, the number of publicly disclosed victims climbed to 6,046, and 96 active groups (including 52 entirely new entrants) flooded the space left behind by the fall of LockBit and AlphV. The result is a more chaotic, less coordinated, and significantly more unpredictable threat landscape.
This year-long investigation by the Black Kite Research Group draws on real-time monitoring of over 150 ransomware groups, deep intelligence gathered from dark web channels, and the technical telemetry of more than 6,000 victims to map exactly how, where, and why ransomware is hitting in 2025.
The most important shift: ransomware is no longer just an endpoint problem. It's a supply chain crisis. 67% of known third-party breaches now involve ransomware, with attacks on shared vendors like Cleo, CDK Global, and Change Healthcare creating cascading damage far beyond the initial breach. Companies with a Ransomware Susceptibility Index® (RSI) above 0.8 were 96x more likely to be hit than companies in the lowest risk band, proving that ransomware risk is predictable when the signals are read in real time.
This report is your blueprint for understanding where ransomware is heading next, and how to stay ahead of attackers who are now fragmenting faster than defenders can adapt.
Key Findings: 2025 Ransomware Statistics
6,046 ransomware victims publicly disclosed, up 24% year over year
Publicly disclosed ransomware victims climbed to 6,046, a 24% increase from the 4,893 victims recorded the year prior. That figure has more than doubled since 2023, when it stood at 2,708. Combined, that's a 123% increase in victim volume over two years, and the trajectory shows no sign of slowing.
96 active ransomware groups operated in the past 12 months
The number of ransomware groups making public disclosures rose from 79 in April 2023 to 96 by April 2025, with 52 entirely new groups emerging in the last year alone. This fragmentation is the direct result of LockBit and AlphV's collapse. The void created a low-barrier opportunity for less coordinated actors to launch operations with minimal effort.
Small and mid-sized businesses became the new frontline
SMBs with revenues in the $4M-$8M range became the most frequently targeted segment in 2025. Companies with revenue over $1 billion saw a 5.3% decline in victim count, while attackers shifted aggressively toward the mid-market for a simple reason: smaller defenses, less negotiating power, and lower visibility for retaliation. 17% of all 2025 victims now have revenue under $20M.
67% of known third-party breaches now involve ransomware
Ransomware accounted for 66.7% of all analyzed third-party breach incidents with clear attribution in Black Kite's annual breach research. Ransomware is no longer just a direct attack vector. It is the dominant mechanism by which third-party vendor compromises cascade into industry-wide damage.
RSI proved 96x more predictive than baseline risk indicators
47.3% of companies with an RSI above 0.8 suffered a ransomware attack between April 2024 and March 2025. Companies in the lowest band (below 0.2) had a 0.5% victimization rate. The 96x predictive multiplier makes RSI the most reliable forward-looking indicator currently available for ransomware risk.
Key Stats: 6,046 victims · 24% YoY surge · 96 active groups · 67% of third-party breaches · 47.3% attack rate at RSI > 0.8
The Business of Ransomware: Booming, Fragmenting, Evolving
Manufacturing remained the top target with 1,314 victims
Manufacturing held the #1 ransomware target position for the fourth consecutive year, with 1,314 publicly disclosed victims between April 2024 and March 2025. Tight production schedules, high downtime costs, and a dispersed vendor ecosystem make Manufacturing uniquely vulnerable to extortion.
Our 2025 Manufacturing Cyber Risk Report goes deeper on the sector-specific dynamics.
Wholesale Trade, Construction, and Healthcare saw the sharpest growth
Wholesale Trade led year-over-year growth at +2.93%, followed by Construction (+0.96%) and Healthcare and Social Assistance (+0.95%). Wholesale Trade's structural shift toward digital supply chain ransomware is detailed in the 2026 Wholesale & Retail Cyber Risk Report. Construction's rise reflects expanded subcontractor exposure. Healthcare's eight consecutive years of attack volume growth signal a sector under sustained pressure.
Healthcare ransomware activity reached a quarterly high in Q1 2025
Healthcare's operational complexity, legacy infrastructure, and the urgency of medical services continue to make it a uniquely vulnerable ransomware target. Q1 2025 hit a quarterly attack volume high, with attackers concentrating on hospitals, clinics, and the third-party providers that support them.
The full pattern is documented in our 2025 Healthcare Ransomware Report.
The US accounted for over half of all global ransomware disclosures
The United States represented 52% of all global ransomware disclosures with 3,141 victims, nearly 10x the next country (Canada, 318). Canada, India, and Brazil saw the sharpest year-over-year increases as attackers expanded reach into Western and emerging markets. Geopolitical alignment continued to drive concentration: attackers favor targets in Western, English-speaking economies where insurance coverage and ransom payment likelihood are higher.
Ransom payment totals declined but operational impact widened
Average ransom demands hit $4.32 million in 2024, with the highest known demand reaching $70 million. But median payments dropped to $2 million and total payments declined year over year. Attackers compensated by increasing victim volume rather than per-target extortion, and by leaning on operational disruption (not just data encryption) as the primary leverage point.
Ransomware Is Now a Supply Chain Crisis
Cleo, CDK Global, and Change Healthcare define the new attack model
Three incidents defined the 2024-2025 supply chain ransomware era. CDK Global was hit with a $25M ransom demand that paralyzed over 3,000 US car dealerships. Change Healthcare (a UnitedHealth subsidiary) had data from more than 100 million individuals exposed via a Citrix portal compromise that exploited missing MFA. Cleo, a managed file transfer vendor, became the entry point for a cascade through retail and logistics when two of its CVEs were weaponized at scale.
Clop's Cleo campaign claimed 400 victims through a single MFT exploit
The Clop ransomware group exploited two vulnerabilities in Cleo's managed file transfer software (CVE-2024-50623 and CVE-2024-55956) to claim 400 victims across manufacturing, wholesale, and IT service providers. The group disclosed victims in stages over two months, weaponizing publicity itself as a pressure tactic. Real-time threat actor monitoring is the only way to track campaigns of this scale before they reach downstream organizations.
Manufacturing, Wholesale, and IT absorbed the largest cascade impact
Clop's Cleo campaign hit Manufacturing (131 victims), Wholesale and Transportation/Warehousing combined (115 victims), and Professional Services & IT (68 victims) hardest. The pattern confirms a structural truth: ransomware groups target vendors that sit at the operational center of multiple industries, knowing a single compromise can cascade across hundreds of downstream firms.
Vendor opacity makes supply chain ransomware easier to monetize
Most organizations lack visibility into their third- and fourth-party connections. That opacity is the asymmetry attackers exploit. Even when ransom is not paid, the disruption itself creates value: stalled inventory, delayed shipments, missed compliance windows, and reputational fallout that pressures the next victim to settle faster.
Profiling the Top Ransomware Groups After LockBit
RansomHub emerged as the new market leader with 736 victims
RansomHub closed 2024 at the top with 736 disclosed victims, the highest among all ransomware groups. With operational discipline and stable leadership, RansomHub quickly filled the void left by LockBit and AlphV, attracting many former affiliates and standing out as the most organized ransomware operation in active deployment.
Play, Akira, and Qilin held steady operational consistency
Play (369 victims), Akira (349 victims), and Qilin (200 victims) kept operating consistently through the LockBit collapse. Each maintained a deliberate, focused approach rather than the chaotic high-volume tactics of newer entrants. Their persistence suggests these groups have evolved from opportunistic actors into established business operations.
Medusa, Lynx, and SafePay represent the next wave of high-volume actors
Medusa stepped up in late 2024 with high-profile victims and ransom-deadline extensions. Lynx has disclosed nearly 180 victims since its mid-July 2024 launch. SafePay entered the scene in late November and passed 122 victims with a financial-sector focus. Each demonstrates that ransomware groups can now scale faster than ever, leveraging RaaS infrastructure and adapted playbooks from collapsed predecessors.
LockBit and AlphV's collapse created the power vacuum
Operation Cronos, the multi-agency law enforcement effort against LockBit, dealt a crushing blow to the group's reputation and operations. LockBit administrators were publicly identified and targeted with international bounties. AlphV exit-scammed shortly after. Together, the collapse left a power vacuum that 52 new groups rushed to fill in the following 12 months.
Predicting Ransomware Risk with the Ransomware Susceptibility Index®
47.3% of companies with an RSI above 0.8 were ransomware victims
47.3% of companies with an RSI above 0.8 suffered a ransomware attack between April 2024 and March 2025. Companies in the 0.6-0.8 band had an 8.7% victimization rate. Companies below 0.2 had just 0.5%. The tight correlation between score and outcome makes RSI the most reliable predictive indicator currently available for ransomware risk.
RSI tracks technical indicators and intrinsic risk factors together
RSI is a composite measure that incorporates technical indicators (misconfigurations, exposed remote ports, exploitable vulnerabilities, stealer logs, leaked credentials, botnet activity) and intrinsic risk factors (industry classification, geographic location, company size, and exposure history). The combination gives security teams an attacker's view of what makes an organization a target, not a defender's view of what makes it compliant.
61% of victims showed a rising RSI trend in the six months before compromise
61% of ransomware victims had a rising RSI trend in the six months before compromise. 88% experienced at least one 10% RSI spike within that same window. 92% had at least a 5% spike between consecutive months. RSI is not a static rating. It is a leading indicator that reveals when an organization is being noticed by threat actor groups.
Only 0.82% of monitored companies score above 0.8, making RSI highly selective
Only 0.82% of all monitored companies in the Black Kite platform have RSI scores greater than 0.8. The score is highly selective by design: the group it flags is small, but the correlation with actual attack outcomes is overwhelmingly strong. Get a free RSI rating to see where any company sits on the scale today.
Key Stats: 47.3% attack rate at RSI > 0.8 · 96x more likely to be hit · 0.82% of companies scored above 0.8 · 61% showed rising RSI before compromise
How to Defend Against the 2025 Ransomware Landscape
Shift from visibility to anticipation using predictive risk intelligence
Static visibility into vendor risk is no longer enough. Modern defense requires predictive risk intelligence that flags escalation before an incident occurs. The companies that avoided ransomware in 2024-2025 weren't the ones with the most security controls. They were the ones who saw RSI escalations early and acted on them.
Treat shared digital vendors as concentrated ransomware risk
When the same MFT software, identity provider, or logistics platform underpins thousands of downstream organizations simultaneously, a single compromise becomes industry-wide exposure. Map your concentrated digital dependencies, model the financial impact of a single vendor compromise, and allocate continuous monitoring effort to those concentrated points first.
Compress patching windows for KEV vulnerabilities across third parties
Threat actors are exploiting known vulnerabilities within days of disclosure. Days, not weeks or months. Patching standards for Known Exploited Vulnerabilities (KEV) across every third-party vendor are no longer optional. Our 2025 Supply Chain Vulnerability Report covers the broader vulnerability landscape across third-party ecosystems and how to prioritize remediation.
Pair supply chain monitoring with early warning signals from RSI
Combine continuous supply chain monitoring with RSI-based early warning signals to detect when a vendor's risk is escalating before that vendor becomes a public victim. Real-time ransomware threat intelligence is the missing layer in most third-party risk management (TPRM) programs, and the gap is where 2025-era attackers found the most success.
Defend against AI-augmented social engineering and adaptive ransomware
AI is now a meaningful force multiplier for ransomware groups. From AI-generated phishing campaigns that mimic individual employees' communication styles to adaptive ransomware that evades detection and adjusts ransom demands based on victim data, the attacker toolkit has fundamentally changed. Vendor risk assessment frameworks must explicitly evaluate AI exposure as a control category, which is why we released the open BK-GA³™ AI Risk Assessment Framework as a community standard.
2025 Ransomware Report Methodology
BRITE monitored activity from over 150 ransomware groups
The Black Kite Research & Intelligence Team (BRITE) tracked the leak sites, extortion posts, and public disclosures of more than 150 ransomware groups between April 1, 2024 and March 31, 2025. A group was considered "active" if it published at least one victim within the last 12 months. By March 2025, 96 groups met this threshold.
6,046 victims identified through leak site monitoring and dark web intelligence
Victims were identified through continuous leak site monitoring, cross-validated with open-source intelligence and Black Kite's internal telemetry. Each victim was classified by industry (NAICS code), headquarters location, and estimated company size based on publicly available financial data and trusted databases.
Industry classification standardized using NAICS codes
To ensure analytical consistency across sectors, all victims were aligned with NAICS (North American Industry Classification System) codes. This allowed direct comparison between industries and subindustries without misattribution, and ensured year-over-year growth metrics reflected actual industry shifts.
Each victim's cybersecurity posture analyzed before and after the incident
BRITE leveraged the Black Kite platform to assess each victim's cybersecurity posture before and after the incident, identifying patterns in susceptibility and exposure. This pre/post comparison is what enabled the RSI predictive analysis covering more than 5,700 confirmed victims and hundreds of thousands of non-victims.
Bob Jones, Senior Advisor at Shared Assessments: "In my opinion it’s among the best presented studies I’ve ever read! The graphics aren’t just spectacular, they actually tell the story; and the writing is clear, not patronizing. All in all, the most effective kind of content by demonstrating Black Kite’s stature in its field."
