The volume of ransomware attacks in 2025 was up by 179% compared to the same period in 2024, according to statistics published by threat intelligence platform provider Flashpoint.
The past year has seen significant changes among cyber criminal threat actors, with previously feared groups such as LockBit taken down by law enforcement and others no longer the forces they once were.
The past year has also seen a pivot among some cyber-threat actors to extortion without encryption. In such attacks, a victim’s systems are attacked via social engineering or an unpatched software vulnerability. Their data is then stolen, but not encrypted.
This sort of attack is becoming a significant threat because it lowers the barriers to entry from a technical perspective, both for the ransomware operators who save on time and effort, and their affiliates. This trend started to emerge during 2024 and shows no signs of slowing down.
“Multiple groups appear to prefer a pure extortion play. Ransomware groups will traditionally encrypt files before exfiltrating them, charging for both the decryption key and to prevent data from being leaked,” said the Flashpoint team.
“[However] extortion groups like World Leaks, previously known as Hunters International, ransom without encryption. Additionally, RansomHub has been observed occasionally employing this tactic, as well as emerging groups like Weyhro,” they said.
Meanwhile, generative artificial intelligence (GenAI) is also starting to be used by some, albeit not many, gangs, again as a means of relieving them of some of the more burdensome tasks they face, such as developing phishing templates.
At the time of writing, few high-profile operators are using large language models (LLMs) in their tooling, but Funksec, which emerged at the end of 2024 and may have had a hand in the development of the WormGPT model, may be one to watch out for.
“It is possible that additional groups will integrate the use of LLMs or chatbots within their operations,” said the Flashpoint team.
Other operational and technical changes observed by the Flashpoint team include a growing number of attacks in which ransomware gangs recycle previous ransomware victims from other groups, with data often appearing on other forums long after the event itself has occurred.
Data Compromised
The stolen information varies by but potentially includes:
- Full names
- Physical addresses
- Contact information
- Social Security numbers (SSNs)
- Medical data
- Student grades
- Enrollment history
- Teacher licensing and salary information
The most active ransomware actors tracked during the first six months of 2025 were Akira, which carried out 537 attacks, Clop/Cl0p, with 402, Qilin, with 345, Safepay Ransomware, with 233, and RansomHub, with 231 attacks.
In terms of ransomware victims, organizations in the United States continue to be the most frequently targeted, accounting for 2,160 attacks tracked by Flashpoint. This outpaces Canada – with 249 attacks – by a runaway margin. Flashpoint tracked 154 attacks in Germany and 148 in the UK, followed by Brazil, Spain, France, India and Australia.
Protecting Against Future Attacks
To better protect themselves from ransomware attacks and breaches, organizations should consider the following measures:
- Implement strong access controls: Use multi-factor authentication and regularly update passwords for all systems. Check out our guide on implementing multi-factor authentication.
- Conduct regular security audits: Regularly assess and update security protocols to identify and address vulnerabilities. ATYXIT offers auditing and compliance services that do exactly that.
- Encrypt sensitive data: Ensure that all personal and sensitive information is encrypted both in transit and at rest.
- Provide cybersecurity training: Educate staff and students about best practices for data security and how to identify potential threats. Read about the role employee cybersecurity training plays in most attacks.
- Limit data collection and retention: Only collect and store essential information, and implement strict data retention policies to ensure the data your organization collects is both properly stored and disposed of.
- Vet third-party vendors: Thoroughly assess the security measures of any software or service providers before potentially granting them access to sensitive data.
- Develop and test incident response plans: Create comprehensive plans for responding to potential breaches and conduct regular drills to ensure readiness.
- Monitor for suspicious activity: Implement robust monitoring systems to detect and respond to unusual access patterns or data exports.
- Keep software updated: Regularly apply security patches and updates to all systems and applications.
- Consider cyber insurance: Invest in comprehensive cyber insurance to help mitigate the financial impact of potential breaches.
By implementing these measures, organizations can significantly enhance their cybersecurity posture and better protect the sensitive data of employees and customers alike. As cyber threats continue to evolve, it’s crucial for all entities handling personal information to remain vigilant and proactive in their approach to data security.
ATYXIT is an Illinois-based security-first Business IT Solutions Provider and Chicago Cloud Provider. We excel in supporting and evolving company networks. Our technical support, technology consulting, project management, cyber security and IT strategy services make us the ideal IT resource for local small and medium-sized businesses.
Reach out today if you need any assistance with your business technology!