
The latest findings from NordStellar show that the number of ransomware incidents in 2025 soared compared to 2024. The data shows a 45% increase in ransomware cases recorded on the dark web, with a particularly strong spike in the last quarter of the year. December in particular set a two-year record for the number of incidents.
In the last quarter of 2025, ransomware groups exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring. The number of active ransomware groups has also been increasing: the recorded ransomware incidents in 2025 could be traced back to 134 different groups, a 30% increase from the 103 groups linked to recorded ransomware incidents in 2024.
SMBs in Manufacturing Were the Most Affected
Small and medium-sized businesses (SMBs) experienced the most ransomware attacks. This data aligns with the findings from 2024, which showed that SMBs accounted for the majority of incidents.
SMBs are attractive targets for ransomware attacks because they often lack security staff and tools and operate within limited cybersecurity budgets. Smaller organizations are also more likely to run outdated software, have limited security monitoring and depend on external vendors for IT support.
Consequently, when attacked, they are more likely to pay ransoms quickly to avoid business disruption, which is why ransomware groups keep targeting them.
As in 2024, companies in the manufacturing industry continued to bear the brunt of ransomware attacks, with a 32% increase from the previous year, accounting for 19.3% of all cases.
Experts from NordStellar analyzed the ransomware attacks on companies in the manufacturing industry and found that those with up to 200 employees and $25M in revenue were the most targeted. They were followed by other smaller businesses in the machinery manufacturing sector and by SMBs in the appliances, electrical and electronics manufacturing sector, which accounted for 9.9% of all ransomware attacks on the manufacturing industry.
Cybercriminals prioritize targets that offer the biggest payoff for the least amount of effort, and SMBs in the manufacturing industry fit this profile perfectly: they generate enough revenue to pay large ransoms but usually lack the capacity to implement strong security measures or fast recovery options.
Interconnected environments increase the likelihood of lateral compromise, which can occur through shared networks or third-party access.
The Ransomware Group Landscape
Data reveals that the ransomware group Qilin carried out the most attacks in 2025, a 408% increase compared to 2024. It was followed closely by Akira, which recorded a 125% increase, and then by the re-emerged Cl0p, whose leaks registered a 525% increase. The rapidly growing ransomware threat actors Safepay and INC ransom also showed increased activity.
Changes in the ransomware threat actor landscape reflect how competitive the ransomware-as-a-service world has become. Groups like Qilin experienced significant growth because many affiliates joined their operations after other platforms were shut down or became less profitable. Affiliates choose which ransomware to use based on the payment structure, the support offered, the reliability of the tools provided and the operation's track record of success.
The emergence of new ransomware names suggests that groups often rebrand or start fresh operations when facing law-enforcement pressure. LockBit, one of the most active groups in 2024, saw its activity decline significantly in 2025 as a result of successful law enforcement operations.
According to the findings, the number of ransomware cases peaked in the last quarter of 2025, marking a 38% increase compared to the same period in 2024 and a 49% increase from the number of incidents recorded in the July-September period of 2025.
To increase resilience against ransomware attacks, companies need to strengthen their basic security hygiene. This includes updating and patching systems and applications, using multi-factor authentication, implementing password management policies and enforcing a zero trust framework to limit the lateral spread of malware.
For early threat prevention and detection, intelligence is key: it enables businesses to patch critical vulnerabilities and detect indicators of compromise as soon as possible. Data leaked onto the dark web may expose credentials or sensitive details that attackers can exploit to gain unauthorized access. An early alert enables organizations to reset passwords, revoke access keys, disable compromised accounts and respond to incidents faster. Equally important is having a recovery plan and backing up critical data to minimize downtime.