Download the report
Our mid-year ransomware Landscape check-in shows a marked increase in victims and active groups
The report – An Escalation in Attacks: The Ransomware Landscape in H1 2025 – records 3,734 victims listed on ransomware leak sites between January and June 2025, which is a 67 percent increase on the same time period last year (H1 2024) and a 20 percent increase on H2 2024.
The Searchlight Cyber threat intelligence team has analyzed the factors driving this increase in victims, as well as other notable developments in the ransomware landscape in 2025 so far, and our usual top five ranking of ransomware groups. Plus unique analysis of data leaked by ransomware groups, to understand the true scope of the damage done to third party providers, customers, and staff.
Download the report to find out About
- The driving factors behind the ransomware victim increase – including technological advancements and the continued commoditization of ransomware.
- How the makeup of ransomware groups has changed – with more groups recorded in this reporting period than ever before.
- The geographical distribution of ransomware victims – with a clear concentration of listed victims in NATO-affiliated countries.
- The techniques being used by ransomware groups – in exploiting vulnerabilities and using novel approaches to extortion.
- Details about the top five ransomware groups – with in-depth profiles on Cl0p, Akira, Qilin, RansonHub, and Play.
- Why LockBit has dropped out of the top five – thanks to law enforcement action and an attack on the group by an unknown actor.
Download the full report for everything you need to know about the ransomware landscape of the dark web.