As part of our latest ransomware report, Luke Donovan, Head of Threat Intelligence, rounds up the key takeaways and how ransomware changed in the second half of 2025.
From a record number of victims to the most active groups our threat intelligence team has ever tracked, the ransomware landscape reached new peaks in 2025. As we reveal our latest ransomware report, derived from dark web data and intelligence, I reflect on ransomware’s record year and what it takes to stay a step ahead of an increasingly fragmented and professionalized threat.
Why do we track ransomware groups?
The financial stakes have never been higher. Global ransomware damage costs are projected to hit $57 billion USD this year alone. If current trajectories hold, we are looking at a staggering $265–275 billion USD in annual losses by 2031.
This isn’t just an issue for the corporate balance sheets of individual companies; the U.S. authorities’ decision to offer rewards of up to $15 million USD for information leading to the arrest of top-tier ransomware operators underscores the severity of the situation. Law enforcement is no longer just monitoring these groups; they are treating them as high-value state-level targets.
The fact of the matter is, ransomware and cyber extortion are not going away; they are intensifying to new levels. If organizations don’t know the specific threat they’re facing, they’ll soon find themselves victimized. The good news is that this awareness of ransomware activity provides a critical opportunity for preemptive defense.
Extortion victims are at an all-time high
Though in previous years we tended to see an uptick in victims from the first to the second half of the year, H2 2025 saw a marginal dip in publicly disclosed victim counts. Before any celebrations are in order, however, year-over-year data for 2025 as a whole confirms that ransomware extortion victims are at an all-time high.
Our data shows that the number of victims is not only growing, but growing faster than ever: the 30.2 percent increase in victims from 2024 to 2025 is more than double the rate of increase we saw between 2023 and 2024.
This unprecedented increase is influenced by a number of factors outlined in the report. Overall, the past year has seen the maturation of a professionalized ransomware ecosystem that remains devastatingly effective despite increased pressure from global authorities.
The expanding ecosystem of ransomware groups
In 2025 we continued to see large, monolithic syndicates fracturing into smaller, more agile cells, presenting a moving target and a complex ecosystem that is difficult to track by design. We also observed the coming together of “supergroups” like Scattered Lapsus$ Hunters, where smaller, specialized actors pool their talents to scale operations and become a defining threat across the year.
Ransomware-as-a-Service (RaaS) operations remain the dominant model amongst the most prolific groups, but their structure has continued to mature, with groups adopting more controlled and professional frameworks. Earlier iterations were fraught with chaos and infighting, but now the top ransomware groups favor stability while they carefully curate their affiliate programmes and enforce stricter operating standards. This shift reflects lessons learned from the disruption of major platforms and the risks introduced by poorly governed affiliate networks.
Our analysis of the top five ransomware groups by victim count reveals a shifting leaderboard. Qilin dominated the latter half of the year, cementing its position as the most prolific ransomware actor, while newcomers like Sinobi have demonstrated an ability to chalk up substantial victim counts within just months of their debut.
In the second half of the year and across 2025, we tracked more active ransomware groups than ever before, with the highest number of brand-new groups appearing. AI has lowered the barrier to entry, allowing brand-new groups to automate and scale their operations almost overnight. This, combined with frequent rebranding to evade detection, makes constant and active tracking of these groups a priority for defenders.
Ransomware groups shifting tactics
While ransomware groups still rely heavily on gaining initial access through social engineering, phishing, and exploitation of access vectors such as VPNs, they are also using the Achilles’ heel of “shadow exposure” within third-party software as an entry point to organizations. Industry data shows a resurgence in the exploitation of novel and existing, unpatched vulnerabilities, with ransomware groups able to chalk up dozens of victims from flaws in the software supply chain.
In 2025, nearly 30 percent of known exploited vulnerabilities were exploited before being publicly disclosed, or on the day they were reported. When organizations are in a race with ransomware groups that could be won or lost within hours, the importance of continuous threat exposure management within a preemptive security posture could not be higher.
Preempting ransomware attacks
The data in our report provides a stark warning, but it serves a vital purpose. Awareness, visibility, and acting on those insights are fundamental to defending against this threat. Law enforcement operations, such as the coordinated strikes against the BlackSuit (Royal) group last year, prove that putting continued pressure on these groups works, but as we see from the data and the record numbers of victims, it cannot be the only solution.
For organizations in the crosshairs, the strategy must be preemptive. By maintaining early visibility into group tactics and a continuous, real-time view of exposures, businesses can get ahead of the threat. In the high-stakes game of ransomware in 2026, the only way to truly win is to ensure you aren’t an eligible target in the first place.