Download the report
our third annual ransomware update stands out because of major developments in the “key players” of the landscape.
This year’s report – Same Game, New Players: Ransomware in 2025 – tracks disruption to the ransomware “old guard”, an uptick in new groups operating on the dark web, and an increase in listed victims. We examine some of the factors behind these changes in the scene and – as always – take a forensic look at the main players that have emerged as we enter the new year.
While some ransomware groups have diminished in stature – or disappeared completely – unfortunately this report shows that this hasn’t resulted in a better outlook for organizations. In fact, the victim count in 2024 was up on 2023. The number of active groups is also up year-on-year, creating a more complex landscape for security professionals to monitor.
Key findings from searchlight’s annual report:
- A total of 94 groups listed victims in 2024 – a 38 percent increase on the number of active groups in 2023.
- 49 new groups were observed posting victims in 2024 – meaning that there are new adversaries for security teams to track.
- 2024 saw a 11 percent rise in listed victims vs 2023 – demonstrating that ransomware remains one of the biggest threats for organizations.
- RansomHub was the #1 group by number of listed victims – pushing LockBit into second place, followed by Play, Akira, and Hunters International.
- LockBit’s victim count in 2024 was less than half of its 2023 victim count – demonstrating clear impact of law enforcement operations.
Download the full report for everything you need to know about the dark web ransomware landscape in the year ahead.