SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Record ransomware surge as 7,458 victims named in 2025

Wed, 18th Feb 2026

Ransomware groups posted a record 7,458 named victims on dark web leak sites during 2025, according to new research from Searchlight Cyber, which tracks extortion gangs and their public disclosures.

The figure is up 30% from 2024 and shows faster growth in victim numbers than the previous year. The data also suggests a more crowded marketplace: researchers identified 124 active ransomware groups during the year, including 73 new groups.

The analysis draws on leak-site postings, a common tactic in double-extortion schemes in which attackers combine encryption with threats to publish stolen data. Victim numbers dipped slightly in the second half of the year, but the full-year total still reached a new high.

More groups

Researchers counted 93 active groups in the second half of 2025 alone, a record for a six-month period. They also recorded 38 new groups emerging in that half-year, pointing to a steady inflow of new operators and brands.

Ransomware operations often rebrand, split, or change partners after disruptions, arrests, or internal disputes. That churn can inflate the number of apparent groups even when personnel overlaps exist, complicating attribution for defenders and investigators.

Luke Donovan, Searchlight Cyber's head of threat intelligence, said the year showed resilience and adaptation across the ecosystem.

"2025 was a record year for ransomware, driven by a professionalized ecosystem that remains devastatingly effective despite increased pressure from global law enforcement. While we saw a very slight dip in victim numbers in the second half of the year, this should not be interpreted as a victory. The landscape continues to fragment; large monolithic syndicates are fracturing into smaller, agile cells, and with the number of active groups at an all-time high, the threat landscape has become more complex and difficult to track than ever before."

Qilin on top

The data highlights Qilin as the most prolific ransomware group by victim count in the second half of 2025, with 697 attributed victims. That represents a 420% year-on-year increase, according to Searchlight.

Behind Qilin, Searchlight ranked Akira with 384 victims, followed by IncRansom with 213, Sinobi with 180, and Play with 164. The rankings suggest a shifting leaderboard, with established names facing competition from newer entrants.

Qilin's second-half surge followed an announced coalition with Dragonforce and LockBit, with spikes in October and December. Such coalitions can involve shared tooling, access to compromised networks, or joint negotiation processes, though the specifics often remain opaque to outsiders.

The research also points to how quickly new groups can climb the rankings. Sinobi, described as a newcomer, entered the top five within months of its debut. Searchlight linked that rise to a disciplined ransomware-as-a-service model, in which one party manages the malware and infrastructure while affiliates carry out intrusions and share proceeds.

Collaboration trend

Beyond individual brands, Searchlight observed the emergence of "supergroups", in which threat actors pool specialist skills. It cited Scattered Lapsus$ Hunters as an example, saying the model helps participants scale operations by combining expertise across intrusion, malware, and extortion.

The report also flags criminals' use of artificial intelligence. Searchlight said AI can lower barriers to entry by automating parts of malware development and enabling more tailored social engineering. Security teams have warned that more convincing lures and faster iteration cycles can increase the volume of attempted compromises, even if underlying attack paths remain familiar.

Supply chain risk

Searchlight highlighted "Shadow Exposure" in third-party software as a persistent weakness. Many organisations rely on complex supply chains and outsourced technology stacks, creating indirect pathways into internal systems.

Threat actors are weaponising software supply-chain vulnerabilities faster than patch cycles can keep up, the report said. That can leave organisations exposed even when their own systems are well maintained, because security depends on vendor response times and the speed of update deployment across customer environments.

The report also notes the role of initial access brokers, criminals who specialise in gaining entry to networks and selling that access to other threat actors. This market can shorten the time needed for a ransomware affiliate to launch an attack, because access and reconnaissance may already be in place.

Donovan said the victim numbers show the limits of disruption efforts focused on takedowns and arrests alone.

"In the high-stakes game of ransomware in 2026, the only way to truly win is to ensure you aren't an eligible target in the first place. Offensive law enforcement operations are vital, but our data shows they cannot be the only solution. Organisations must adopt a preemptive strategy, maintaining visibility and mitigating exposures to neutralize threats before they escalate into full-blown attacks," he said.

Searchlight expects further fragmentation and collaboration among groups as pressure continues and new entrants use automation and service-style operating models to scale activity.