The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.
While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.
Video Transcript
Intro
The end of year ransomware update highlights the key trends shaping ransomware and data extortion activity through 2025, including attack volumes, group dynamics, industry targeting, geographic concentration, and the growing influence of artificial intelligence.
Ransomware Activity
Ransomware activity increased significantly in late 2025, with a 57% rise in attacks between Q3 and Q4 and a 12% year-over-year increase compared to 2024. Overall, 7,884 attacks were recorded in 2025, versus the 7,041 successful attacks observed in 2024.
Activity peaked in February and December. These year-end and year-start months offer heightened extortion leverage for attackers: year-end financial reporting and revenue-closing timelines increase the cost of downtime, potentially increasing the likelihood that a victim will engage and pay a ransom.
The most active groups this quarter were Qilin, Akira and Sinobi, followed closely by IncRansom and Cl0p.
Ransomware activity as a whole continues to climb. The continued digitization of critical business processes has expanded the attack surface, while inconsistent security maturity across organizations continues to provide attackers with a steady pool of vulnerable targets.
Ransomware Groups
The ransomware ecosystem remains highly concentrated. While dozens of names appear across the year, a relatively small number of well-resourced groups account for a disproportionate share of global activity. In practice, some groups drive volume through frequent, lower-profile intrusions executed repeatedly, while others prioritize fewer but more disruptive operations that generate brand recognition and media attention.
Qilin, Akira, and Sinobi illustrate different paths to operational success.
Qilin's and Akira's positions reflect high-volume campaigning and mature infrastructure that supports wide affiliate reach. Sinobi, by contrast, despite lower public notability, rose through persistent targeting of small and medium enterprises, demonstrating that a group can produce substantial impact without constant high-profile exposure.
Group Numbers
This quarter saw a drop in the number of active groups observed, down from 77 in Q3 to 71 in Q4. This is still higher, however, than the 2024 year-end figure of 66 groups. Because the number of attacks has increased while the number of groups has fallen, this may hint at a consolidation of attackers, or a shift favoring larger and more accessible RaaS models like those Qilin and IncRansom offer.
Threat Spotlight: Sinobi
Sinobi emerged in mid-2025 as a financially motivated ransomware group and quickly established itself through consistent activity rather than high-profile attacks.
Sinobi typically gains initial access through exposed remote services, stolen credentials, and unpatched perimeter devices. Once inside a network, the group prioritizes rapid lateral movement and data exfiltration before deploying ransomware, favoring double-extortion over prolonged dwell time.
Manufacturing and healthcare have been Sinobi’s most heavily targeted industries, reflecting their low tolerance for downtime and regulatory exposure. Construction and technology formed a secondary tier, aligning with Sinobi’s focus on complex environments with uneven security maturity.
Cost of a Data Breach
Between 2020 and 2025, IBM's Cost of a Data Breach data shows a persistent and widening cost disparity between the United States and the global average. Over this six-year period, the average cost of a breach in the U.S. rose from $8.64 million to $10.22 million. By contrast, the global average increased more modestly and has remained consistently below $5 million.
This divergence highlights several structural factors affecting U.S. breach costs, including stricter regulatory exposure, higher litigation and settlement expenses, and greater per-record costs associated with sensitive data types.
In 2023, Sophos reported that the average cost to recover from a ransomware attack was $1.82 million, which rose to $2.73 million in 2024. This increase coincided with longer recovery times, greater system disruption, and more complex extortion tactics observed during that period. In 2025, however, the average recovery cost declined to $1.53 million, suggesting measurable improvements in organizational resilience, backup strategies, and incident response effectiveness.
For threat actors, the data confirms that U.S. organizations remain high-value targets due to the outsized financial consequences of successful intrusions. For defenders, the trend emphasizes the importance of preventive controls, rapid detection, and incident response maturity.
Together, this illustrates a layered cost structure. Ransomware recovery expenses represent only a portion of total breach impact, yet they remain substantial and highly sensitive to changes in preparedness, tooling, and response speed. As breach costs continue to climb faster in the U.S. than globally, the business case for investment in security automation, resilience, and zero-trust architectures becomes increasingly compelling.
Industry
Ransomware and data extortion activity in Q4 2025 continues to show strong concentration across a consistent set of high-risk industries, with limited change from previous reporting periods. Manufacturing remains the most affected sector, reflecting its ongoing exposure due to operational technology dependencies, complex supply chains, and limited tolerance for downtime. This sector has consistently ranked at or near the top in prior periods and continues to experience sustained targeting.
Technology and healthcare again feature prominently, reinforcing their status as priority targets. Technology organizations remain attractive due to the concentration of sensitive data, intellectual property, and downstream access to customer or partner environments. Healthcare continues to face elevated risk as operational disruption can have immediate consequences, increasing attacker leverage even when ransom payments are not guaranteed.
From an annual perspective, manufacturing and technology lead in total attack volume by a wide margin, followed by healthcare as the third most affected industry.
Geographic
Globally, ransomware continues to be prevalent regardless of location, affecting most of the Americas, Europe and a large portion of Asia.
40% of all attacks were focused against US-based organizations, with 970 observed attacks in Q4 and 3,403 in total for the year. Organizations based in Canada came in as the second most affected, with 107 in Q4 and 361 in 2025 overall, followed by Germany, France, and the UK. These four countries combined accounted for only 15% of the observed attack volume, versus the 40% attributed to the US alone.
Overall, this shows that ransomware activity was geographically widespread but disproportionately concentrated in a limited number of highly digitized and economically significant countries.
AI
The adoption of artificial intelligence (AI) by cybercriminals continued to accelerate throughout 2025, acting primarily as a force multiplier rather than a source of fundamentally new capabilities. Importantly, AI has not raised the skill ceiling for advanced threat actors.
Highly capable groups still rely on human expertise for exploit development, operational planning, and ransom negotiations. Instead, AI has lowered the barrier to entry, enabling less experienced actors to participate more effectively in ransomware and data extortion campaigns. AI continues to be incrementally integrated into existing workflows, amplifying capabilities that were already known and central to modern ransomware campaigns.
One of the most visible applications of AI is in social engineering and phishing. Large language models enable threat actors to rapidly generate high-quality, context-aware lures tailored to specific industries, roles, or organizations. This has reduced the effort required to produce convincing emails, support messages, or negotiation communications, while increasing success rates for credential harvesting and malware delivery. AI-generated content has also lowered language and cultural barriers, allowing campaigns to scale globally with minimal localization effort.
OpenAI continues to expand defensive cybersecurity capabilities designed to support security teams in identifying and mitigating risk more effectively. These tools enable faster code review, vulnerability discovery, and remediation, helping defenders respond more quickly to emerging threats. As OpenAI has stated, “Our goal is for our models and products to bring significant advantages for defenders, who are often outnumbered and under-resourced.”
Conclusion
Through the end of 2024 and into 2025, ransomware activity has reached historically high levels. The continued digitization of critical business processes has expanded the attack surface, while inconsistent security maturity across industries provides attackers with a steady pool of vulnerable targets. At the same time, the availability of individual components (initial access brokers, negotiators, and data-leak platforms) has improved operational efficiency and reduced the operational risk for attackers. Uneven law enforcement pressure further limits deterrence, allowing many groups to operate with relative impunity, and mature monetization infrastructure continues to lower barriers for threat actors.
Geographically, activity remains heavily skewed toward economically developed regions, with the United States continuing to represent the primary target due to its digital footprint, regulatory environment, and financial exposure.
The increasing use of artificial intelligence further reinforces these dynamics. AI has not raised the upper bound of attacker sophistication, which remains defined by human expertise, but it has significantly lowered the barrier to entry. By automating social engineering, reconnaissance, data analysis, and victim communications, AI enables less experienced actors to operate more effectively and at greater scale.
Despite some improvements in recovery efficiency, breach costs continue to rise, especially in the United States, extending costs beyond ransom payments to include operational disruption, legal exposure, and long-term reputational damage. Together, these trends indicate that ransomware will remain a persistent and economically viable threat despite the significant improvements in defensive maturity, international coordination, and disruption of the ransomware ecosystem.