The latest Q3 ransomware research report reveals a simple truth: Ransomware is not slowing down. And it’s evolving. Attacks increased in number last quarter, while threats became more fragmented and sophisticated.

Understand these ransomware trends and patterns, and you can better prepare rapid cybersecurity incident response systems to defend your business.

TL;DR: Highlights from the Q3 Ransomware Report

  • 1,529 ransomware attacks were recorded in Q3 2025, a 2.7% increase from the previous quarter.
  • Five groups (Qilin, Akira, IncRansom, Play, DragonForce) drove 40%+ of all activity.
  • Data extortion and token-based persistence surpassed traditional encryption tactics.
  • SharePoint exploits and OAuth abuse emerged as dominant access methods.
  • Identity-aware MDR and affiliate-level detection are critical for faster containment and resilience.

How Many Ransomware Attacks Happened in Q3 2025?

The numbers tell a clear story. And while a 2.7% increase (up to 1,529 attacks) may seem small, it signals a dangerous trend: Scalable growth.

With 77 active groups (up from 66 just nine months prior), the ransomware ecosystem and the number of actors at play both expanded. This fragmentation fuels scale through the affiliate model: more groups mean more attacks.

The other nuance was the “how.” Data extortion is now more common than encryption. Attackers are bypassing the lock-and-key approach (encrypting an entire server until they get paid). Instead, they simply steal your data and threaten to leak it.

Which Ransomware Groups Were Most Active?

Another interesting finding was the concentration of the attacks. The top five ransomware groups (Qilin, Akira, IncRansom, Play, and DragonForce) were responsible for 43.6% of all incidents. And leading the way was Qilin. They launched 230 attacks across five major sectors: Manufacturing, Technology, Construction, Healthcare, and Finance.

Qilin’s broad targeting strategy reflects how ransomware operations have matured. Instead of specializing in one industry, affiliates focus on disrupting essential, data-rich sectors where downtime tolerance is low and negotiation pressure is high. Their double-extortion model, encrypting systems while stealing sensitive information, creates multiple levers for coercion.

This highlights the efficiency of the affiliate model. Core groups develop the infrastructure and ransomware tools, while “affiliates” carry out the attacks. The model lets groups launch fast, scalable attacks against various targets because everyone focuses on their specialized role.

What Tactics Defined Ransomware Attacks This Quarter?

Advanced, stealthy tactics defined the Q3 ransomware report. Adversaries moved beyond traditional malware and focused more on “living off the land” via trusted tools. For instance:

  • OAuth token abuse: The most common method, seen particularly against platforms like Salesforce, was attackers stealing or manipulating legitimate tokens to gain access.
  • CVE-2025-61882 and ToolShell exploit: They’d weaponize the SharePoint vulnerability for entry, then use ToolShell to run malicious scripts while staying under the radar.
  • SaaS persistence: Attackers embedded themselves within cloud apps and created backdoors without being seen by endpoint security tools.
  • Token forgery: They’d craft fraudulent authentication tokens for broad cloud access.
  • Pure data theft: Simple stealing of sensitive customer and IP data from servers.

A major change? Many campaigns were encryption-optional. In other words, the mere threat of exposure was enough to extort payment.
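The identity- and SaaS-centric tactics listed above leave traces in SaaS audit logs rather than on endpoints. The following is an added example (not code from the original post or from CyberMaxx) of the kind of detection logic a SOC can run over such logs: a token presented from a second source address shortly after its first use (stolen or replayed token), a new connected app consented with broad or long-lived scopes (SaaS persistence), and a user exporting far more records in a day than normal (pure data theft). The event format, field names, thresholds and sample events are all constructed for the example and do not reflect any vendor's real log schema.

```python
"""Toy detections for stolen OAuth tokens, backdoor app consent and bulk data
theft. Event schema, field names and thresholds are constructed for this
example (assumptions), not a real platform's audit-log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SaaS audit events (not from any real platform).
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T09:00:00", "user": "alice", "event": "api_call",
     "token_id": "tok-1", "src_ip": "203.0.113.10"},
    {"ts": "2025-09-10T09:05:00", "user": "bob", "event": "api_call",
     "token_id": "tok-2", "src_ip": "203.0.113.11"},
    # alice's token presented again from a different address 20 minutes later.
    {"ts": "2025-09-10T09:20:00", "user": "alice", "event": "api_call",
     "token_id": "tok-1", "src_ip": "198.51.100.7"},
    {"ts": "2025-09-10T09:30:00", "user": "bob", "event": "api_call",
     "token_id": "tok-2", "src_ip": "203.0.113.11"},
    # A new connected app authorized with broad, long-lived scopes.
    {"ts": "2025-09-10T09:25:00", "user": "alice", "event": "app_consent",
     "app": "DataSync Helper", "scopes": ["full", "refresh_token"]},
    {"ts": "2025-09-10T10:00:00", "user": "bob", "event": "app_consent",
     "app": "Calendar Widget", "scopes": ["read:calendar"]},
    # Exports: alice's two pulls in one day add up to far more than normal.
    {"ts": "2025-09-10T09:40:00", "user": "alice", "event": "bulk_export",
     "records": 80000},
    {"ts": "2025-09-10T11:10:00", "user": "alice", "event": "bulk_export",
     "records": 60000},
    {"ts": "2025-09-10T12:00:00", "user": "bob", "event": "bulk_export",
     "records": 5000},
]

# Scopes that grant wide or durable access; an attacker's backdoor app
# typically asks for these so access survives a password reset.
BROAD_SCOPES = {"full", "refresh_token", "api", "offline_access"}


def load(events):
    """Parse ISO timestamps and return the events sorted by time."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_token_reuse(events, window=timedelta(hours=1)):
    """Flag an access token presented from a second source IP within `window`
    of its first observed use: the signature of a stolen or replayed token."""
    first_use = {}  # token_id -> (first timestamp, first source IP)
    findings = []
    for e in events:
        if e["event"] != "api_call":
            continue
        tok = e["token_id"]
        if tok not in first_use:
            first_use[tok] = (e["ts"], e["src_ip"])
            continue
        ts0, ip0 = first_use[tok]
        if e["src_ip"] != ip0 and e["ts"] - ts0 <= window:
            findings.append({"rule": "token_reuse", "user": e["user"],
                             "token_id": tok, "ips": [ip0, e["src_ip"]]})
    return findings


def detect_broad_consent(events, broad_scopes=BROAD_SCOPES):
    """Flag a newly authorized connected app that requested broad scopes."""
    return [{"rule": "broad_consent", "user": e["user"], "app": e["app"],
             "scopes": sorted(set(e["scopes"]) & broad_scopes)}
            for e in events
            if e["event"] == "app_consent" and set(e["scopes"]) & broad_scopes]


def detect_bulk_export(events, daily_threshold=100_000):
    """Flag a user whose exported records in one calendar day exceed the
    threshold: a data-theft indicator even when nothing is ever encrypted."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "bulk_export":
            totals[(e["user"], e["ts"].date())] += e["records"]
    return [{"rule": "bulk_export", "user": u, "date": d.isoformat(),
             "records": n} for (u, d), n in totals.items() if n > daily_threshold]


def run_detections(raw_events):
    """Run every rule over the raw events and return the combined findings."""
    events = load(raw_events)
    return (detect_token_reuse(events) + detect_broad_consent(events)
            + detect_bulk_export(events))


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints three findings: the reuse of `tok-1` from two addresses, the broad-scope consent for "DataSync Helper", and alice's 140,000 exported records. The thresholds are deliberately simple; in production the IP comparison would typically be widened to ASN or geolocation, and the export baseline derived per user rather than fixed.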

How Can Organizations Strengthen Defenses After the Q3 Ransomware Report?

The Q3 ransomware report is a call to action. Defense is no longer about stacks of alerts. It’s about containment speed and minimizing the blow.

  • Prioritize response-first MDR: Choose an MDR partner that can automate containment in minutes, not hours, and that doesn’t focus on endpoints alone: it also needs visibility into identity and SaaS apps to see the whole attack chain.
  • Hunt for affiliate TTPs: Move beyond generic IoCs. Hunt for the specific techniques these top ransomware groups use today.
  • Practice tabletops: Run exercises not just on basic network breaches, but also on supply chain and SaaS application compromises.
  • Track containment: Measure what matters. Containment speed and exfiltration prevention are your best path to cyber resilience.

Preparing for What’s Next: Insights from the Q3 Ransomware Report

Ransomware is evolving fast, but so can your response. A response-first MDR can prepare your SOC for the rise in identity-based attacks and data extortion.
Want the complete tactical breakdown of last quarter’s attack activity? Download CyberMaxx’s full Q3 Ransomware Risk Report today.

FAQ: Q3 Ransomware Report

How many ransomware attacks did the U.S. face in Q3 2025?

The U.S. remained the most targeted country, facing hundreds of attacks during Q3 (around 600-800).

Based on the CyberMaxx Q3 Ransomware Research Report, however, the global total reached 1,529.

What’s the difference between data extortion and encryption-based attacks?

Encryption locks your data. Data extortion involves stealing and threatening to publish it. Extortion is now the preferred ransomware tactic.

Why are there more ransomware groups now than before?

The affiliate model has created a sophisticated supply chain for cyber attacks. Labor is specialized: some groups create ransomware tools while others deploy them. This lowers the barrier to entry, and so there are more groups.

What are the most critical metrics for evaluating incident response?

Containment metrics, such as mean time to respond (MTTR), show how effectively you can detect and contain ransomware. The faster you respond, the lower the impact and breach costs.
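The "Track containment" recommendation above and this FAQ answer both come down to measuring the same few durations per incident. The following is an added example (not code from the original post or from CyberMaxx) that computes them from a constructed set of incident records: time to detect, time to contain after detection, total dwell time, the share of incidents contained before any exfiltration began, and the share contained within a target such as the "minutes, not hours" goal. The incident records, field names and the 60-minute target are assumptions made for the example.

```python
"""Containment metrics (MTTD, MTTR, dwell, exfiltration prevented) from a
constructed incident timeline. Records and field names are invented for
this example."""
from datetime import datetime
from statistics import mean, median

# Constructed incident records: when the intrusion began, when it was
# detected, when it was contained, and when (if ever) data started leaving.
INCIDENTS = [
    {"id": "INC-1", "start": "2025-07-02T01:00", "detected": "2025-07-02T01:20",
     "contained": "2025-07-02T01:35", "exfil_start": None},
    {"id": "INC-2", "start": "2025-08-14T22:00", "detected": "2025-08-15T06:00",
     "contained": "2025-08-15T09:30", "exfil_start": "2025-08-15T02:00"},
    {"id": "INC-3", "start": "2025-09-09T13:00", "detected": "2025-09-09T13:10",
     "contained": "2025-09-09T13:50", "exfil_start": "2025-09-09T13:05"},
    {"id": "INC-4", "start": "2025-09-20T03:00", "detected": "2025-09-20T05:00",
     "contained": "2025-09-20T05:45", "exfil_start": None},
]


def _minutes(a, b):
    """Elapsed minutes between two ISO timestamps."""
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 60


def incident_metrics(inc):
    """Per-incident durations in minutes, plus whether containment beat exfiltration."""
    ttd = _minutes(inc["start"], inc["detected"])       # time to detect
    ttc = _minutes(inc["detected"], inc["contained"])   # time to contain
    exfil = inc["exfil_start"]
    # Exfiltration counts as prevented if it never started, or started only
    # after the incident was already contained.
    prevented = exfil is None or datetime.fromisoformat(exfil) > datetime.fromisoformat(inc["contained"])
    return {"id": inc["id"], "ttd_min": ttd, "ttc_min": ttc,
            "dwell_min": ttd + ttc, "exfil_prevented": prevented}


def summarize(incidents, target_min=60):
    """Fleet-level containment metrics over a list of incident records."""
    rows = [incident_metrics(i) for i in incidents]
    ttc = [r["ttc_min"] for r in rows]
    return {
        "mttd_min": mean(r["ttd_min"] for r in rows),
        "mttr_min": mean(ttc),                      # mean time to respond/contain
        "median_ttr_min": median(ttc),              # robust to one slow outlier
        "mean_dwell_min": mean(r["dwell_min"] for r in rows),
        "exfil_prevented_rate": sum(r["exfil_prevented"] for r in rows) / len(rows),
        "within_target_rate": sum(t <= target_min for t in ttc) / len(rows),
        "slowest": max(rows, key=lambda r: r["dwell_min"])["id"],
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed records the mean time to contain is 77.5 minutes but the median is 42.5, which is why both are reported: a single slow incident (INC-2, detected eight hours in) drags the mean up, and that incident is also one of the two where data left before containment. Tracking the exfiltration-prevented rate alongside MTTR keeps the metric honest for extortion-only attacks, where fast containment matters only if it beats the data theft.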

Read the full report now.