The past year was much quieter than 2024 in ransomware takedown and anti-cybercrime law enforcement operations.
Additionally, less organized collectives such as Scattered Spider, Lapsus$ and ShinyHunters grabbed many of the headlines in 2025.
However, traditional ransomware syndicates continued to be active throughout the year.
According to ransomware tracking website Ransomware.live, 306 groups were active over the past year, listing 7902 victims at the time of writing. This is significantly higher than the 6129 victims listed in 2024 and the 5336 victims listed in 2023.
However, these statistics are based solely on listings from data leak sites and could misrepresent the true scale of attacks, as many incidents go unreported or undetected and some claims by ransomware groups are false.
Qilin, the group that claimed the cyber-attack on brewing giant Asahi in September, was the most prolific ransomware group, with 1001 victims listed on its data leak site according to Ransomware.live and 973 according to competitor RansomLook.
Both ransomware intelligence websites put Akira as the group with the second most victims claimed, while Clop took the third place.
Ransomware groups were the most active in February of 2025, with 1014 claims in the shortest month of the year, while June had the least victims claimed at 502.
RansomLook’s analysis showed that the Russian-linked ransomware group Clop was particularly active in the first quarter of 2025, activity then slowed during the summer months until a small peak of activity around October. Meanwhile, Qilin and Akira showed consistent activity throughout the whole year with less peaks and troughs.
US Ransomware Victims Made Half of 2025’s Total
In 2025, ransomware groups targeted a wide range of industries, with Ransomware.live reporting victims for at least 10 sectorial categories.
The highest number of victims came from the manufacturing sector (930), followed by technology (893) and healthcare (529).
The geographical breakdown, however, was less balanced, with US victims representing almost half of the total number of ransomware group-listed victims in 2025 (3328).
The second most targeted country, Canada, represented a far lower number with 358 listed victims over the past year. Germany had 318, the UK 251 and France, 172.