- The number of ransomware victims showing up on dark web leak sites shot up by 30% in 2025, hitting almost 7,500.
- Currently, there are 124 active ransomware groups out there, and 73 of them are new ones that just popped up last year.
- Better AI tools are empowering cybercriminals; even beginners can launch serious attacks these days.

Searchlight Cyber just released a new report showing a serious increase in ransomware attacks, twice as much as was seen in 2023 and 2024. Ransomware crews posted 7,458 victims on dark web leak sites in 2025, a 30% increase from the previous year.
The second half of the year alone saw 93 active groups, and 38 were fresh entrants. The report also revealed that there were 124 active ransomware crews, and of that number, 73 just entered the game.
Ransomware Getting More Severe
Qilin climbed to the top as the most prolific group. The number of victims the group posted surged by a remarkable 420% year-over-year.
Like crime syndicates expanding into a larger region, cybercriminals have developed supergroups in order to increase the scale of their criminal activity. Groups like Scattered Lapsus$ Hunters pool specialized talents to pull off bigger heists.
AI is basically throwing gasoline on the fire. Just about anyone, tech-savvy or not, can grab these new tools and crank out their own malware. Phishing is easier, too. Criminals can automate attacks and pump out phishing emails that look so real, you’d probably click the link yourself.
And AI doesn’t just help with the break-in; it also sifts through all the stolen data in minutes, not weeks. Some groups even use it to handle negotiations with victims, making the entire process faster and way more dangerous.
Why Traditional Security Tools Aren’t Helping
Law enforcement pressure isn’t stopping the tide. Despite global police operations taking down major groups, the ecosystem remains “devastatingly effective”, according to Luke Donovan, Searchlight Cyber’s head of threat intelligence.
But while the number of attacks continues to rise, there is a silver lining: a global crackdown showed measurable impact as ransomware payments plummeted by 35% in 2024, suggesting that when law enforcement disrupts payment infrastructure and pursues financial channels, even resilient criminal networks feel the pinch.
Cybercriminals no longer stick together like they used to. They’re now breaking off into smaller, trickier groups, and tracking those is a lot tougher. The threat landscape feels more complex than it ever was.
Third-party software still stands out as a big weak spot. Attackers are weaponizing flaws in software supply chains faster than companies can patch them. Security experts call this ‘Shadow Exposure’ — the risk hiding in tools you didn’t even know your vendors used.
What Organizations Get Wrong
The usual suspects are still causing most of the damage. Insider threats, whether from current or former employees, top that list. Process failures, like not enabling multi-factor authentication and failing to fix security holes, are other areas where many firms get it wrong.
Initial Access Brokers are doing the dirty work for hire. These specialists pounce on remote desktop protocol vulnerabilities and compromised VPN accounts. They then sell that access to ransomware groups, creating a professionalized criminal supply chain.
Luke Donovan offers a blunt reality check. According to him, though there was a very small reduction in the number of victims in the second half of the year, we shouldn’t count it as a victory. The game has changed, and not in the defenders’ favor.
The Way Forward
Doing nothing and waiting for law enforcement to swoop in and save you is not advisable. Police crackdowns help, but based on what we’ve observed, they alone won’t solve the problem.
Preemptive defense is the name of the game now. Organizations must maintain constant visibility into their networks. They need to spot and fix exposures before attackers weaponize them.
The goal is simple but challenging. “The only way to truly win is to ensure you aren’t an eligible target in the first place,” Donovan added.
For businesses, this means treating ransomware prevention like home security. You don’t wait for burglars to try your door; you lock it, install lights, and make your house the least inviting one on the block.