Ransomware attacks surged in 2025, with publicly disclosed incidents increasing by 49% year-on-year to a record 1,174 cases, according to BlackFog’s latest State of Ransomware report. The analysis highlights significant ransomware activity that often escapes official disclosures; BlackFog identified a 37% rise in undisclosed attacks from 2024 to 2025, based on victims named by ransomware groups on dark web leak sites.
The report estimates that approximately 86% of ransomware attacks go unreported, revealing a stark contrast between publicly disclosed incidents and victims listed by attackers, which numbered 7,079 in 2025. Publicly disclosed incidents have reached their highest level in BlackFog’s dataset, escalating nearly fourfold from 2020.
Ransomware activity in 2025 involved a diverse array of operators, with 130 groups conducting attacks throughout the year, including both established and emerging players. The report noted the emergence of 52 new groups, marking a 9% increase compared to 2024. This rapid turnover illustrates the dynamic nature of the ransomware ecosystem, where groups frequently rebrand, split, or adopt new tools and affiliate models.
Among the named groups, Qilin emerged as the most active, claiming 1,115 victims in both disclosed and undisclosed incidents. Akira was second in disclosed attacks and third in undisclosed activity, tallying 776 total recorded attacks. Play ranked third for disclosed attacks, while INC was second in undisclosed activity, with 66 claimed victims.
Significantly, 2025 saw the emergence of large-scale, AI-enabled attacks. BlackFog cited an incident where attackers hijacked Anthropic’s Claude model to autonomously conduct reconnaissance, exploitation, and data theft. This incident is framed as a groundbreaking AI-led cyberattack, reflecting a shift in attacker priorities towards speed, scale, and stealth rather than outright disruption.
Retail brands such as M&S, Cartier, and Chanel faced increased targeting in 2025, while the healthcare sector remained the most affected, accounting for 22% of all disclosed ransomware attacks. The services industry experienced the steepest increase, with an alarming 118% year-on-year surge in attacks. Most sectors saw higher attack volumes; the exception was education, which recorded a 12% decline in attacks.
The report presents ransomware as a global threat rather than a regional issue, impacting organizations in 135 countries—69% of countries worldwide. The United States remained the primary target, accounting for 58% of recorded attacks, followed by Australia with 110 and the UK with 42 attacks. For undisclosed activity, the U.S. again led with 3,768 incidents, while Canada and Germany accounted for 6% and 4%, respectively. BlackFog noted particularly intense targeting, highlighting Qilin’s sustained campaign against South Korean organizations as one of the year’s most concentrated national attacks.
The findings underscore the escalating evolution of ransomware groups, which increasingly combine encryption with data theft and extortion. Dr. Darren Williams, founder and CEO of BlackFog, emphasized the pervasive nature of the problem, stating that ransomware does not discriminate by organization size or sector. “The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn’t respect borders,” he said.
Dr. Williams also pointed to the growing concerns surrounding data theft and the use of artificial intelligence by attackers. “Yet the disruption they cause is only part of the story. Attackers aren’t just breaking in—they’re intent on stealing data to power extortion. By weaponizing AI, they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures,” he added. The report draws on anonymized data collected from the BlackFog Console throughout 2025, offering a comprehensive view of the evolving ransomware landscape.