A new report out today from ThreatDown, the corporate business unit of Malwarebytes Inc., finds that ransomware attacks jumped 25% year-over-year between July 2024 and June 2025, making it the most active 12-month period on record.
The ThreatDown 2025 State of Ransomware report found that February 2025 alone saw more than 1,000 incidents, the highest monthly figure ever recorded. It details an increasing fragmentation in the ransomware ecosystem, with 41 new groups appearing during the period, bringing the number of active known gangs to more than 60 for the first time.
Not surprisingly, the U.S. continued to be the hardest-hit country, with 47% of known attacks, but 42 countries also reported their first ransomware incidents, showing the spread of attacks far beyond traditional targets in the U.S. and Western Europe.
Topping the list of sectors being targeted was healthcare, with recent attacks causing both human and economic tolls. In June in the U.K., a ransomware incident at Synnovis Ltd. delayed critical blood tests and contributed to one of the first officially recognized patient deaths linked to ransomware. In the U.S., Frederick Health Health System Inc. and McLaren Health Care Corp. saw nearly 1.7 million patient records exposed across two major breaches.
The groups behind the attacks also changed over the 12 months to the end of July.
Following the demise of LockBit and ALPHV, RansomHub emerged as the top ransomware gang but disappeared less than a year after first emerging, with its leak site and negotiation portals not updated since March. Meanwhile, the Cl0p ransomware group returned with a bang in late 2024, carrying out hundreds of attacks in just a few months, including 335 victims in February alone.
The report found that attackers continue to favor operating at night and exploiting legitimate system tools in “living off the land” campaigns, but that new patterns have also emerged. These include exploiting firewall vulnerabilities in Fortinet Inc. and SonicWall Inc. products, taking advantage of absent or poorly managed backups and leveraging blind spots such as unprotected servers, shadow information technology devices and outdated operating systems.
“Ransomware isn’t just a security problem, it’s a profound business and human crisis,” said Marcin Kleczynski, founder and chief executive officer at Malwarebytes. “The escalation has led to severe real-world consequences, including compromised patient data, significant financial losses and even human casualties. There is a critical need for constant vigilance as attackers become scrappier and more adaptive.”
The report concludes by arguing that combating today’s threat landscape requires more than traditional endpoint detection, calling for always-on managed detection and response services to help security teams detect, contain and remediate attacks at high speed.