6,635 confirmed ransomware attacks. One year. That’s about 553 attacks per month on average, or roughly 18 attacks every day.
That’s how busy the ransomware ecosystem was in 2025 — and attackers didn’t just scale activity. They evolved. New groups entered the ecosystem. Established operations accelerated. Entire industries absorbed repeated disruption. And AI-related risk made the shift from theory to boardroom concern.
Throughout 2025, ransomware gangs increased the speed and scale of their operations. Ransomware continued to grow as a durable, industrialized ecosystem built on specialization, shared infrastructure, and rapid regeneration rather than any single brand. Law enforcement pressure and infrastructure seizures disrupted major operations, driving fragmentation, rebranding, and intensified competition across a more fluid landscape.
Top Groups and Those to Watch in 2026
The most prolific ransomware operators in 2025 were distinguished not by technical sophistication but by operational maturity, affiliate discipline, and the reliability of their extortion infrastructure. These are the ones who stole the show:
• Qilin
• Akira
• Play
• INC Ransom
• Lynx
Beyond the established groups, more than 45 of the year’s new entrants demonstrated capabilities that warrant attention, including:
• DragonForce
• SafePay
• Fog
• The Gentlemen
Top 2025 Trends
Dwell Time Compression and Rapid Intrusion Execution: Ransomware operations were significantly faster compared with 2024. Dwell time continued to compress through 2025, with intrusion timelines collapsing from days to hours in the fastest-moving cases, leaving little to no effective response window once access was established.
Attack Timing Aligned to Reduced Defensive Coverage: Ransomware gangs continued to strike when targeted organizations’ security teams were least likely to respond, with 69% of observed attack attempts occurring outside business hours. Temporal analysis shows attackers deliberately timing operations for nights and weekends, when monitoring is limited; late evening was the most common execution window.
Defense and Security Bypass Became Standard: Most attempted attacks observed in 2025 deliberately sought to evade or impair organizations’ defensive and security tooling, including Endpoint Detection and Response (EDR). Most of these ransomware attempts occurred only after endpoint controls had been bypassed or degraded, with tens of thousands of EDR bypass and suppression events detected over the year.
Expansion of Bring Your Own Vulnerable Driver (BYOVD) and Kernel-Level Defense Evasion: Detections further show continued expansion of BYOVD abuse as a post-compromise technique to achieve kernel-level control and bypass endpoint detection and response mechanisms. Attackers loaded signed but vulnerable drivers to escalate privileges, disable or impair EDR and other endpoint protections, and operate below user-mode visibility. Because the driver carries a valid signature, signature checks alone do not stop it; the abuse shows up instead as a known-vulnerable driver being loaded, often from an unusual location, followed shortly by the endpoint agent losing integrity or going silent.
Disproportionate Impact on Small and Midsized Organizations (SMB): Small and midsized organizations faced a disproportionate share of ransomware risk throughout 2025, driven primarily by access economics and resource constraints. Halcyon data shows ransomware gangs targeted SMBs at nearly four times the rate of large organizations. Observations reflect a high concentration of ransomware activity targeting SMBs where dedicated security staffing is limited, security responsibilities are often combined with general IT functions, and visibility is uneven across identity, remote access, and endpoint activity. These characteristics make SMB environments more accessible and less resilient to sustained intrusion activity.
State and Criminal Activity Blur: In 2025, we saw continued overlap between nation state and criminal ransomware campaigns. Cybercriminal tactics offer nation-state actors several advantages. They are fast, scalable, and highly repeatable. They exploit common weaknesses in remote access, identity systems, and virtualization platforms that exist across nearly every critical environment. And critically, they complicate attribution, allowing attackers to operate below traditional response thresholds.
Shift From Group Branding to Access-Driven Ransomware Ecosystems: In 2025, ransomware gangs continued to fragment, rebrand, and operate in smaller, less stable configurations following successful law enforcement takedowns and infrastructure disruptions that degraded major ransomware operations. Throughout the year, more than 70 new gangs emerged, along with increasingly inconsistent leak-site behavior across campaigns. These conditions complicate attribution, since affiliates bring the same tactics to new groups, and make it increasingly difficult to determine at first sight whether a new group’s claims are genuine.
Repeated Targeting of IT/OT and Critical Service Environments: Information technology (IT)/operational technology (OT)-adjacent environments remained high-value ransomware targets due to structural constraints that amplify the impact of disruption once access is obtained. Organizations operating manufacturing processes, industrial systems, and critical infrastructure often rely on tightly coupled IT and OT environments where compromise of identity, remote access, or management systems can cascade rapidly into operational outages. In these settings, downtime pressure escalates quickly due to safety considerations, regulatory obligations, and service continuity requirements, increasing attacker leverage and payment pressure.
Geographic Distribution: Ransomware activity in 2025 remained heavily concentrated in North America and Western Europe, which together accounted for the majority of observed ransomware operations during the year. The United States alone represented over half of prevented ransomware activity. These regions also exhibited higher rates of after-hours execution and repeated intrusion attempts.
Industry Distribution: Ransomware gangs in 2025 targeted industries where downtime pressure, operational interdependence, and recovery constraints created strong extortion leverage. The most frequently targeted industry was manufacturing, accounting for roughly one-fifth of observed ransomware activity, followed by business services and construction. Finance, energy, transportation, and retail represented a smaller share of total incidents.
Tactics, Techniques, and Procedures
Ransomware attackers in 2025 consistently prioritized access, identity control, and operational speed, leveraging trusted administrative tooling, a narrow set of high-impact perimeter vulnerabilities, and living-off-the-land (LotL) techniques to compress timelines and reduce detection.
In particular, 78% of observed incidents involved attackers attempting to exploit legitimate remote monitoring and management (RMM) tools. Ransomware gangs treat remote tools as low-friction access mechanisms because they are commonly pre-installed, broadly trusted, and capable of full remote administrative control.
Remote tool abuse was highly concentrated, with ConnectWise ScreenConnect, AnyDesk, and Splashtop accounting for 89% of observed RMM-related ransomware activity. Observed activity shows remote tooling used not only for initial hands-on-keyboard access, but also to maintain persistence, re-enter environments after credential harvesting, and accelerate lateral movement following automated enumeration. Even when attackers installed the remote tools themselves, their activity often went undetected, because the binaries are signed, familiar, and frequently allow-listed.
The vulnerabilities ransomware operators most commonly exploited in 2025 were concentrated in a small number of perimeter technologies, including VPN appliances, remote management interfaces, and edge services that are broadly deployed and inconsistently patched. This concentration enabled fast intrusion timelines, repeatable execution, and simultaneous compromise across multiple environments sharing the same exposed services.
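The two observations above, that attackers favor nights and weekends and that a handful of RMM tools carry most of the abuse, combine naturally into one hunt: flag every execution of those tools, and weight it by whether the tool is sanctioned on that host, whether it runs from an install location, and whether it ran after hours. The following is an added example written for this page, not code from the report or from Halcyon. It assumes events shaped like Sysmon Event ID 1 (ProcessCreate); the executable names mapped to each tool, the approved-host inventory, the Monday-to-Friday 08:00-18:00 business window, the UTC-5 site offset and the sample events are all assumptions constructed for the example.

```python
"""
Hunt for remote-tool (RMM) abuse in process telemetry and score it by
execution time. Added example, not code from the original report.

Assumptions: events resemble Sysmon Event ID 1 (ProcessCreate) fields;
the RMM binary names, the approved-host inventory, the business-hours
window and the UTC-5 site offset are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Executables attributed to the three tools named in the report. The exact
# binary names are an assumption of this example, not from the report.
RMM_BINARIES: Dict[str, str] = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "srserver.exe": "Splashtop",
    "srmanager.exe": "Splashtop",
}
# Hosts where a given tool is sanctioned (constructed inventory).
APPROVED_RMM: Dict[str, Set[str]] = {"ws-helpdesk-01": {"ConnectWise ScreenConnect"}}
# Site-local business hours (assumption): Monday-Friday, 08:00-18:00, UTC-5.
SITE_TZ = timezone(timedelta(hours=-5))
BUSINESS_START, BUSINESS_END = 8, 18
TS = "%Y-%m-%d %H:%M:%S.%f"


def to_local(utc_time: str) -> datetime:
    """Sysmon logs UTC; convert to the site's local time before judging the hour."""
    return datetime.strptime(utc_time, TS).replace(tzinfo=timezone.utc).astimezone(SITE_TZ)


def is_after_hours(local: datetime) -> bool:
    """True on weekends or outside the business-hours window."""
    return local.weekday() >= 5 or not (BUSINESS_START <= local.hour < BUSINESS_END)


def score_event(ev: dict) -> Optional[dict]:
    """Return a scored finding for RMM executions, None for any other process."""
    name = ev["Image"].rsplit("\\", 1)[-1].lower()
    tool = RMM_BINARIES.get(name)
    if tool is None:
        return None
    local = to_local(ev["UtcTime"])
    reasons, score = [], 1  # any RMM execution is worth a look
    if tool not in APPROVED_RMM.get(ev["Computer"].lower(), set()):
        reasons.append("tool not sanctioned on this host")
        score += 2
    if not ev["Image"].lower().startswith(r"c:\program files"):
        # Attacker-dropped copies tend to run from user-writable locations.
        reasons.append("running outside Program Files")
        score += 2
    if is_after_hours(local):
        reasons.append(f"after-hours execution ({local:%a %H:%M} local)")
        score += 1
    return {"host": ev["Computer"], "tool": tool, "local_time": local.isoformat(),
            "score": score, "reasons": reasons}


def hunt(events: List[dict], min_score: int = 3) -> List[dict]:
    """Score every event and return those at or above min_score, highest first."""
    findings = [f for f in (score_event(e) for e in events) if f]
    return sorted((f for f in findings if f["score"] >= min_score), key=lambda f: -f["score"])


# Constructed sample telemetry (not real data). 2025-03-15 03:42 UTC is
# Friday 22:42 in UTC-5, the late-evening window the report describes.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-03-12 15:10:00.000", "Computer": "WS-HELPDESK-01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"UtcTime": "2025-03-15 03:42:11.000", "Computer": "FS-02",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"UtcTime": "2025-03-13 13:00:00.000", "Computer": "SRV-APP-01",
     "Image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe"},
    {"UtcTime": "2025-03-13 13:00:05.000", "Computer": "SRV-APP-01",
     "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['score']} {f['host']} {f['tool']} {f['local_time']}: {'; '.join(f['reasons'])}")
```

The sanctioned ScreenConnect execution on the help-desk workstation scores 1 and drops out; the AnyDesk copy running from a Temp directory on an unapproved host late on a Friday scores 6 and sorts to the top. The important design choice is the inventory: without a list of which hosts are supposed to run which tool, an RMM binary is indistinguishable from an attacker's RMM binary, which is exactly why the report notes that attacker-installed remote tools so often went unnoticed.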
Outlook for 2026
As we move further into 2026, the most common attack paths are likely to stem from gaps in identity governance, exposed internet-facing systems, weak oversight of remote access and management tools, and critical environments that lack layered, defense-in-depth protections. Ransomware gangs’ adoption of AI, continued targeting of upstream providers, and efforts to evade further disruption increase the potential for more, and more sudden, attack attempts. Ransomware gangs are also shifting toward pure data exfiltration over encryption.
Organizations that prioritize containment and recovery will navigate these attempts more successfully than organizations that prioritize prevention alone. Assume your EDR will be bypassed.
Cyber resilience is the main topic on the CISO agenda for 2026.
