The number of active ransomware groups reached an all-time high, while the growth rate of victims has doubled compared with 2024, according to new research from threat intelligence firm Searchlight Cyber.
Ransomware has been growing for years, but 2025 appears to mark a turning point. The once relatively concentrated cybercrime market has evolved into a sprawling ecosystem of specialized groups, tools, and partnerships that increasingly resemble a professional industry.
The Searchlight Cyber research shows just how rapidly the landscape is expanding.
“2025 was a record year for ransomware, driven by a professionalized ecosystem that remains devastatingly effective despite increased pressure from global law enforcement. While we saw a very slight dip in victim numbers in the second half of the year, this should not be interpreted as a victory,” researchers said in the H2 2025 ransomware report.
“The landscape continues to fragment; large monolithic syndicates are fracturing into smaller, agile cells, and with the number of active groups at an all-time high, the threat landscape has become more complex and difficult to track than ever before,” the findings show.
The report identifies 7,458 publicly disclosed ransomware victims in 2025, the highest number ever recorded. And that figure likely represents only a fraction of the real impact. Many incidents go unreported, and the ripple effects extend far beyond the organizations directly attacked. When ransomware operators steal data, the consequences often extend to customers, partners, and employees, whose personal information circulates on the dark web.
Geographically, the United States remained the primary target, accounting for 1,536 reported victims. Canada, Germany, and the United Kingdom followed, though at significantly lower levels. Yet the geographic distribution is less revealing than the overall trend: ransomware is no longer limited to certain sectors or regions. It has become a global criminal industry.
Searchlight identified 124 active ransomware groups in 2025, including 73 new groups that emerged during the year alone. Many of these appear to be splinter groups formed by members of existing cybercrime organizations. This fragmentation has created an increasingly competitive landscape. As new actors enter the market, they often seek victims more aggressively or adopt new techniques to differentiate themselves. We are now witnessing a cybercrime environment where attacks are both more frequent and more sophisticated.
A major reason for this rapid expansion is the continued growth of Ransomware-as-a-Service (RaaS) platforms. These operations function much like legitimate software businesses. Developers create ransomware tools and lease them to affiliates, who carry out attacks and share in the ransom payments. The Qilin group has emerged as the most prolific example of this model. By offering a ready-made ransomware toolkit that affiliates can deploy with minimal technical expertise, Qilin has significantly lowered the barrier to entry for cybercriminals. Another group, Akira, has also become a major player in the RaaS ecosystem. The model works because it mirrors legitimate platform economics: developers focus on building tools, while affiliates handle the “customer acquisition,” which in this case means finding victims.
Another notable development in 2025 is the emergence of what analysts describe as ransomware “supergroups.” These collaborations bring together multiple cybercrime organizations that combine their skills to launch larger and more complex attacks. One prominent example involves Scattered Spider, LAPSUS$, and ShinyHunters, which reportedly collaborated on a shared ransomware operation.
The logic is simple. Pooling expertise allows groups to scale their operations and target organizations that might otherwise be too difficult for a single group to attack.
AI is also beginning to play a role in ransomware operations. Threat actors increasingly use AI tools to generate convincing phishing messages and automate social engineering campaigns. The result is a level of realism that makes fraudulent emails and messages far harder for employees to detect. In many cases, a single successful phishing email can provide attackers with the access they need to infiltrate corporate networks.
What once required deep technical expertise can now be executed using rented tools, shared infrastructure, and AI-assisted phishing campaigns. That shift has dramatically expanded the pool of attackers and accelerated the pace of attacks.