Ransomware Attacks Skyrocket 58% in 2025, Setting New Records

New Threat Reports from GuidePoint and Symantec Reveal Record-Breaking Ransomware Activity in 2025

Severity: HIGH
Published: January 16, 2026
Updated: January 19, 2026
Topics: Ransomware, Threat Intelligence, Threat Actor


Executive Summary

Threat intelligence reports from GuidePoint Security and Symantec have confirmed that 2025 was a landmark year for ransomware, with attack volumes surging to unprecedented levels. GuidePoint's research indicates a 58% increase in victims compared to 2024, culminating in a record-breaking December with 814 claimed attacks. The data shows that law enforcement disruptions against major groups like LockBit (Syrphid) and RansomHub had only a temporary effect, as the flexible affiliate-based model allowed attackers to quickly pivot to new or emerging Ransomware-as-a-Service (RaaS) platforms. The Qilin and Akira groups rose to prominence, becoming the most prolific operators. The United States continued to be the most targeted nation, and the manufacturing industry bore the brunt of these attacks.


Threat Overview

The key trend of 2025 was the resilience and adaptability of the ransomware ecosystem. The RaaS model enables a fluid marketplace where skilled affiliates (attack operators) can switch allegiances to whichever RaaS platform offers the best tools and profit-sharing. When LockBit's infrastructure was disrupted, its affiliates did not cease operations; they simply migrated to other groups.

Qilin emerged as a particularly aggressive and successful group, with GuidePoint noting it became the most active group they have ever tracked, even surpassing LockBit's peak activity. Akira also maintained a high operational tempo. Together, these two groups accounted for 16% of all attacks in 2025 according to Symantec.

The reports also highlight a diversification of extortion tactics. While data encryption remains a core component, pure data theft extortion—where attackers steal data and threaten to leak it without deploying encryption—is growing. This tactic targets organizations with robust backup strategies, as the threat is purely reputational and financial rather than operational.

Key Statistics for 2025:

  • 58% year-over-year increase in claimed victims (GuidePoint).
  • 814 attacks in December 2025, the most active month on record.
  • 55% of all victims were located in the United States.
  • Top Targeted Industries: Manufacturing (14%), Technology (9%), Retail/Wholesale (7%).

Technical Analysis

The TTPs of dominant groups like Qilin and Akira are well-documented and follow a common enterprise ransomware pattern:

  1. Initial Access: Affiliates use a variety of methods, with compromised credentials for VPNs and other remote services being a primary vector (T1078 - Valid Accounts). Exploitation of public-facing applications, particularly in networking devices and virtualization software, is also common (T1190 - Exploit Public-Facing Application).

  2. Credential Access & Discovery: Once inside, attackers use tools like Mimikatz to dump credentials and move laterally. They perform extensive network discovery to identify domain controllers, backup servers, and high-value data stores.

  3. Defense Evasion: A key step is disabling or tampering with security software. Attackers use scripts to stop services associated with EDR and antivirus products (T1562.001 - Disable or Modify Tools).

  4. Impact: Before deploying the ransomware payload (T1486 - Data Encrypted for Impact), attackers exfiltrate large volumes of sensitive data (T1041 - Exfiltration Over C2 Channel) to enable the double-extortion threat.

MITRE ATT&CK Mapping

Tactic            Technique ID  Technique Name
Initial Access    T1133         External Remote Services
Credential Access T1003         OS Credential Dumping
Defense Evasion   T1562.001     Disable or Modify Tools
Lateral Movement  T1021.001     Remote Desktop Protocol
Exfiltration      T1041         Exfiltration Over C2 Channel
Impact            T1486         Data Encrypted for Impact

Impact Assessment

The record-breaking surge in ransomware has profound economic and societal impacts:

  • Economic Drain: Billions of dollars are lost annually to ransom payments, recovery costs, and lost productivity. The manufacturing sector's targeting disrupts physical supply chains, causing cascading economic effects.
  • Threat to Critical Services: Attacks on healthcare, government, and critical infrastructure put public safety at risk.
  • Data Breach Proliferation: The double-extortion model means that every ransomware attack is now also a data breach, exposing vast amounts of corporate and personal information on the dark web.
  • Cyber Insurance Strain: The high frequency and cost of attacks are driving up cyber insurance premiums and making coverage harder to obtain, placing more financial strain on businesses.

Detection & Response

  • Behavioral Detections: Focus on detecting attacker behaviors rather than just malware signatures. Use an EDR to alert on credential dumping attempts, lateral movement via RDP/SMB, and the disabling of security tools. This aligns with Behavior Prevention on Endpoint (M1040).
  • Network Monitoring (D3-NTA): Implement Network Traffic Analysis to detect data exfiltration. Monitor for large, unexpected outbound data flows, especially to cloud storage services or unknown IP addresses.
  • Active Directory Security: Monitor AD for signs of compromise, such as the creation of new admin accounts, changes to group policies, or Kerberoasting attempts. This is a form of Domain Account Monitoring (D3-DAM).

Mitigation

Combating the industrialized ransomware threat requires fundamental security hygiene and modern defenses.

  1. Secure Remote Access (M1032): Enforce phishing-resistant Multi-factor Authentication (D3-MFA) on all VPNs and remote access points. This is the single most effective control against credential-based intrusions.

  2. Patch Management (M1051): Aggressively patch internet-facing systems and critical vulnerabilities. Ransomware groups are quick to weaponize new exploits.

  3. Immutable Backups: Implement a 3-2-1 backup strategy with at least one copy offline or immutable. Regularly test your restoration process to ensure you can recover without paying the ransom.

  4. Privileged Access Management (M1026): Implement PAM solutions and a tiered administrative model to limit the scope of privileged accounts. This contains the damage if an admin account is compromised.

Timeline of Events

January 16, 2026: This article was published.

Article Updates

January 19, 2026

New report highlights a 93% surge in supply chain attacks in 2025, with ransomware groups leveraging them for mass deployment, significantly increasing the overall threat landscape.

MITRE ATT&CK Mitigations

  • Secure Remote Access (M1032): The most effective defense against initial access via compromised credentials for VPNs and other remote services.
  • Behavior Prevention on Endpoint (M1040): Using EDR to detect and block malicious behaviors like credential dumping and disabling security tools can stop an attack before encryption.
  • Patch Management (M1051): Reduces the attack surface by closing vulnerabilities that ransomware affiliates are quick to exploit.
  • Network Segmentation: Contains the blast radius of a ransomware attack, preventing it from spreading across the entire enterprise.

D3FEND Defensive Countermeasures

Given that compromised credentials for remote services remain a top initial access vector for ransomware groups like Qilin and Akira, implementing phishing-resistant Multi-factor Authentication is the highest-priority defense. This should be enforced across all external remote services (VPNs, RDP gateways, Citrix) and for all user accounts, especially privileged ones. The goal is to make a stolen password useless on its own. Organizations should prioritize FIDO2/WebAuthn hardware tokens over less secure methods like SMS or push notifications, which are susceptible to MFA fatigue attacks. This single control dramatically hardens the perimeter against the most common entry point for ransomware affiliates.

To detect ransomware activity post-compromise, security teams must leverage Process Analysis via an Endpoint Detection and Response (EDR) tool. Create specific detection rules for common ransomware TTPs. For example, monitor for powershell.exe spawning a process that attempts to access lsass.exe, a clear indicator of credential dumping. Alert on the execution of commands like vssadmin.exe delete shadows or wbadmin.exe delete catalog, which are used to destroy backups. By focusing on these malicious behaviors rather than file signatures, defenders can identify and terminate a ransomware attack chain before the final encryption stage, regardless of the specific malware variant used.
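As an added example (not code from the article or from either vendor report), the Python below applies the behavioral rules described here and in the Detection & Response and Technical Analysis sections to constructed EDR-style process events: a script host spawning a process that opens lsass.exe, the vssadmin/wbadmin backup-destruction commands, and real-time protection being switched off. The event shape, host names and the script-host list are assumptions; T1490 (Inhibit System Recovery) is the ATT&CK ID used for the shadow-copy rule, which the article's table does not list.

```python
import re

# Constructed sample telemetry in a simplified EDR/Sysmon-like shape (not real incident data).
SAMPLE_EVENTS = [
    {"event": "process_access", "host": "WS-0142",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "source_image": r"C:\Users\Public\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event": "process_access", "host": "WS-0142",  # benign: csrss.exe under services.exe
     "parent_image": r"C:\Windows\System32\services.exe",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event": "process_create", "host": "SRV-FS01",
     "command_line": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"event": "process_create", "host": "SRV-FS01",
     "command_line": "wbadmin DELETE CATALOG -quiet"},
    {"event": "process_create", "host": "SRV-FS01",  # benign: read-only enumeration
     "command_line": "vssadmin.exe list shadows"},
    {"event": "process_create", "host": "WS-0142",
     "command_line": 'powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
]

# Script hosts whose children should not be opening lsass.exe (assumed list; tune per estate).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Backup-destruction commands named in the article; \s+ tolerates padded spacing, re.I mixed case.
BACKUP_DESTRUCTION = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog)\b", re.I)
# Real-time protection switched off through the Defender cmdlet (T1562.001).
DEFENSE_EVASION = re.compile(r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I)


def basename(path: str) -> str:
    # Lower-cased file name of a Windows or POSIX path, so rules compare names, not full paths.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    # Returns (host, ATT&CK id, description) for every event that trips a rule, in event order.
    alerts = []
    for ev in events:
        if ev.get("event") == "process_access":
            parent, child = basename(ev.get("parent_image", "")), basename(ev.get("source_image", ""))
            if basename(ev.get("target_image", "")) == "lsass.exe" and parent in SCRIPT_HOSTS:
                alerts.append((ev["host"], "T1003", f"{child} spawned by {parent} opened lsass.exe"))
        elif ev.get("event") == "process_create":
            cmd = ev.get("command_line", "")
            if BACKUP_DESTRUCTION.search(cmd):
                alerts.append((ev["host"], "T1490", f"backup destruction: {cmd}"))
            elif DEFENSE_EVASION.search(cmd):
                alerts.append((ev["host"], "T1562.001", f"security tool tampering: {cmd}"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields four alerts and leaves the two benign events (csrss.exe under services.exe, `vssadmin list shadows`) silent, which is the point of matching on parent/child relationships and verbs rather than on the binary name alone.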

To limit the 'blast radius' of a successful ransomware intrusion, organizations must implement robust Network Isolation, or segmentation. Assume that an attacker will eventually breach the perimeter. A flat network allows them to move laterally with ease. Instead, segment the network into zones based on business function and data sensitivity (e.g., user workstations, production servers, development environments, domain controllers). Enforce a default-deny policy at the internal firewalls separating these zones. For example, a user workstation should never be able to initiate an RDP connection directly to a domain controller. This containment strategy is critical for preventing a minor intrusion from escalating into a full-blown enterprise-wide ransomware event.

Sources & References

  • Ransomware Victims and Threat Groups Surge to Record Levels, GuidePoint Security Finds. GuidePoint Security (guidepointsecurity.com), January 15, 2026.
  • Ransomware activity never dies, it multiplies. Help Net Security (helpnetsecurity.com), January 16, 2026.

Article Author

Jason Gomes
• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, Threat Intelligence, GuidePoint Security, Symantec, Qilin, Akira, LockBit, RaaS
