ThreatDown News

Ransomware Attacks Surge 25% Year-over-Year as New Report from ThreatDown Reveals Alarming Global Expansion and Evolving Tactics

Annual report examines the critical need for proactive security hygiene to counter increasingly adaptive ransomware operations


SANTA CLARA, Calif., August 19, 2025 – ThreatDown, the corporate business unit of Malwarebytes, today released its “2025 State of Ransomware” report, revealing a significant 25% year-over-year increase in ransomware attacks from July 2024 to June 2025, with a historic peak of over 1,000 recorded incidents in February 2025 alone. The report highlights a rapidly expanding and fragmenting ransomware landscape, with 41 new groups emerging, active groups exceeding 60 for the first time, and 42 countries experiencing their first ransomware incidents during this period.

While ransomware continues to inflict human and economic tolls, the data also uncovers a positive development. The most significant tactical changes by ransomware groups are direct responses to advanced solutions like managed detection and response (MDR). Increased vigilance forces attackers to operate in the shadows – prompting them to rely on legitimate software instead of malware, target unprotected systems, and launch attacks outside of typical working hours to evade detection.

“Ransomware isn’t just a security problem, it’s a profound business and human crisis,” said Marcin Kleczynski, founder and CEO at Malwarebytes. “The escalation has led to severe real-world consequences, including compromised patient data, significant financial losses, and even human casualties. There is a critical need for constant vigilance as attackers become scrappier and more adaptive.”

Key findings include:

  • Proliferation of groups: The number of active ransomware groups has doubled over the last three years, suggesting a lower barrier to entry due to commoditized malware and abundant AI tools. The landscape is fragmenting significantly, with the top ten groups now accounting for only 50% of attacks, down from 69% previously.
  • Ransomware’s global reach: The United States remained the primary target, accounting for 47% of known attacks. However, ransomware continues to expand its geographical reach, with 42 previously unaffected countries experiencing their first-ever attacks in the last 12 months, marking a 46% increase in targeted countries over three years.
  • Healthcare vertical under siege: The healthcare sector was a top target over the past 12 months, with attacks like the Synnovis incident and the McLaren Health Care breach disrupting critical services and exposing sensitive patient data across numerous hospitals.
  • Volatility at the top: The ransomware “top tier” is in constant churn. Dominant groups emerge and disappear rapidly. Among the top 15 most active groups in the last year, most had little or no footprint at all in the previous year. Monthly volatility in ransomware attacks also increased 50% year-over-year, driven by stop-start behavior among the biggest groups.

“The complexity and velocity of modern ransomware attacks demand more than traditional endpoint detection and response,” said Kendra Krause, General Manager at ThreatDown. “Security teams must augment their capabilities with Managed Detection and Response to achieve the visibility, speed, and expertise required to detect, contain, and remediate advanced threats.”

Ransomware groups continue to use tactics similar to those highlighted in last year’s 2024 State of Ransomware report, such as attacking at night, when IT staff are less likely to be monitoring closely, and using legitimate system administration tools rather than malware to avoid detection, a tactic known as Living Off the Land (LOTL). Over the past year, analysts have also noticed new, concerning patterns, including reliance on blind spots to stage attacks on devices that are unknown to IT staff.

To read the full report, visit: https://www.threatdown.com/dl-state-of-ransomware-2025/. To learn more about the latest threats and cyber security strategies for businesses and the channel, visit threatdown.com or follow ThreatDown on LinkedIn and X.