2025 Ransomware Report
How Ransomware Wars Threaten Third-Party Cyber Ecosystems
By the Black Kite Research & Intelligence Team (BRITE)
Ransomware Report Executive Summary
Ransomware Wars escalated between April 2024 and March 2025—not with more powerful enemies, but with more of them.
As dominant syndicates like LockBit and AlphV collapsed under global law enforcement pressure, the battlefield fractured. In their place, dozens of new, less coordinated ransomware groups emerged, waging unpredictable campaigns across a wider target base.
The number of publicly disclosed victims rose to 6,046, a 25% increase from the previous year. Small and mid-sized businesses (SMBs) became the new frontline. Attackers increasingly favored targets with $4M-$8M in revenue, where defenses are thinner and the risks of retaliation lower.
This year also saw a rise in supply chain warfare, where attacks on vendors like Cleo and CDK Global caused disruption far beyond the initial breach. While ransom payment amounts declined, the volume and collateral impact of attacks continued to grow.
To help organizations predict and prioritize risk, Black Kite’s Ransomware Susceptibility Index® (RSI™) remained a critical signal. Among companies with RSI above 0.8, 46% were ultimately attacked. Most showed rising RSI trends well before the breach.
Even as ransomware grows more chaotic, intelligence-driven defense, proactive vendor monitoring, and early warning signals like RSI give organizations a fighting chance.
Key Findings
publicly disclosed ransomware victims, up 24% year over year
active ransomware groups, including 52 new entrants
SMBs ($4M-$8M) were the most frequently targeted
Ransomware responsible for 67% of known third-party breaches
46% of companies with RSI > 0.8 experienced ransomware attacks
Ransom payment values declined but overall impact widened
Major law enforcement operations
but overall impact widened
Regulatory enforcement lags behind incident disclosures
Key Takeaway
The ransomware threat hasn’t disappeared—it has fractured and multiplied. With more actors, less predictability, and deeper entanglement in supply chains, organizations must shift from reactive defenses to proactive intelligence and third-party monitoring. As the battlefield changes, so must the strategy.

TABLE OF CONTENTS

01 | INTRODUCTION
How the past year changed the ransomware landscape.

02 | ATTACK DATA
Trends in victim numbers, geographic distribution, and industry impact.

03 | SUPPLY CHAIN IMPACT
Ransomware's increasing focus on third-party vendors with case studies.

04 | CLOP'S CLEO CAMPAIGN
Spotlight on an attack large in scope, but quiet in impact.

05 | AVOIDING RANSOMWARE
How to pinpoint ransomware risk with third-party risk intelligence.

06 | LOCKBIT & ALPHV
The collapse of major groups and the resulting power struggle.

07 | TOP GROUPS
Profiles of the most active and emerging ransomware groups.

08 | LEGAL RESPONSE
Legal and operational efforts against ransomware.

09 | AI IN RANSOMWARE
How artificial intelligence is impacting attack methods.

10 | NEXT STEPS
Future trends in ransomware and recommendations for defenders.

11 | APPENDIX
Report Methodology