The Business of Ransomware


Booming, Fragmenting, Evolving

Beyond the Headlines

The Real Growth Story of Ransomware

Ransomware is no longer a series of isolated attacks—it is a sustained, system-wide threat. In the twelve months covered by this report, the number of publicly disclosed ransomware victims climbed to 6,046, marking a 24% year-over-year increase. This follows an even steeper rise in the previous period, when the number surged by 81%, from 2,708 to 4,893. Together, this amounts to a 123% increase over two years.

Ransomware Victim Growth (2023–2025)

This chart shows the number of victims announced by ransomware groups and the alarming year-over-year increase.

While some industry reports point to declining ransom payments and use that to suggest diminishing risk, the data tells a different story. The number of victims continues to rise. More groups are operating. And the damage is no longer measured in payments alone. The operational disruption caused by these attacks—especially in the context of supply chains—is growing more severe.

Incidents involving Change Healthcare, Blue Yonder, and CDK Global made clear that ransomware’s impact is no longer contained within the four walls of the initially affected organization. When threat actors compromise a widely used vendor, the effects ripple outward, paralyzing downstream businesses in multiple sectors. In this way, ransomware is increasingly a supply chain problem, not just a cybersecurity one.

This year’s growth in victim count signals more than just a surge in activity—it reflects a deeper shift in how ransomware groups operate and who they target. With newer, less experienced groups flooding the ecosystem, small and mid-sized vendors have become popular entry points. These are companies that may not make headlines when attacked, but they often sit at critical intersections of industry workflows. Disrupting them means disrupting everything they connect to.

In the sections that follow, we explore how these numbers evolved over time, which sectors were hit hardest, and how the ransomware ecosystem is shifting in both structure and intent.

We'll look at:

1. Monthly Activity

2. Geographic Distribution

3. Industries Impacted

4. SMB Targets

5. Revenue Targets

6. Payment Demands

7. Repeat Victims

1. Peaks and Patterns: Ransomware Activity by Month


Ransomware activity in this reporting period was not only elevated—it was persistent. Monthly victim disclosures fluctuated throughout the year but remained consistently high, with only two months seeing a drop below 400 incidents. The most active period was February 2025, which saw a staggering 817 victims, largely driven by Clop’s mass exploitation of Cleo vulnerabilities.

Despite occasional dips, each quarter surpassed the previous year’s equivalent, contributing to the overall 24% rise in victim count. The trend line reflects a maturing but fragmented ecosystem—one where smaller groups launch opportunistic campaigns, and larger ones drive major surges through mass exploitation events or strategic timing.

Monthly Ransomware Victim Disclosures by Group

(April 2024-March 2025)

What stands out even more than the raw victim numbers is the expansion in the number of active groups. Over the past two years, the ransomware landscape has nearly doubled in operator count. In April 2023, just 61 groups had published at least one victim in the past year. By April 2024, that number reached 84. And by the end of this reporting period, it hit 96.

Active group: a ransomware group that has published at least one victim on its dark web blog in the previous 12 months.

This growth points to a key shift: the barriers to entry have lowered, allowing less sophisticated but still effective actors to enter the field. Many of these groups reuse leaked tools, copy existing ransomware playbooks, or even brand-hop between campaigns.

Number of Active Ransomware Groups

(12-Month Rolling Window)

Yet, their collective activity keeps the pressure on defenders and expands the surface area of risk.

The spikes we observe are not just statistical noise—they map directly to specific threat actor behavior. The February surge aligns with Clop’s delayed and ultimately chaotic Cleo campaign. Meanwhile, groups like RansomHub, Play, and Akira maintained steady output, creating a rising floor of monthly disclosures.

Ransomware Cybercrime Ecosystem:

Number of Victims Published

This sustained activity reinforces a key trend: ransomware is no longer a seasonal or opportunistic threat. It is an always-on business model, shaped by automation, vulnerability exploitation, and low entry costs. The rise in group count is not just a signal of scale—but of strategic diversification across the ransomware economy.


2. Global Pressure Points: Geographic Distribution of Ransomware Victims


The United States continues to be ransomware’s most targeted geography—by a wide margin. This year, 3,141 U.S.-based organizations were publicly named as victims, up from 2,293 the year before. That’s a 37% increase year over year, and it accounts for 54% of all known global ransomware disclosures.

Ransomware Victim Distribution by Country

(April 2024-March 2025)

While the U.S. remains ransomware’s ground zero, several other regions experienced meaningful shifts. Countries with the sharpest increases include:

  • India: growing from 51 to 133 victims
  • Brazil: growing from 72 to 139
  • Canada: growing from 216 to 318

These changes reflect both expanded threat actor reach and the global exposure of these countries’ vendors and subsidiaries.

The top five most targeted countries this year:

United States

Canada

United Kingdom

Germany

Italy

Interestingly, some countries saw steep drops in victim count. Russia, for example, dropped from 70 victims last year to just 2 this year. This sharp decline is largely attributable to Malas, a politically motivated ransomware group that briefly emerged and disappeared after targeting around 70 Russian companies in a single month in 2023. With Malas gone, the data for Russia returned to baseline.

What’s clear is that ransomware’s footprint is expanding, not shifting. The number of countries with at least one publicly named victim rose from 112 last year to 134 this year. While this might suggest growing strategic reach, part of the spread reflects the amateurism of newer groups. Unlike more seasoned actors—who often rely on insider data or carefully curated victim lists—many of the newer entrants appear to operate blindly, casting wide nets and testing the waters. This explains why we see one or two victims in countries that typically fall outside the ransomware crosshairs.

At the same time, deeper targeting of small vendors and supply chain intermediaries continues. And while the country of headquarters may appear in breach disclosures, the real vulnerability lies in the digital interdependence across borders. Campaigns like Clop’s Cleo exploitation showed that ransomware damage radiates far beyond a single geography—and often far beyond the first name that gets published.


3. Hit Where It Hurts: Sectoral Breakdown and Industry Impact


Ransomware actors didn’t just go after large targets—they went after strategic ones. For the second consecutive year, the top three most targeted industries were:

Manufacturing

Professional, Scientific, and Technical Services

Healthcare and Social Assistance

These classifications are based on NAICS codes, ensuring consistency with prior reporting periods. While the rankings remained unchanged from last year, the absolute number of victims increased in all three categories, and their internal dynamics shifted in telling ways.

Ransomware Victims by Industry

(April 2024-March 2025)

Rank Change of Ransomware Victims by Industry

| Industry | Rank (change) |
|---|---|
| Manufacturing | 1 ⟷ |
| Professional, Scientific, and Technical Services | 2 ⟷ |
| Health Care and Social Assistance | 3 ⟷ |
| Construction | 4 ↑+3 |
| Wholesale Trade | 5 ↑+7 |
| Information | 6 ⟷ |
| Educational Services | 7 ↓-2 |
| Finance and Insurance | 8 ↓-4 |
| Transportation and Warehousing | 9 ⟷ |
| Retail Trade | 10 ↓-2 |
| Public Administration | 11 ⟷ |
| Administrative and Support and Waste Management and Remediation Services | 12 ↓-2 |
| Other Services (except Public Administration) | 13 ↑+1 |
| Real Estate Rental and Leasing | 14 ↓-1 |
| Arts, Entertainment, and Recreation | 15 ↑+1 |
| Accommodation and Food Services | 16 ↓-1 |
| Mining | 17 ↑+1 |
| Utilities | 18 ↓-1 |
| Agriculture, Forestry, Fishing, and Hunting | 19 ↑+1 |
| Management of Companies and Enterprises | 20 ↓-1 |

Rising Heat: Percentage Growth in Select Sectors


Looking beyond raw totals, certain industries experienced disproportionate growth in victim counts compared to the previous year. According to the data, the biggest year-over-year increases were seen in:

Wholesale Trade

Construction

Healthcare and Social Assistance

Year-over-Year Change in Ransomware Victim Volume by Industry

However, some of these figures are skewed by Clop’s mass exploitation of Cleo vulnerabilities. To account for this, we generated an adjusted chart excluding Cleo victims—revealing that Healthcare still ranks second in growth even without Clop’s outlier event.

Adjusted YoY Change by Industry

(Excluding Clop's Cleo Campaign)

Healthcare’s Upward Trend: A Warning Signal


One of the most notable shifts this year was the steady quarterly rise in healthcare targeting, which began in Q4 2023 and held firm through Q1 2025. In previous years, healthcare often hovered around fifth or sixth place. This year, it locked into third and stayed there.

This sustained rise aligns with insights from our standalone 2025 report, “Healthcare Under Ransomware Attack: Why Healthcare Is Now the 3rd Most Targeted Industry in the Ransomware Cybercrime Ecosystem.”

As noted in that analysis, the healthcare ecosystem’s complexity, legacy infrastructure, and urgency of services make it an increasingly attractive—and vulnerable—target.

  • Notably, offices of physicians and health practitioners overtook hospitals in ransomware victim counts this year.
  • Smaller practices often lack dedicated security teams, but still handle sensitive patient data—making them low-hanging fruit with high extortion potential.

Rank of Most Targeted Industries by Ransomware Groups

Healthcare: Ransomware Attacks by Subindustry

More insights are available in the full healthcare report.

🔍 Subsector Spotlight

Professional, Scientific, and Technical Services


Within this diverse category, two subindustries continued to dominate:

  • Computer Systems Design and Related Services
  • Legal Services

Last year, legal services held the top spot. This year, the two swapped positions, though the margin remains narrow. Both subindustries house high-value data and complex confidentiality chains, making them high-leverage ransomware targets.

Professional, Scientific, and Technical Services: Ransomware Attacks by Subindustry

Construction

Ransomware in the construction sector overwhelmingly affected specialty trade contractors and building construction firms. These businesses often rely on decentralized IT, subcontractor-heavy ecosystems, and urgent project timelines—conditions that favor threat actors seeking quick payouts. Additionally, contractors hold a wealth of client relationships, which amplifies their vulnerability when compromised and puts them in a particularly difficult position.

Manufacturing

Unlike other industries, the distribution of ransomware victims across manufacturing subindustries was fairly even. From electronics and furniture to transportation and chemicals, no single category dominated—underscoring the sector’s broad exposure to ransomware risk.


4. The SMB Squeeze: Ransomware Shifts Downmarket


Ransomware groups are no longer just targeting “big game.” While headlines continue to spotlight attacks on large enterprises, the data tells a different story: small and mid-sized businesses (SMBs) have become the core targets.

Ransomware Victims by Revenue Tier (Full Spectrum)

This year, only 11% of the known ransomware victims had an annual revenue over $100 million—a notable drop from 26% the previous year. For companies with revenue over $1 billion, the decline is just as sharp: from 8% in 2024 to 3.2% in 2025.

Breakdown of Ransomware Victims with Revenue Under $20M

Breakdown of Ransomware Victims with Revenue Over $100M

At the other end of the spectrum, businesses earning under $20 million per year accounted for the largest share of victims, with a clear concentration in the $4M to $6M range. This lower middle tier appears to be the new ransomware “sweet spot.”

The reasons behind this shift are multifaceted:

  • SMBs are easier targets. They’re often under-resourced, understaffed, and underprepared.
  • New groups lack infrastructure. Many emerging ransomware operators simply don’t have the technical or logistical capacity to compromise well-defended enterprises.
  • Big targets bring big heat. Law enforcement actions against prominent groups like REvil, DarkSide, AlphV (aka Black Cat), and LockBit served as cautionary tales. The cost of attacking a Fortune 500 company may now outweigh the benefit.
  • Security investments are working. Large enterprises have steadily increased cybersecurity budgets and hardened their environments—making them not only tougher, but also riskier.
  • Quiet payouts, less drama. SMBs are more likely to pay something quickly and quietly, without triggering public or regulatory alarms.

From an economic lens, ransomware actors are becoming more pragmatic. Many are choosing quantity over notoriety, volume over visibility. The result: a scalable extortion model focused on hundreds of mid-sized businesses instead of a few big logos.

This strategy also aligns with a broader pattern: avoiding targets that escalate consequences. Unless they’re making a PR move or signaling dominance, most groups now steer clear of the giants. It’s a survival tactic—and a business model.


5. Who Gets Hit Depends on What They Earn


Not all industries are targeted equally across the revenue spectrum. As ransomware operators shift their focus downmarket, we observe a corresponding change in which sectors are most frequently victimized at each company size tier.

Among companies earning below $20M annually, the most targeted industry is Professional, Scientific, and Technical Services—accounting for almost a quarter (23.3%) of all victims in this range. This group includes legal services and computer systems design firms, both of which frequently handle sensitive data, intellectual property, or third-party integrations that can be used for further pivoting.

Top Targeted Industries for Companies with <$20M Annual Revenue

As company revenue increases, manufacturing steadily climbs the ranks. For organizations earning between $100M and $300M, manufacturing becomes the top industry, representing 30% of ransomware victims in that tier.

Top Targeted Industries for Companies with $100M–$300M Annual Revenue

And for enterprises with more than $1 billion in revenue, manufacturing dominates—comprising a staggering 38.9% of ransomware victims. These companies tend to have complex operational technology (OT), global exposure, and intricate digital footprints—making them attractive, high-stakes targets when groups are willing to take the risk.

Top Targeted Industries for Companies with >$1B Annual Revenue

The data underscores an important trend: industry targeting is increasingly shaped by company size. Smaller organizations in service-heavy verticals are picked off quietly and efficiently. Meanwhile, manufacturing remains ransomware’s favorite high-value target, but only when the attackers have the resources, infrastructure, and confidence to go after large, hardened enterprises.

That targeting is not accidental. Manufacturing underwent rapid digital transformation post-COVID, but its cybersecurity maturity lagged behind. As companies embraced automation, IoT, and interconnected supply chains, their attack surfaces expanded significantly. Yet for many, cyber risk still doesn’t rank among their top business risks—creating a vulnerability gap that ransomware actors continue to exploit.

This duality shows how ransomware is not one-size-fits-all. It’s adaptive, resource-aware, and tailored to attacker capability and risk tolerance.


6. Less Money, More Mayhem: The Shifting Economics of Ransomware


In 2024, ransomware payments declined—but that doesn’t mean the threat did.

According to multiple industry sources, average ransom payments fell by as much as 35%, and fewer victims are paying. Coveware reports that just 25% of organizations paid a ransom, and among those hit with data exfiltration-only attacks, 41% paid—still far from a majority. Chainalysis, Socket, and others have echoed the trend: fewer dollars are changing hands, and when they do, it's often under more constrained negotiations.

Data points:

Average ransom demand in 2024

Million

Median ransom payment

Million

(up from $400K in 2023)

Highest known demand

Million

(up from $400K in 2023)

Average ransom payment

according to Coveware Q3

Median payment (Q3)

(down 45% from prior quarter)

Total ransomware payments

Million

according to Chainalysis

(down from $1.25B in 2023)

So what’s behind the numbers?

The answer is simple: the groups have changed.

After the takedowns of LockBit and AlphV, no single group has emerged to claim the same dominance. In their place, we see smaller, less sophisticated operators that often lack the infrastructure to run complex extortion operations. Without the polished negotiation portals and “customer service” tactics of legacy players, these groups tend to skip the negotiation phase entirely—demanding what they can and hoping to get anything at all.

With one shot at extortion, most settle on lower demands upfront.

No panel, no support, no second email. Just a demand and a clock.

At the same time, organizations have become more resilient. Stronger backups, more mature incident response, and greater legal and reputational risk awareness have made it easier for victims to say no. In regulated industries, payment refusal is increasingly the default—not the exception.

This change in the economics of ransomware doesn’t signal a dying threat. It signals a more chaotic one—one where actors are less predictable, campaigns are less coordinated, and impact is measured in disruption, not just dollars.


7. Double Trouble: When Ransomware Strikes the Same Victim Twice


The ransomware battlefield is becoming increasingly congested — and sometimes, it’s the same victim getting caught in multiple crossfires. While the average organization dreads a single ransomware attack, some faced two separate attacks by different ransomware groups within a relatively short time frame.

This troubling trend has two major explanations:

1. Affiliate Overlap Across Ransomware-as-a-Service (RaaS) Operations: Many RaaS groups rely on affiliates to carry out attacks. These affiliates frequently move from one group to another, bringing their victim lists, tools, and tactics with them. If an affiliate switches allegiances or decides to monetize a target again, they might hit the same organization using a different ransomware strain. In some cases, both groups end up publicly listing the same victim — as captured in the Sankey diagram below.

Ransomware Group Transitions Between Consecutive Attacks

2. “Recycled” Victims on Public Leak Sites: Public disclosures are double-edged swords. When one ransomware group publishes a victim’s name, it can inadvertently put a target on their back. Other groups scanning leak sites may see that the victim paid once or otherwise appears vulnerable and launch a follow-up attack. Sometimes, the second attack follows just days after the first. Other times, it happens months later, giving the false impression that the danger has passed.

The data reveals a chilling reality:

In 14 cases, the second attack occurred within a week.

In 32 cases, it came within a month.

And in more than 60 cases, the follow-up happened after six months, underscoring that once targeted, organizations remain on threat actor radars for extended periods.

Time Distribution Between Two Ransomware Attacks on the Same Victim
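The two measurements described above (which group follows which on the same victim, and how long the gap is) can be reproduced from any set of leak-site postings. The sketch below is an added example, not the report's own tooling; the postings, victim names, group labels, name-normalization rule and bucket edges are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed leak-site postings: (victim as listed, group label, date posted).
# Victims and groups are placeholders, not real disclosures.
POSTINGS = [
    ("Acme Dental, LLC",         "GroupA", date(2024, 4, 2)),
    ("ACME Dental LLC",          "GroupB", date(2024, 4, 7)),   # 5 days later
    ("Northwind Logistics",      "GroupA", date(2024, 5, 1)),
    ("Northwind Logistics Inc.", "GroupC", date(2024, 5, 25)),  # 24 days later
    ("Contoso Builders",         "GroupB", date(2024, 4, 15)),
    ("Contoso Builders",         "GroupA", date(2025, 1, 20)),  # 280 days later
    ("Fabrikam Legal",           "GroupC", date(2024, 6, 1)),
    ("Fabrikam Legal",           "GroupC", date(2024, 6, 3)),   # same group, not a repeat
    ("Tailspin Toys",            "GroupA", date(2024, 7, 9)),   # listed once
]

_SUFFIXES = re.compile(r"\b(llc|inc|ltd|corp|co|gmbh)\b")

def normalize(name):
    """Collapse case, punctuation and legal suffixes so listings of one victim match."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(_SUFFIXES.sub(" ", name).split())

def bucket(days):
    # Assumption: disjoint buckets built around the week / month / six-month cut-offs.
    if days <= 7:
        return "within a week"
    if days <= 30:
        return "within a month"
    if days <= 180:
        return "1-6 months"
    return "after six months"

def repeat_victims(postings):
    """Return consecutive postings of the same victim by two different groups."""
    by_victim = defaultdict(list)
    for name, group, posted in postings:
        by_victim[normalize(name)].append((posted, group))
    repeats = []
    for victim, events in by_victim.items():
        events.sort()  # chronological order per victim
        for (d1, g1), (d2, g2) in zip(events, events[1:]):
            if g1 != g2:  # a re-post by the same group is not a second attack
                gap = (d2 - d1).days
                repeats.append({"victim": victim, "from": g1, "to": g2,
                                "gap_days": gap, "bucket": bucket(gap)})
    return repeats

def summarize(repeats):
    """Gap histogram plus group-to-group transition counts (the Sankey edges)."""
    gaps = Counter(r["bucket"] for r in repeats)
    transitions = Counter((r["from"], r["to"]) for r in repeats)
    return gaps, transitions

if __name__ == "__main__":
    gaps, transitions = summarize(repeat_victims(POSTINGS))
    for label, count in gaps.items():
        print(f"{label}: {count}")
    for (src, dst), count in transitions.items():
        print(f"{src} -> {dst}: {count}")
```

Name matching is the weak point in practice: leak sites list victims by domain, trade name or legal name, so a production version needs a stronger entity-resolution step than the suffix stripping used here.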

This phenomenon is not just a fluke — it reflects how interconnected, opportunistic, and reputation-driven the ransomware ecosystem has become. Whether it’s due to affiliate churn or data visibility from leak sites, victims are no longer “one and done.” They’re being treated as repeatable revenue streams.

Organizations need to treat a ransomware incident not as an endpoint, but as the beginning of long-term vulnerability unless meaningful remediations are made immediately. A single compromise is now a beacon — a warning that more attacks may be on the horizon.
