Research: Ransomware Attacks Spiked by 49% in the First Half of 2025
A startling 49% surge in ransomware attacks marked the first half of 2025, with cybercriminals increasingly targeting U.S. organizations and small to medium-sized businesses (SMBs). Our latest research reveals that between January and June 2025, ransomware groups exposed 4,198 cases on the dark web—a dramatic increase from the 2,809 cases recorded during the same period in 2024.
So, what forces are driving this alarming trend, who are the primary targets, and what can organizations do to defend themselves?
Why the Sudden Increase? The Forces Driving the Ransomware Boom
The profitability and effectiveness of ransomware have emboldened cybercriminals to intensify their efforts. Vakaris Noreika, a cybersecurity expert at NordStellar, identifies three key factors contributing to the growth:
- Ransomware-as-a-Service (RaaS): This business model lowers the barrier to entry for cybercrime. RaaS providers supply malicious software and infrastructure, allowing affiliates with little to no technical expertise to launch sophisticated attacks.
- Expanded Attack Surfaces: The shift to remote and hybrid work has increased the number of endpoints, home networks, and personal devices connecting to corporate systems. This creates new vulnerabilities and strains security teams trying to maintain comprehensive protection.
- Economic Uncertainty: Financial desperation often leads to a rise in illegal activities. Combined with the accessibility of RaaS, ransomware becomes an attractive option for illicit income, offering high potential rewards for relatively low effort.
The Prime Targets of Q2 2025
Our analysis of 1,758 ransomware incidents from April to June 2025 reveals clear patterns in targeting.
The U.S. Remains in the Crosshairs
Of the cases traced to a specific country, U.S. businesses were hit hardest, accounting for a staggering 49% of all attacks (596 incidents). Germany followed at a distant second with 84 cases, trailed by Canada (74) and the United Kingdom (40). The U.S. is a prime target due to its concentration of profitable businesses, which attackers believe are more likely to pay a ransom to avoid reputational damage and operational downtime.
The Manufacturing Industry Under Siege
The manufacturing sector was the most affected industry, with 229 recorded cases. It was followed by construction (97 cases) and information technology (88 cases). Manufacturing companies are often vulnerable because they struggle to centralize security across geographically dispersed locations and frequently rely on outdated, unpatched operational technology systems.
SMBs: The Most Vulnerable Target
Small to medium-sized businesses were the primary victims. Organizations with 51–200 employees and revenues between $5 million and $25 million experienced the most attacks.
Who Is Responsible for the Attacks?
The ransomware landscape is dominated by a few highly active groups operating on a RaaS model.
- Qilin: This Russia-linked group was the most prolific, responsible for 214 incidents in Q2 2025.
- Safepay: A newer group first detected in late 2024, Safepay rapidly escalated its operations to claim the second spot with 201 incidents.
- Akira: This established ransomware group was a close third, with 200 incidents.
Building a Ransomware-Resistant Business
As ransomware attacks persist, a proactive defense strategy is essential.
- Empower Your Employees: Your staff is the first line of defense. Implement continuous cybersecurity training focused on identifying phishing scams, using strong password management, and enabling multi-factor authentication.
- Implement a Layered Technology Defense: Deploy endpoint protection, continuously monitor your external attack surface for vulnerabilities, and scan the dark web for compromised credentials or leaked data related to your organization.
- Plan for Recovery: To minimize the impact of a potential attack, Noreika recommends that businesses “stay two steps ahead, implement recovery plans, and always back up critical data.” Regular, tested backups are the most effective way to recover from an attack without paying a ransom.
About the Methodology
We continuously monitor over 200 dark web blogs operated by ransomware groups to collect data on victim organizations. Once a company is identified, we use publicly accessible business data sources to gather firmographic information, such as industry, size, and location. The total number of attacks is accurate, though figures in categorized breakdowns may be slightly higher due to a smaller sample size where full firmographic data was available.
About NordStellar
NordStellar is a threat exposure management platform that enables enterprises to detect and respond to network threats before they escalate. As a platform and API provider, NordStellar can provide insight into threat actors’ activities and their handling of compromised data. It is designed by Nord Security, the company renowned for its globally acclaimed digital privacy tool NordVPN.
About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

