TL;DR

A new Emsisoft review shows ransomware activity increased in 2025, with trackers logging over 8,000 claimed victims and a jump in the number of active gangs. Law‑enforcement takedowns hit infrastructure but did not stop attackers, who often rebrand or join other operations.

What happened

Emsisoft’s 2025 State of Ransomware in the US report found that ransomware continued to escalate through last year. Observers monitoring dark‑web leak and extortion pages recorded more than 8,000 claimed victims, a rise of over 50% compared with 2023; those counts reflect only incidents posted publicly by attackers. At the same time, the landscape grew more fragmented: the tally of active ransomware crews moved from a few dozen in 2023 to well into the three figures by the end of 2025. High‑profile law‑enforcement actions—such as the global takedown of the BlackSuit infrastructure in August—disrupted specific operations, but analysts say removing servers and sites rarely eliminates the people involved. Many groups now operate as smaller, often short‑lived brands, with affiliates drifting between operations and resuming activity under new names. Commonly reported ransomware names on leak sites last year included Qilin, Akira, Cl0p and Play, though some gangs are more aggressive about posting victims than others.

Why it matters

  • Public leak counts understate total harm because many victims pay, recover privately, or never appear on extortion pages.
  • A larger, more fragmented ransomware ecosystem makes attribution and long‑term disruption harder for law enforcement.
  • The shift toward social‑engineering vectors (phishing, stolen credentials) reduces attackers’ reliance on software bugs and exposed services, changing defenders’ priorities.
  • Takedowns that remove infrastructure may be temporary wins if the human operators can rebrand or join other crews.

Key facts

  • Trackers of extortion and leak pages logged more than 8,000 claimed victims worldwide in 2025.
  • That figure represents an increase of over 50% compared with 2023, per Emsisoft’s report.
  • The number of active ransomware crews rose from a few dozen in 2023 to well into the three figures by the end of 2025.
  • Law‑enforcement actions disrupted criminal infrastructure—for example, a global takedown of BlackSuit in August 2025—but did not eliminate offender activity.
  • Ransomware leak monitors cited include Ransomware.live and RansomLook.io; counts only include cases attackers chose to post.
  • Several brands continued to appear frequently on leak sites, including Qilin, Akira, Cl0p and Play.
  • Attackers increasingly rely on phishing, stolen credentials and social engineering to gain initial access, alongside traditional bugs and exposed services.
  • Affiliates often disappear and reappear under different names or move between operations, sustaining the overall level of attacks.

What to watch next

  • Whether the growing number of smaller crews stabilizes into new major players or continues as high churn among affiliates.
  • Trends in the use and success of social engineering and credential theft as primary initial access methods.
  • Not confirmed in the source: long‑term impact of takedowns on reducing total victim counts versus merely changing brand names and infrastructure.

Quick glossary

  • Ransomware: Malicious software that encrypts or steals data and demands payment for its return or to avoid public exposure.
  • Affiliate: An individual or subgroup that partners with a ransomware operation to carry out intrusions or extortion in exchange for a share of proceeds.
  • Leak site (extortion page): A web location on the dark web or public internet where attackers publish victim lists, stolen data, or extortion demands.
  • Phishing: A social‑engineering technique where attackers trick victims into revealing credentials or installing malware, often via deceptive emails or messages.
  • Takedown: A law‑enforcement or coordinated action to seize or disable criminal infrastructure such as servers, domains, or communication channels used by attackers.

Reader FAQ

How many ransomware victims were recorded in 2025?
Trackers logged more than 8,000 claimed victims worldwide in 2025, according to Emsisoft; this figure only counts cases posted by attackers.

Did law enforcement succeed in stopping ransomware gangs?
Law‑enforcement actions disrupted infrastructure and removed specific brands, but perpetrators often resurfaced under new names or joined other groups, so attacks continued.

What attack methods became more common in 2025?
Emsisoft reported a shift toward social‑engineering approaches—phishing, stolen logins and credential misuse—though bugs and exposed services still played a role.

Are the published victim counts a full picture of ransomware harm?
No. Many victims may have paid, recovered, or chosen not to be listed, so public leak counts underrepresent total incidents.

Which countries or sectors were targeted most heavily in 2025?
Not confirmed in the source.

CYBER-CRIME
Ransomware attacks kept climbing in 2025 as gangs refused to stay dead
Cop wins hit crime infrastructure, not the people behind it
Carly Page, Thu 8 Jan 2026 // 14:47 UTC
If 2025…
