Ransomware attacks continue to rise in 2025, with 6,330 cases recorded so far, underscoring escalating risks for small and medium-sized businesses
The latest data analyzed by NordStellar, a threat exposure management platform, reveals that the number of ransomware incidents in 2025 is continuing to grow. Between January and September 2025, 6,330 ransomware cases were exposed on the dark web, representing a 47% increase compared to the 4,293 cases recorded in the same period last year.
“So far this year’s results are highlighting a worrying trend — the number of ransomware cases continues to grow steadily,” says Vakaris Noreika, cybersecurity expert at NordStellar. “The majority of the growth we’re witnessing right now is most likely a direct result of the increase in ransomware-as-a-service (RaaS) that allows cybercriminals to scale their attacks and has lowered the entry barrier for bad actors. Another key factor is the significant increase in the number of active ransomware groups, which has reached an all-time high.”
Noreika explains that the number of active ransomware groups has been consistently increasing over the past five years. In September alone, NordStellar traced back the ransomware incidents to 66 different groups.
Prime targets in Q3 2025: The US, SMBs, and the manufacturing industry
In July-September 2025, 1,943 ransomware cases were exposed on the dark web, a 31% increase compared to the same period in 2024 (1,484 cases). US businesses were the most targeted, accounting for 54% of the 1,274 cases that could be traced to specific victim countries. Canada holds the second spot with 62 incidents, followed closely by Germany (60), the United Kingdom (54), and France (35).
“The findings mirror the results we have been seeing all year,” explains Noreika. “The US is home to numerous profitable public businesses, and this, coupled with strict regulations, makes them an attractive target for cybercriminals. Their potential for high profitability, combined with a higher likelihood of meeting ransomware demands to resolve incidents quickly, increases the chances of success for attackers.”
Ransomware data from July to September 2025 revealed that the manufacturing industry was the most affected by ransomware, with 245 cases, mirroring the results of the previous quarters. It was followed by professional, scientific, and technical services (107), information technology (103), construction (91), and financial services (69).
“Companies operating in the manufacturing industry experience high operational downtime costs, making them more inclined to give in to ransomware demands to resolve the incident as soon as possible. They also often rely on outdated or unpatched software and systems and are more likely to experience supply chain vulnerabilities due to reliance on third-party vendors, partners, and logistics providers,” says Noreika.
He explains that companies operating in the professional, scientific, and technical services industry often work with confidential customer data, intellectual property, and critical business tools, making them an attractive target for ransomware actors. According to Noreika, businesses in the information technology industry are targeted because they handle large volumes of valuable data and are key components of the supply chain. This means that attacking them can spread ransomware to multiple businesses simultaneously.
Small and medium-sized businesses (SMBs) were the most affected. The data revealed that organizations with up to 200 employees and revenues of up to $25 million experienced the most attacks.
“As in the first half of 2025, SMBs continue to remain the primary targets for ransomware. Ransomware actors usually perceive smaller businesses as lower-risk targets because they might lack a sophisticated IT infrastructure, operate on low cybersecurity budgets, and not have the means to investigate or report attacks to authorities,” says Noreika.
He adds that smaller revenue companies may also be more likely to meet attackers’ demands since the cost of downtime, data loss, or reputational damage from a full-blown ransomware attack could devastate the business financially. As a result, many of them could view paying the ransom as the only option, making them a higher success target for ransomware attackers.
Old players take the lead
The ransomware group Qilin was responsible for the most attacks in Q3 2025, with 241 incidents, and continues to hold the number one spot from the previous quarter. It’s followed by Akira (190), INC Ransom (146), Play (102), and Safepay (92).
“Qilin, Akira, and Play are more experienced players, active from 2022-2023, and are known for their double extortion models and large victim scope. They are also more likely to keep their operations in-house, without utilizing or offering RaaS, so as not to compromise their operations,” says Noreika. “Safepay is the youngest group, first detected in the fall of last year, but so far has been consistently among the top perpetrators this year. INC Ransom was first discovered in late 2023 and is generally lesser-known. However, this year, they have been quite consistent with their attacks as well.”
According to Noreika, ransomware groups are highly organized. He explains that business leaders are not always fully aware of the danger they pose — for example, that they often seek out top talent in cybersecurity or might even recruit insiders to carry out a targeted attack against an organization, making them a threat that companies cannot afford to underestimate.
Main mistakes that make a business more vulnerable to ransomware
Noreika explains that the first step in making a company ransomware-resistant is prevention. He highlights cybersecurity hygiene as the primary foundation.
“Most attacks happen due to user error. As a result, raising cybersecurity awareness and increasing training, as well as promoting good cybersecurity hygiene, is the basic first step,” says Noreika.
He continues by saying that employees who can recognize phishing scams, understand the importance of proper password management, and recognize the necessity and importance of utilizing tools like multi-factor authentication or a VPN are less likely to open the company’s network to cyber intruders.
“Another important factor is monitoring and addressing unknown cybersecurity gaps. With more businesses embracing hybrid or remote work models, introducing unmanaged devices and relying on third-party vendors, the attack surface is expanding, and any endpoint can be exploited,” says Noreika.
To stay ahead of attackers, he advises companies to monitor for external vulnerabilities before they are exploited, as well as any potential data leaks on the dark web, to minimize the possibility of a more sophisticated attack. Noreika emphasizes that recovery plans and backing up critical data are among the essential steps to reduce the impact of a potential ransomware incident.
Feature image credit.
