Ransomware attacks kept climbing in 2025 as gangs refused to stay dead
(2026/01/08)
- Reference: 1767883645
- News link: https://www.theregister.co.uk/2026/01/08/ransomware_2025_emsisoft/
If 2025 was meant to be the year ransomware started dying, nobody appears to have told the attackers.
In its [1]2025 State of Ransomware in the US report, security firm Emsisoft says ransomware attacks continued to climb last year, with more victims appearing on extortion sites and more groups operating than ever before. The figures climbed even as police and prosecutors notched up a string of wins against ransomware groups, [2]such as the global takedown of BlackSuit in August.
Trackers keeping an eye on ransomware leak sites logged more than 8,000 claimed victims worldwide in 2025, a rise of more than 50 percent compared to 2023. The counts come from outfits watching dark web shaming pages such as Ransomware.live and RansomLook.io, so they only include cases where crooks decided to post receipts. Plenty of victims, Emsisoft says, will have paid up, recovered, or kept quiet without ever appearing on a leak site.
Emsisoft's numbers also suggest there are more gangs in the game than there were a couple of years ago, with the count of active ransomware crews climbing from a few dozen in 2023 to well into three figures by the end of 2025. Instead of a handful of mega-brands dominating, the scene now looks messier, with lots of smaller outfits popping up, disappearing, and reappearing under new names as affiliates drift between operations.
That could explain why all the splashy takedowns haven't translated into fewer ransomware attacks. While pulling the plug on a gang's infrastructure might kill one brand, it rarely kills the people behind it, who tend to resurface quickly under a new name or latch onto the next crew looking for experienced hands.
[6]Are criminals vibe coding malware? All signs point to yes
[7]IBM's AI agent Bob easily duped to run malware, researchers show
[8]One criminal, 50 hacked organizations, and all because MFA wasn't turned on
[9]Cybercrook claims to be selling infrastructure info about three major US utilities
Even so, the same handful of ransomware brands kept turning up again and again on leak sites last year, with names like Qilin, Akira, Cl0p, and Play racking up large victim counts. Emsisoft warns against treating those tallies like a proper leaderboard, though, since some gangs are far louder than others when it comes to naming and shaming victims.
The report also points to a change in how many ransomware break-ins actually start. Bugs and exposed services still play a role, but gangs are leaning harder on old-fashioned tricks such as phishing, stolen logins, and social engineering to get a foot in the door, with crews that include [10]Scattered Lapsus$ Hunters favoring approaches that go straight around perimeter defenses rather than through them.
Emsisoft threat intelligence analyst Luke Connolly says the churn, along with this change in tactics, is what keeps ransomware ticking over: affiliates move on, names disappear, and the same attacks keep happening under different banners.
"As long as affiliates remain plentiful and social engineering remains effective, victim counts are likely to continue rising," he said. ®
[1] https://www.emsisoft.com/en/blog/47215/the-state-of-ransomware-in-the-u-s-report-and-statistics-2025/
[2] https://www.theregister.com/2025/08/12/blacksuit_ransomware_crew_loses_servers/
[6] https://www.theregister.com/2026/01/08/criminals_vibe_coding_malware/
[7] https://www.theregister.com/2026/01/07/ibm_bob_vulnerability/
[8] https://www.theregister.com/2026/01/06/50_global_orgs_hacked/
[9] https://www.theregister.com/2026/01/02/critical_utility_files_for_sale/
[10] https://www.theregister.com/2025/11/27/scattered_lapsus_hunters_zendesk/
Solution is to make it illegal to pay ransomware
Taliesinawen
The solution is to make it illegal to pay ransomware. And have the innovators invent a computer that can't be compromised by opening a malicious email attachment or clicking on a malicious web link.
Re: Solution is to make it illegal to pay ransomware
VicMortimer
I came here to say exactly that.
As long as nobody goes to prison for paying ransom, this will continue. Lock up a few CEOs because their companies paid, and this will all stop.
Re: Solution is to make it illegal to pay ransomware
Ian Johnston
"The solution is to make it illegal to pay ransomware."
It's already illegal to implement it. Fat lot of good that does.
New attitudes and new legislation are needed.
Perhaps it is time to stop the processing of personal and other sensitive data on internet connected computers. That is, until the makers of IT systems actually start producing secure systems.
If system operators were required to pay realistic compensation (a few thousand Euros, say), to each victim of personal data "theft", things would very quickly take a turn for the better.