In 2025, research from Searchlight Cyber outlines a challenging cybersecurity landscape, with ransomware groups reaching high levels of activity. The analysis is based on dark web intelligence and examines trends in ransomware operations throughout the year.
Ransomware attacks increased in 2025, with 7,458 victims listed on dark web platforms. This represents a 30% rise compared with the previous year. Although victim numbers declined slightly in the second half of the year, the report notes a significant increase in active ransomware groups, reaching a peak of 93 during that period.
Overall, 124 active groups were recorded during the year, supported by 73 new entrants. The growth in group activity highlights ongoing expansion within the ransomware ecosystem and increased pressure on cybersecurity teams.
The Qilin group recorded a 420% increase in activity compared with the previous year and emerged as one of the most active groups in the second half of 2025.
The report also highlights the emergence of so-called “Supergroups,” where smaller threat actors collaborate to expand operational capacity. In addition, the integration of artificial intelligence has lowered barriers to entry, enabling greater automation of attacks and contributing to the evolving threat landscape.
Activity among the most prominent ransomware groups included:
Qilin — 697 victims
Akira — 384 victims
IncRansom — 213 victims
Sinobi — 180 victims
Play — 164 victims
These groups accounted for a significant portion of recorded incidents, with newer groups such as Sinobi leveraging ransomware-as-a-service models to scale operations.
The report concludes by emphasising the importance of proactive defensive measures to address ransomware risks. It also references vulnerabilities described as “Shadow Exposure” in third-party software, highlighting supply chain risks and the need for organisations to address exposure points alongside external threats.
