IndustrialCyber

FBI reports cyber threats to critical infrastructure intensify as US cybercrime losses hit $21 billion, exposes risk


Data from the FBI’s 2025 Internet Crime Report showed that cyber-enabled crime drained nearly US$21 billion from Americans, with cryptocurrency and AI-linked scams driving the highest losses. This comes as adversaries grow more sophisticated and increasingly callous each year, targeting power grids, disrupting hospitals, and amplifying geopolitical tensions. State-sponsored cyber actors use all elements of national power to target the U.S. and its critical infrastructure, while skilled cybercriminals exploit new and longstanding vulnerabilities to steal money and hold data for ransom.

The Internet Crime Complaint Center (IC3) recorded 1,008,597 complaints, up from 859,532 in 2024, as phishing, spoofing, extortion, and investment scams remained the most reported threats, while losses among Americans over 60 surged to $7.7 billion, a 37% increase year on year. Cyber-enabled fraud alone accounted for roughly 453,000 complaints and more than $17.7 billion in losses, with investment scams responsible for nearly 49% of the total, and cryptocurrency-related cases proving the most costly at over $11 billion across 181,565 complaints.

“Ransomware is among the highest reported cyber threats targeting critical infrastructure organizations. Ransomware is a type of malicious software designed to block access to a computer system until money is paid,” the FBI’s 2025 Internet Crime Report detailed. “In 2025, the IC3 received more than 3,600 complaints reporting ransomware, with losses exceeding $32 million. In 2025, the following ransomware variants were among those most frequently reported variants to the FBI via IC3, accounting for 56.8% of the total number of ransomware incidents reported.”

The 2025 loss amount reported to IC3 attributed to these variants is over $16 million, almost half (49.8%) of the total losses reported. Regarding ransomware-adjusted losses, this number does not normally include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by an entity. In some cases, entities do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. Lastly, the number only represents what entities report to the FBI via IC3 and does not account for entities reporting directly to FBI field offices.

The top 10 reported ransomware variants primarily impacted critical sectors including manufacturing, healthcare and public health, and government facilities. Leading strains such as Akira, Qilin, INC, Lynx, Sinobi, BianLian, Play, Ransomhub, LockBit, DragonForce, SAFEPAY, and Medusa continue to drive the bulk of incidents, with further technical details and mitigation guidance available through Joint Cyber Security Advisories.

Establishing and maintaining a strong foundation of industry best practices remains essential to limiting ransomware risk and reducing the attack surface. The FBI recommends maintaining secure off-site or offline backups that are regularly tested, encrypted, and immutable, while ensuring full coverage of organizational data. Default passwords and credentials should be eliminated, with all accounts aligned to recognized standards, and unnecessary protocols disabled. Administrative access must be tightly controlled using least-privilege principles, supported by multi-factor authentication across all critical services, including webmail and remote access systems.

Organizations are advised to strengthen visibility and detection capabilities by logging network traffic and deploying endpoint detection and response tools to identify lateral movement. Network segmentation should be implemented to contain potential breaches and restrict attacker movement across systems. Keeping operating systems, software, and firmware fully updated remains one of the most effective defenses, particularly by prioritizing patching of known exploited vulnerabilities in internet-facing environments. In the event of a ransomware incident or cybercrime, reporting through the IC3 helps support broader threat intelligence and law enforcement response.

The FBI reported that ransomware incidents significantly outpace data breaches across most critical infrastructure sectors, with the highest impact seen in healthcare and public health, which recorded 460 ransomware incidents compared to 182 data breaches. Critical manufacturing also experienced a high volume, with 355 ransomware cases versus 52 data breaches, highlighting a strong skew toward disruptive attacks.

Financial services and government facilities follow, with ransomware incidents at 258 and 233 respectively, compared to 189 and 174 data breaches. Information technology and commercial facilities also show elevated activity, with ransomware incidents at 232 and 164, exceeding their respective data breach counts of 199 and 84.

Mid-tier sectors such as transportation, energy, and communications report moderate ransomware activity, with 80, 54, and 51 incidents respectively, while data breaches in these sectors remain lower at 82, 31, and 28. In contrast, sectors like dams and nuclear report minimal activity, with only one recorded incident each. Overall, the data indicates that ransomware is the dominant threat across critical infrastructure, particularly in healthcare, manufacturing, and government-related sectors, where the potential for operational disruption is highest.

Transaction information provided in IC3 complaints helps the FBI understand how victims are losing funds to fraud and assists the IC3 Recovery Asset Team (RAT) Financial Fraud Kill Chain (FFKC) process when complaints are filed as quickly as possible. These charts identify the most frequent ways complainants reported financial losses from cyber-enabled fraud.

In 2025, the RAT initiated 655 FFKC incidents reported by businesses and organizations belonging to one of the 16 critical infrastructure sectors. Of the $261,451,001 in reported losses, the RAT was able to freeze $146,561,094, for an overall success rate of 56%.

The FBI reported that the success rate of FFKC actions varies widely across critical infrastructure sectors, with the defense industrial base recording the highest success rate at 100%. The chemical sector also demonstrates a strong outcome at 95%, followed by water and waste systems at 92%, indicating relatively high effectiveness in these areas. Commercial facilities report a success rate of 67%, while the energy sector stands at 65%. Healthcare records a 60% success rate, and government facilities reach 55%, reflecting moderate levels of effectiveness across these sectors.

Financial services show a success rate of 53%, while transportation is slightly lower at 51%. Communications and food and agriculture report similar performance levels at 47% and 48% respectively, indicating more limited success in these domains. The lowest success rates are observed in critical manufacturing at 36%, emergency services at 33%, and IT at 31%, highlighting persistent challenges in these sectors compared to others.

The report also mentioned that the IC3 enhances and supports intelligence analysis, while triaging victim reporting in support of ongoing investigations. In 2025, BlackSuit (Royal) ransomware attacks targeted critical infrastructure sectors including, but not limited to, critical manufacturing, government facilities, healthcare and public health, and commercial facilities. IC3 provided information regarding numerous victims of the BlackSuit (Royal) ransomware group to the field for victim notification and assistance. Last August, the Department of Justice highlighted coordinated actions taken to disrupt this group, which involved the participation of multiple domestic and foreign law enforcement partners.

Last month, the Office of the Director of National Intelligence’s Annual Threat Assessment 2026 identified that cyberspace is now a primary arena of conflict, with state and non-state actors actively targeting U.S. interests. Foreign cyber operations pose a direct and persistent threat to government and private-sector networks, as adversaries blend espionage, disruption, and influence into coordinated campaigns. Hacker groups linked to China, Russia, Iran, and North Korea, alongside ransomware groups, continue to threaten critical infrastructure at scale. These operations are deliberate and sustained, aimed at embedding access within key systems to enable disruption during periods of conflict or crisis.


