Ransomware activity never dies, it multiplies

Ransomware attacks kept climbing through 2025, even as major criminal groups collapsed and reformed. A new study conducted by the Symantec and Carbon Black Threat Hunter Team shows that disruption inside the ransomware economy slowed activity only briefly, while extortion methods expanded and diversified.

Claimed ransomware attacks by actors operating data leak sites, 2022–2025 (Source: Symantec and Carbon Black)

Record activity despite major takedowns

Ransomware actors claimed 4,737 attacks in 2025, the highest annual total recorded in the dataset. Monthly activity rose steadily through the year, with one sharp dip in April after the sudden shutdown of RansomHub, which had been the most active operation at the time.

The pause did not last long. Former RansomHub affiliates shifted quickly to other groups, and attack volumes returned to earlier levels within weeks. August showed another decline, consistent with seasonal slowdowns observed in prior years.

New leaders replace fallen operations

Two dominant ransomware operations disappeared during the year. LockBit, tracked in the report as Syrphid, failed to recover after law enforcement actions in late 2024. RansomHub, also known as Greenbottle, shut down abruptly in April 2025.

Other groups gained ground as a result. Akira and Qilin each accounted for 16% of claimed attacks in 2025. Inc and Safepay followed at 6% each, while DragonForce emerged as a new entrant responsible for 5% of claims.

The reshuffling highlights how affiliates move fluidly between ransomware services. Access brokers, tooling, and payment structures continued to circulate among groups, which helped sustain overall activity levels.

Extortion expands beyond encryption

One of the most significant findings in the study involves extortion campaigns that do not rely on encryption. These attacks focus on stealing data and threatening to publish it, skipping the deployment of ransomware entirely.

Encryption-based attacks remained just above 4,700 incidents annually. When data-theft extortion is included, total extortion incidents reached 6,182 in 2025. That represents a 23% increase compared with 2024.

Snakefly, which runs the Cl0p ransomware operation, played a major role in this shift. These actors exploited vulnerabilities in widely used enterprise software to extract data at scale. Victims included large organizations in government and industry, with some campaigns affecting hundreds of companies through a single flaw.

Researchers linked several of these operations to shared tooling and leak infrastructure, suggesting coordination among loosely affiliated actors who specialize in data theft and public pressure.

“While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the advent of new types of encryptionless attacks adds another degree of risk, creating a wider extortion ecosystem of which ransomware may become just one component,” said the Symantec and Carbon Black Threat Hunter Team.

Social engineering as primary access path

The research documents a rise in attacks driven by social engineering, particularly against cloud platforms and identity systems. Groups associated with ShinyHunters and Scattered Spider used phone-based impersonation, credential harvesting, and abuse of OAuth consent workflows to gain access to enterprise environments.

In several campaigns, attackers convinced employees to authorize malicious applications or share authentication codes under the guise of IT support. Once access was established, the actors exported large volumes of data and issued extortion demands.

These techniques reduced reliance on malware and complicated detection in environments with heavy legitimate cloud usage.
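The consent-phishing pattern above leaves a trace that does not depend on malware: an application that several users grant broad data-access permissions to in a short window. The following is an added example, not code or data from the Symantec and Carbon Black report, that scores constructed OAuth consent-audit records and groups risky grants by application. The record layout, the allowlist, and the scope strings (written in Microsoft Graph style) are assumptions for the example.

```python
"""Flag risky OAuth consent grants and group them into likely campaigns.

Added example; the audit records below are constructed, not real data, and the
field names, allowlist and scope strings are assumptions about the feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Delegated scopes that allow bulk export of mail or files (assumed names).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.Read.All", "User.Read.All"}
# A refresh token keeps the grant usable long after the phone call ends.
PERSISTENCE_SCOPES = {"offline_access"}
# Assumed allowlist of application ids reviewed by the identity team.
APPROVED_APP_IDS = {"app-0001-crm-sync", "app-0002-helpdesk"}


def _ev(ts, user, app_id, app_name, verified, scopes, consent_type):
    return {"ts": ts, "user": user, "app_id": app_id, "app_name": app_name,
            "verified_publisher": verified, "scopes": scopes,
            "consent_type": consent_type}


# Constructed consent-audit records (one benign admin grant, two user grants to
# an unknown "IT Support Portal" minutes apart, one low-privilege user grant).
CONSENT_EVENTS = [
    _ev("2025-06-03T09:12:00", "a.lee", "app-0002-helpdesk", "Helpdesk Connector",
        True, ["User.Read", "offline_access"], "admin"),
    _ev("2025-06-03T14:47:00", "b.chen", "app-9f31-unknown", "IT Support Portal",
        False, ["Mail.Read", "Files.Read.All", "offline_access"], "user"),
    _ev("2025-06-03T14:49:00", "c.diaz", "app-9f31-unknown", "IT Support Portal",
        False, ["Mail.Read", "Files.Read.All", "offline_access"], "user"),
    _ev("2025-06-04T08:00:00", "d.osei", "app-7a22-notes", "Notes Sync",
        True, ["User.Read"], "user"),
]


def consent_reasons(ev):
    """Return the list of reasons a single grant looks risky (empty if none)."""
    reasons = []
    scopes = set(ev["scopes"])
    if ev["consent_type"] == "user" and ev["app_id"] not in APPROVED_APP_IDS:
        reasons.append("user consent to app outside allowlist")
    if not ev["verified_publisher"]:
        reasons.append("unverified publisher")
    bulk = HIGH_RISK_SCOPES & scopes
    if bulk:
        reasons.append("bulk-read scopes: " + ", ".join(sorted(bulk)))
        if PERSISTENCE_SCOPES & scopes:
            reasons.append("offline_access keeps the grant usable after the session ends")
    return reasons


def risky_grants(events, min_reasons=2):
    """Grants with at least min_reasons independent risk signals."""
    return [(ev["user"], ev["app_id"], consent_reasons(ev))
            for ev in events if len(consent_reasons(ev)) >= min_reasons]


def find_campaigns(events, window=timedelta(hours=1), min_users=2):
    """Map app_id -> sorted users when one app collects risky grants from
    several distinct users inside the window: the helpdesk-impersonation
    pattern rather than a single mistaken click."""
    by_app = defaultdict(list)
    for user, app_id, _ in risky_grants(events):
        ts = datetime.fromisoformat(next(e["ts"] for e in events
                                         if e["user"] == user and e["app_id"] == app_id))
        by_app[app_id].append((ts, user))
    campaigns = {}
    for app_id, grants in by_app.items():
        grants.sort()
        for i, (start, _) in enumerate(grants):
            users = {u for t, u in grants[i:] if t - start <= window}
            if len(users) >= min_users:
                campaigns[app_id] = sorted(users)
                break
    return campaigns


if __name__ == "__main__":
    for user, app_id, reasons in risky_grants(CONSENT_EVENTS):
        print(f"{user} -> {app_id}: {'; '.join(reasons)}")
    print("campaigns:", find_campaigns(CONSENT_EVENTS))
```

The two-signal threshold matters: a single user consenting to an unlisted but verified low-privilege app is routine and would flood a queue, while an unverified app asking for mail and file read plus a refresh token from two users two minutes apart is worth a same-day revocation review.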

Ransomware activity tied to older espionage tooling

A newer ransomware strain tracked as Warlock drew attention due to its tooling and infrastructure. First observed in mid-2025, Warlock attacks exploited a zero-day vulnerability in Microsoft SharePoint and used DLL sideloading for payload delivery.

Analysis linked Warlock to tooling previously associated with Chinese espionage activity, including signed drivers and custom command frameworks. Some ransomware payloads appeared to be modified versions of leaked LockBit code, combined with older malware components.

The study notes overlaps between ransomware activity and long-running espionage campaigns, where ransomware deployment may serve operational or financial goals within broader intrusion efforts.

Shared techniques dominate attack chains

Researchers found that ransomware attack chains remained consistent. Actors relied on living-off-the-land techniques, using built-in administrative tools for discovery, lateral movement, and credential access.

PowerShell appeared most frequently, supported by remote management software, backup utilities, and credential dumping tools. Malware often appeared late in the intrusion, close to data theft or encryption stages.

These shared methods reduced the need for custom tooling and allowed attackers to adapt quickly when defenders blocked specific techniques.
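Because the tools in these chains are legitimate, a single matching command is rarely worth an alert; what the report describes is several stages on one host. The following added example, which is not code from the report or its authors, runs a small rule set over constructed process-creation records and only flags a host when its hits span more than one stage of the chain. The event layout and the rule thresholds are assumptions for the example.

```python
"""Stage-aware triage of living-off-the-land process events.

Added example; the events below are constructed, and the rules are a
minimal illustration rather than a production detection set.
"""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SYSTEM_IMAGES = {"lsass.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Constructed events: (host, parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -Command Get-Date"),
    ("ws02", "winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    ("ws02", "cmd.exe", "nltest.exe", "nltest /dclist:corp"),
    ("ws02", "cmd.exe", "net.exe", 'net group "Domain Admins" /domain'),
    ("srv01", "cmd.exe", "procdump64.exe",
     "procdump64.exe -accepteula -ma lsass.exe C:\\temp\\out.dmp"),
    ("srv01", "cmd.exe", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("srv02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs -p"),
]

# (rule name, chain stage, predicate over lower-cased parent, image and raw cmd).
RULES = [
    ("encoded_hidden_powershell", "execution",
     lambda p, i, c: i == "powershell.exe"
     and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s", c) is not None
     and re.search(r"(?i)\s-w(indowstyle)?\s+hidden", c) is not None),
    ("office_spawns_shell", "execution",
     lambda p, i, c: p in OFFICE_APPS and i in SHELLS),
    ("domain_discovery", "discovery",
     lambda p, i, c: (i == "nltest.exe" and "/dclist" in c.lower())
     or (i == "net.exe" and re.search(r"(?i)\bgroup\b.*/domain", c) is not None)),
    ("lsass_access_by_admin_tool", "credential-access",
     lambda p, i, c: "lsass" in c.lower() and i not in SYSTEM_IMAGES),
    ("shadow_copy_deletion", "impact",
     lambda p, i, c: i == "vssadmin.exe"
     and re.search(r"(?i)delete\s+shadows", c) is not None),
]


def match_rules(event):
    """Return [(rule, stage)] for one event; most benign admin work yields []."""
    host, parent, image, cmd = event
    return [(name, stage) for name, stage, pred in RULES
            if pred(parent.lower(), image.lower(), cmd)]


def triage(events, min_stages=2):
    """Group hits per host and return only hosts whose hits cover at least
    min_stages distinct chain stages, with the rule names and stages seen."""
    per_host = defaultdict(list)
    for ev in events:
        for hit in match_rules(ev):
            per_host[ev[0]].append(hit)
    flagged = {}
    for host, hits in per_host.items():
        stages = sorted({s for _, s in hits})
        if len(stages) >= min_stages:
            flagged[host] = {"rules": sorted({n for n, _ in hits}), "stages": stages}
    return flagged


if __name__ == "__main__":
    for host, detail in triage(SAMPLE_EVENTS).items():
        print(host, detail)
```

With the constructed input, ws01 (an interactive PowerShell one-liner) and srv02 (a normal service host) produce no hits, while ws02 shows execution plus discovery and srv01 shows credential access plus impact, which is the multi-stage shape worth escalating.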
