Ransomware keeps shifting into new territory, pulling in victims from sectors and regions that once saw fewer attacks. The latest Global Threat Briefing for H2 2025 from CyberCube shows incidents spreading in ways that make it harder for security leaders to predict where threats will rise next.
Researchers evaluated incident patterns, sector level exposure and signals drawn from threat actor behavior. Their aim was to map where ransomware is spreading, which organizations sit in higher risk clusters and how security posture shapes exposure.
Growth trends show ransomware moving into new regions
The report finds that ransomware has become a global issue with incidents growing in markets that historically saw lower volumes. Compound monthly growth rates highlight the fastest growing regions, although specific percentages are not provided for all areas. Threat groups continue to move toward regions with less mature defensive baselines or slower adoption of strong controls.
Some of this rise follows expansion by established groups. LockBit in particular remains active across many countries. The study links LockBit activity to elevated risk among public sector organizations in multiple regions, which becomes more evident in later sections of the report.
Sector comparison shows wide variation in defensive strength
Researchers compared industries by looking at how often negative cyber signals appear and how strong their observable security hygiene is. Some industries show stronger baselines and fewer concerning signals. Others show weaker controls and more signs of exposure.
The study notes that organizations in the same industry can perform very differently. Security posture varies widely, which means sector classification alone does not predict resilience. Negative cyber indicators such as open ports, outdated software and exposed remote services appear more often in some industries, and this trend aligns with higher ransomware activity.
Public sector risk stands out in multiple findings
Public sector organizations receive significant attention in the report. This segment includes state and local government offices along with a wide mix of administrative agencies. It covers a wide spectrum of maturity levels and often contains uneven security practices.
The data shows that 53 percent of state and local government offices worldwide fall into a high risk category for LockBit. This places them among the most exposed groups in the entire dataset. The report suggests that interest from threat actors remains strong in this segment and that many organizations continue to struggle with consistent control adoption.
Variation across these entities is notable. Some maintain strong security baselines, while others operate with weaker controls that leave them more exposed to intrusion attempts.
Risk clusters reveal where exposure and security intersect
The study groups public sector organizations into clusters based on exposure levels and strength of security posture. Approximately 16 percent show both high exposure and weak security. They sit at the highest concern level because their conditions mirror what threat actors tend to look for, including slow patching cycles and visible attack surfaces.
Another 19 percent show high exposure but stronger controls. They remain attractive targets because of their exposure, but their security posture reduces the chance that a successful intrusion attempt turns into a ransomware event.
The rest of the segment holds a mix of lower exposure profiles. The report highlights this group as an area where targeted improvements could have faster impact because the underlying risk is not as intense.
Signals that help forecast activity
The research stresses the importance of early indicators that point to shifts in threat behavior. These include rising negative cyber signals, changing exposure patterns and movement by threat groups into new regions or sectors. When these signals converge, they form a directional view of where attacks may rise in the coming months.
Forecasting these shifts requires ongoing monitoring and quick adjustment by defenders. Ransomware growth often mirrors gaps in patching, increased availability of attack surfaces and slower remediation of known weaknesses. The study links these signals to observed activity spikes across several industries.