First quarter of 2025 sets record for ransomware attacks and threat groups

A new report released today by cybersecurity services company GuidePoint Security LLC finds that ransomware hit a record high in the first quarter of 2025 as the number of victims surged to more than 2,000 and the landscape became increasingly fragmented with 70 active threat groups.

The finding comes from the GRIT 2025 Q1 Ransomware & Cyber Threat Report, which found that there were 2,063 ransomware victims in the quarter, up 102% from the same quarter of 2024. The quarterly number follows another report from S.C. Bitdefender SRL in March that found that February saw 962 ransomware attacks, the highest number of ransomware attacks recorded in a single month.

The rise in ransomware attacks has come at a time when the number of active ransomware and data extortion groups has reached a record high of 70, up from 60 in the fourth quarter of last year and 45 in the first quarter of 2024. The 55.5% year-over-year increase is said in the report to reflect a rapidly fragmenting threat landscape, with more distinct groups carrying out attacks than ever before.

The report interestingly notes the rise of what GuidePoint’s researchers call a “middle class” of ransomware operators that conduct steady campaigns at moderate volumes, such as Play, Lynx and Fog. The trend varies for previous years, where a handful of major players like LockBit or Alphv dominated the victim count.

Although smaller, less active ransomware players may not sound too bad, it’s not a positive development, as the report argues that the diversification of attackers makes the threat environment less centralized and more unpredictable.

The growth in active threat actor groups also suggests that the ransomware ecosystem has not yet peaked in terms of actor diversity. Even when excluding prolific groups such as Clop and RansomHub from the data, the remaining figures still show substantial growth in victim counts.

The increase in ransomware groups is attributed in part to the realignment and reformation of ransomware gangs following law enforcement disruptions, which resulted in splintered or rebranded groups resuming operations under new names. The developments not only complicate tracking and attribution but also challenge defenders who must prepare for a broader range of tactics and targets.

Other findings in the report included a 75% increase in actively exploited flaws compared to the same period in 2024 and that manufacturing, retail and technology industries were the most heavily affected by ransomware in the first quarter.

“This record-breaking quarter was no coincidence,” explains Grayson North, principal security consultant of the GuidePoint Research and Intelligence Team. “We’re tracking more active ransomware and extortion groups than ever before, with a noticeable rise in high-volume attacks from emerging players formed out of disrupted gangs, like LockBit and AlphV.”

“The pressing question now is whether this surge represents a residual short-term spike or the beginning of a dark year for ransomware victims,” added North.

Image: SiliconANGLE/Reve