The Global Ransomware Landscape in 2025: 7,419 Victims, 126 Groups, and the Year Everything Changed

Methodology and Data Sources

This analysis draws primarily on ransomware.live, which continuously monitors dark web data leak sites operated by ransomware groups worldwide and records victim claims as they are published. It is the same dataset that underpins our UK-specific monthly analyses. We cross-reference it against reporting from Comparitech's 2025 end-of-year roundup, the Searchlight Cyber annual victim count, BlackFog's state of ransomware reports, Check Point Research's quarterly analyses, Cyfirma's monthly tracking, NordStellar, Sophos, Chainalysis, and Dragos.

A critical methodological note applies to every figure in this analysis. The data represents claims published on dark web leak sites by ransomware groups — predominantly the output of double extortion campaigns where groups encrypt data and/or threaten to publish it unless ransoms are paid. This is not a complete record of ransomware incidents globally. Most attacks that result in payment are never published. Many organisations that experience ransomware never disclose it publicly. BlackFog estimates that approximately 86% of ransomware attacks in 2025 went undisclosed. Comparitech counts 1,173 attacks confirmed publicly by the affected organisations, against a total victim claim count of 7,419 — meaning roughly 84% of claimed victims did not publicly acknowledge the incident.

The 7,419 figure, and all derivative statistics, represent the visible surface of ransomware activity. The true scale is significantly larger.

The Scale: 7,419 Victims, a 32% Increase, and Record Group Count

Comparitech recorded 7,419 ransomware victim claims globally in 2025, a 32% increase over the 5,631 recorded in 2024. Ransomware.live tracked a similar figure, with approximately 7,902 listings on dark web leak sites by year end. Searchlight Cyber's tally stood at 7,458. The variation between datasets reflects methodological differences in how duplicate claims, retracted listings, and non-ransomware extortion are handled. All three datasets point to the same conclusion: 2025 was the most active year for ransomware group victim publication on record.

On the aggregate numbers, one attack claim was published somewhere in the world approximately every 70 minutes on average. At peak periods — February 2025, when Clop's MOVEit and early Oracle exploitation batches coincided with high baseline activity from Qilin, RansomHub, and Akira — the global rate was closer to one every 45 minutes.

The group count is equally significant. Emsisoft identified between 126 and 141 active ransomware groups operating in 2025, up from approximately 70 in 2023 and 100 in 2024. BlackFog counted 130 groups carrying out attacks across the year. Searchlight Cyber identified 73 new groups in 2025 alone. The ecosystem is fragmenting: the top 10 groups accounted for only 56% of all published victims in Q3 2025, down from 71% in Q1, reflecting a market in which affiliate operators are increasingly distributing themselves across multiple platforms rather than concentrating under one dominant brand.

The Monthly Cadence: February's Record and the RansomHub Collapse

The year's monthly cadence tells a story that numbers alone do not fully capture.

January–February: Global victim counts started high and then surged. February 2025 was the single highest month ever recorded for ransomware victim claims, with between 856 and 1,014 published victims depending on the dataset. Clop's mass exploitation campaign using vulnerabilities patched in earlier Oracle and file transfer software updates drove a significant portion of this, alongside high baseline activity from RansomHub, Play, Qilin, and Akira. Cyfirma recorded 956 global victims in February alone, an 87% increase from January. The manufacturing sector saw a 112% monthly increase in February attacks; transportation surged 250%.

March–April: Activity remained elevated, with Q1 2025 recording approximately 2,063 victims, more than double Q1 2024's figures. On the 1st of April 2025, RansomHub — the group that had dominated global ransomware victim counts since mid-2024, averaging around 75 published victims per month — went dark. Its client communication portal went offline. Affiliates speculated about internal disputes. By May 2025, Dragonforce claimed to have absorbed elements of RansomHub's infrastructure under a white-label affiliate service model.

May–June: The ransomware ecosystem entered a transitional period. Q2 saw a 6% dip in the monthly average compared with Q1, partially attributable to the displacement of RansomHub affiliates as they migrated to Qilin, Akira, Play, and independent operations. June marked the approximate point at which Qilin's affiliate recruitment effort from the RansomHub vacancy became visible in the data: the group surpassed 75 victims per month, more than double its Q1 rate of 36, after an estimated 280% jump in claims between April and October. The M&S, Co-op, and Harrods retail attacks in April–May, attributed to Scattered Spider operating through the DragonForce RaaS platform, occurred during this transitional period and dominated UK and global headlines.

July–October: Monthly activity stabilised at historically high levels, approximately 520–540 new victims per month globally. Qilin achieved its single highest monthly output of 181 victims in October, a figure Check Point described as representing approximately 29% of all global attacks that month. The UK's JLR ransomware attack in September — causing an estimated £1.7–1.9 billion in economic damage and a five-week production halt at Halewood — was the UK's single most economically damaging cyber incident. LockBit 5.0 appeared in September, confirming the group's return after the February 2024 Operation Cronos disruption.

November–December: November 2025 was the second-highest month globally at 640 attacks (Cyble data), exceeded only by February. Clop's Oracle E-Business Suite exploitation campaign, using the zero-day CVE-2025-61882, was in full publication mode, pushing dozens of organisations into the victim list as ransom deadlines expired. The year ended with December as a sustained period rather than a holiday lull, with Safepay claiming five UK victims in five days over the Christmas–New Year period alone.

The Groups: Qilin's Dominance, Akira's Consistency, and Clop's Mass Exploitation

Comparitech's full-year group rankings, based on victim claims across all of 2025:

• Qilin: 1,034 claims (14% of all attacks). 172 confirmed. The most prolific ransomware group of 2025 by a substantial margin, quadrupling its 2024 output of 179 victims. Russia-linked, operating since 2022 as the Agenda group. Affiliate share of 80–85% attracted former RansomHub operators in bulk from April onwards. Targets: manufacturing (143 confirmed), services (108), finance (69), retail (50), construction (34). Introduced legal-pressure extortion features in Q2 — tools to file regulatory complaints and contact customers on victims' behalf.
• Akira: 765 claims. 116 confirmed. Consistent operation throughout the year, second-largest group by volume. Predominantly manufacturing and technology targets. Notable attacks include LG Energy Solution (South Korea, 1.67TB stolen). Particularly active against SonicWall VPN vulnerabilities.
• Clop: 454 claims. Mass exploitation operator. Responsible for the Oracle E-Business Suite CVE-2025-61882 campaign that began in October and continued through Q1 2026, and an earlier Oracle exploitation wave in Q1 2025 that drove February's record monthly count. Does not use encryption in most campaigns — pure data exfiltration and extortion. Publication arrives weeks or months after initial access.
• Play: 393 claims. Long-established, consistent group. Predominantly North American targets.
• SafePay: 374 claims. First observed September 2024, became a top-ten group within its first year. Strong UK and German focus, accounting for approximately 10% of its victims in each country. No conventional RaaS structure — appears to operate internally rather than through affiliates.
• INC Ransom: 359 claims. Notable for attacking the CodeRED emergency alert system in November, halting public emergency notifications across multiple US states.

Groups that were prominent in 2024 but significantly diminished or absent in 2025 include LockBit (disrupted by Operation Cronos, February 2024; returned as Lockbit5 in September 2025 but did not recapture former scale), RansomHub (ceased April 2025), BianLian, Hunters International (rebranded as Worldleaks, shifting to data-theft-only model), 8Base, and Cactus. The disruption of these groups did not reduce overall victim counts — their affiliates redistributed to surviving platforms, primarily Qilin.

New Groups That Emerged in 2025

Seventy-three new ransomware groups were identified in 2025 (Searchlight Cyber). Among the most analytically significant:

The Gentlemen: Appeared September 2025, claimed 38 victims in its first month of operation, and announced a 90/10 affiliate split in favour of operators — the highest affiliate share known in the market. This compensation model is specifically designed to attract the most experienced affiliate operators away from established groups.

Worldleaks: Emerged January 2025 as the Hunters International rebrand. Operates data-theft-only extortion, no encryption. Double-struck against UK victims (Wavenet and Thrings in December; Adelphi and Thames Valley Chamber in February 2026).

Sinobi: Appeared mid-2025. Assessed as a rebrand or close affiliate of the Lynx ecosystem. By October it ranked in the global top-five. Notable for targeting UK publishing and IT firms.

Lockbit5: LockBit's return. Debuted December 2025, with the first UK victim (Walters Group) claimed the same month. By March 2026 had claimed 157 victims globally.

Sector Analysis: Manufacturing Breaks Every Previous Record

Manufacturing was the single most targeted sector globally in 2025, accounting for 1,466 victim claims according to Comparitech — a 56% increase over 2024's 937. By NordStellar's count, the sector represented 19.3% of all recorded cases and maintained its position as the most targeted sector for the second consecutive year. KELA put the year-on-year manufacturing increase at 61% in the first nine months of the year.

Average ransom demands against manufacturers more than doubled in 2025, rising from $523,000 in 2024 to approximately $1.16–1.2 million. This reflects the sector's combination of high operational dependency (production lines cannot halt without immediate financial consequences), often unsophisticated security investment relative to revenue, and the increasing digitisation of operational technology environments. Dragos, which specifically tracks OT-adjacent ransomware, confirmed manufacturing as the most impacted sector in both Q1 and Q2 2025, accounting for 65% of all industrial ransomware incidents in Q2 alone.

The remainder of the sector breakdown across approximately 7,419 claims:

• IT and Technology: 524 incidents (NordStellar), up 35%
• Professional and Scientific Services: 494 incidents, up 30%
• Construction: 443 incidents, up 24%
• Healthcare: 444 claims (Comparitech), 134 confirmed. Broadly flat year-on-year (2% increase), possibly reflecting selective avoidance by some groups (Play consistently avoids healthcare) and improved sector defences after years of high-profile incidents
• Government: 374 claims, 196 confirmed. Up 27% from 2024
• Education: 252 claims, 93 confirmed. Broadly flat (+2%)
• Legal: 346 incidents, up 54%. Average ransom demands for legal firms increased 60% to $611,000, the second-largest sector-specific ransom increase after manufacturing
• Food and Beverage: Up 38%. Notable attacks include Asahi Group Holdings (Japan, 1.9 million customers affected)
• Retail: Up 37%. The UK retail attacks dominate the high-profile subset, but the volume increase extends across the global retail sector
• Transportation: Up 34%

Across the 1,173 confirmed attacks, approximately 59.2 million individual records were compromised. The largest single confirmed breaches were at the University of Phoenix (3.5 million records, Clop/Oracle campaign), DaVita kidney dialysis (2.69 million, Interlock), Co-operative Group (6.5 million members' data, DragonForce/Scattered Spider), and Conduent (15.9 million records, SafePay's single largest breach).

Geography: The United States and the Long Tail

The United States accounted for 3,810 of 7,419 total victim claims — 51.4% of global attacks, consistent with historical patterns and reflecting the concentration of high-value, digitally mature targets, the density of organisations using enterprise platforms exploited in mass campaigns (Oracle EBS, Salesforce integrations), and the dollar-denominated ransom economy that makes US organisations financially attractive ransomware targets.

The top five countries by victim count, and their year-on-year change:

• United States: 3,810 (+33% from 2024's 2,872)
• Canada: 392 (+31% from 300)
• Germany: 303 (+62% from 187 — the largest percentage increase among the top five)
• United Kingdom: 251 (-5% from 264 — the only top-five country to see a year-on-year decline)
• France: 178 (+39% from 128)

After the top five, notable country-level figures for 2025 include Italy (~140–160), Australia (~100, up ~67%), Spain (~90–100), India (~80–90), and Brazil (~50–60). South Korea entered the global top ten in Q3 following Qilin's targeted Korean Leaks campaign against asset management companies, attributable to a compromised upstream MSP. The campaign produced 30 South Korean victims in a single quarter, nearly all in financial services.

The UK's minor year-on-year decline from 264 to 251 should not be read as evidence of improvement. The absolute volume remains similar. The decline relative to other major economies partly reflects the shift in Clop's targeting toward Oracle EBS users concentrated in North America, and SafePay's Q3 focus, which Check Point confirmed was split approximately equally between Germany (20% of SafePay's victims) and the UK (10%). The UK's headline 2025 ransomware story is not in the dark web victim count but in the confirmed high-impact attacks against M&S, Co-op, Harrods, JLR, and the year-delayed confirmation that the 2024 Synnovis attack contributed to a patient death — incidents that do not appear in the ransomware.live data because some were handled without the encryption-and-leak model that generates dark web postings.

Regional Overview

Europe: Reported approximately 400–450 monthly victims at peak periods. Germany's 62% year-on-year increase places it as the fastest-growing major European target. SafePay and DragonForce concentrated disproportionate shares of their European activity in Germany and the UK. France remained in the top five globally. Check Point confirmed 85 active data leak sites operating in Q3 2025 alone, with Europe accounting for approximately 26% of industrial ransomware incidents.

Asia-Pacific: Approximately 467 Group IB-tracked attacks in 2024, with 2025 figures substantially higher. Japan, South Korea, and Australia were the primary targets. Australia experienced a 67% year-on-year increase, entering the global top ten. Japan's Asahi Group Holdings (brewing giant, ~1.9 million customers affected, Qilin) and Huis Ten Bosch (1.5 million records) were among the year's largest confirmed Asia-Pacific breaches. The Qilin Korean Leaks MSP campaign demonstrated how a single compromised service provider can generate dozens of simultaneous victims across an entire sector.

Latin America: Brazil, Argentina, Chile, and Mexico remained the primary targets in the region. RansomHub and INC Ransom had the highest Latin American victim counts in 2025 before RansomHub's collapse in April.

Middle East and Africa: The UAE, Saudi Arabia, and South Africa are the primary targets. The region's attack volume remains lower than the top economies but is growing as digital infrastructure expands. Kaspersky noted that the Middle East and APAC had the highest share of users attacked by ransomware among enterprise regions.

The Year's Defining Incidents

The UK Retail Siege: M&S, Co-op, and Harrods (April–May 2025)

In the spring of 2025, three of the UK's most recognisable retail brands were compromised within ten days of each other, in a coordinated campaign attributed to Scattered Spider operating through the DragonForce RaaS platform. The attacks were technically sophisticated social engineering operations targeting identity infrastructure, particularly Okta configurations and help desk procedures, rather than perimeter vulnerabilities.

Marks and Spencer's attack, which began with initial access in approximately February 2025, resulted in the deployment of DragonForce ransomware on or around the 24th of April. Online orders were suspended. Contactless payments in physical stores were disrupted. Customer personal data was confirmed stolen. M&S reported a £300 million loss in operating profit attributed to the incident, making it the most financially damaging cyber attack on a UK retailer. The Co-operative Group's swift isolation of systems on detection of the attack prevented a full ransomware deployment but still resulted in 6.5 million members' data being exfiltrated by Scattered Spider. Harrods also confirmed a breach in May. Four individuals aged between 17 and 20 were arrested in July 2025 in connection with the UK retail attacks.

Jaguar Land Rover: Britain's Most Economically Damaging Cyber Incident (September 2025)

On the 1st of September 2025, JLR suffered a major ransomware attack attributed to a group calling itself Scattered Lapsus$ Hunters — an apparent collaboration between Scattered Spider, ShinyHunters, and Lapsus$ operating through DragonForce ransomware. Production halted at JLR's Halewood and other UK manufacturing sites during one of the busiest periods of the automotive calendar for new registrations. The five-week production halt generated an estimated £1.7–1.9 billion in national economic damage, with direct JLR revenue impact of approximately £120 million per month and downstream supply chain disruption across hundreds of UK automotive suppliers. Staff at Halewood were told to apply for Universal Credit while production was suspended.

Synnovis: Ransomware Confirmed to Have Contributed to Patient Death

The Qilin ransomware attack on Synnovis — a pathology services provider serving multiple NHS trusts in London — occurred in June 2024. Its significance to 2025 is the formal confirmation of its consequences. In November 2025, UK authorities confirmed that the attack was a contributory factor in an unexpected patient death at King's College Hospital NHS Foundation Trust. The patient had faced extended wait times for blood test results due to the attack's disruption of pathology services, and a detailed investigation identified the cyberattack as a contributing factor. This is one of the first cases globally where ransomware has been formally and officially linked to a patient death — confirming what the healthcare security community had warned was inevitable.

Oracle E-Business Suite: Clop's Platform Exploitation at Scale (October–December 2025)

In October 2025, Oracle issued an emergency patch for CVE-2025-61882, a zero-day vulnerability in Oracle E-Business Suite that enabled unauthenticated remote code execution. Clop had been exploiting the vulnerability silently for weeks prior to disclosure, systematically exfiltrating payroll, HR, and financial databases from organisations running unpatched Oracle EBS environments. Google's GTIG confirmed the campaign. Identified victims included GlobalLogic (Hitachi subsidiary), Barts Health NHS Trust in London, and hundreds of organisations globally across finance, education, and enterprise services. The University of Phoenix suffered a breach affecting 3.5 million individuals. The campaign continued generating UK victim publications throughout Q4 2025 and into January–February 2026.

The Salesforce SaaS Supply Chain Campaign (July–October 2025)

The Scattered Lapsus$ Hunters coalition — also active against JLR — executed a large-scale extortion campaign against organisations using Salesforce-integrated third-party platforms. By compromising developers and support staff at Salesforce integration vendors, the group stole OAuth tokens and signing credentials, enabling island-hopping across client environments. Qantas (5.7 million customers), and organisations including Toyota, McDonald's, and Disney were among confirmed affected parties. The campaign highlighted that in 2025, the SaaS supply chain itself had become a primary ransomware attack surface.

The Encryption Paradox: More Attacks, Less Encryption

One of 2025's most analytically significant trends sits in apparent tension with the volume data. As attack claims reached record highs, the proportion of attacks that involved data encryption fell to its lowest recorded level. Sophos reported that only 49% of attacks in 2025 resulted in data encryption, down from 66% in 2024 and a steep decline from 85% in 2019. The percentage of attacks stopped before encryption occurred reached 47% in 2025, more than double the 22% recorded in 2023.

This trend has a structural explanation. The shift toward pure data exfiltration and extortion — pioneered by groups like Clop and adopted as a secondary capability by Worldleaks (formerly Hunters International) and others — removes the operational complexity and detection risk of deploying encryption payloads. Ransomware groups have discovered that the threat of publishing sensitive data can be as effective a lever as operational disruption, particularly against organisations with regulatory exposure under GDPR, HIPAA, or financial sector data protection frameworks. The fraction of attacks involving extortion without encryption rose from 3% in 2024 to 6% in 2025.

The paradox resolves once the economics are understood. More victims are stopping attacks before encryption, so the encryption rate falls. But groups compensate by increasing volume, ensuring the absolute number of successful data exfiltrations continues to grow. The attack rate rises; the encryption rate falls; the exfiltration rate rises. The net result is more organisations facing extortion pressure from stolen data rather than locked systems.

Payment Economics: Fewer Organisations Paying, But Higher Stakes per Payment

Multiple data sources converge on a picture of declining payment rates throughout 2025. Chainalysis tracked approximately $820 million in on-chain ransomware payments in 2025, a further decline from 2024's $813 million and well below 2023's $1.25 billion peak. Coveware's data shows payment rates falling to 23% in Q3 2025 and approximately 20% in Q4 — levels the firm described as historically unprecedented. Fortinet's figures indicate that 63% of organisations refused to pay in 2025, up from 59% in 2024 and 41% in 2022.

This structural decline in payment rates reflects improved organisational resilience (better backups, tested incident response plans, and increased awareness that payment does not guarantee data deletion), the influence of law enforcement guidance, and the emergence of free decryption tools for some variants.

Yet the individual economics remain severe. Sophos' enterprise survey found a median ransom payment of $1 million in 2025. The average total cost of a ransomware attack — including downtime, recovery, legal, regulatory, and reputational costs but excluding the ransom itself — averaged $1.53 million in recovery costs, down from $3.12 million in 2024, but the global average cost of a breach reached $5.08 million including all factors. For the organisations that did pay, 53% negotiated a lower amount than initially demanded; 29% paid the full demand; 18% ended up paying more. And 69% of organisations that paid were attacked again within a year.

Law Enforcement: Disruption Without Attrition

2025 saw continued and in some respects unprecedented law enforcement activity against ransomware infrastructure. Operation Cronos, which dismantled LockBit in February 2024, had its successor actions in 2025. European authorities acted against several RaaS affiliate operators. Multiple Scattered Spider members were arrested in the UK in July. International cooperation through Europol, the FBI, the NCA, and CISA produced arrests and infrastructure seizures across the year.

The data verdict on law enforcement effectiveness is uncomfortable: disruption does not produce attrition. The total number of active ransomware groups rose from approximately 70 in 2023 to between 126 and 141 in 2025, despite some of the most significant enforcement actions in the threat's history. The explanation lies in the RaaS affiliate model. When a RaaS platform is disrupted, its administrators face legal consequences, but the affiliate operators who conducted the intrusions typically move to other platforms. LockBit's disruption propelled RansomHub; RansomHub's collapse propelled Qilin. The affiliates themselves — the operators who compromise networks, steal data, and deploy payloads — are distributed, pseudonymous, and difficult to individually identify. Check Point Research described the consequence: enforcement disrupts infrastructure and can result in arrests, but it does not eliminate the affiliate operators who drive operational execution, which results in only short-term interruptions.

The UK government's proposed Cyber Security and Resilience Bill, expected to give regulators powers to fine organisations that fail to meet cybersecurity requirements, and proposed legislation to ban public sector organisations from paying ransoms, represent a policy response to this recognition: if enforcement cannot reliably suppress supply, reducing demand through improved organisational resilience and reducing the financial reward through payment bans may be more effective instruments.

Access Vectors: How Ransomware Groups Got In

Sophos' enterprise survey identified the following distribution of initial access vectors in 2025:

• Exploited vulnerabilities: 29% of incidents (the most common technical root cause)
• Phishing: 21%
• Compromised credentials: 21% (down from 29% in 2024)
• Unknown security gap: 40% of enterprise victims cited this as a contributing factor

The specific vulnerabilities most exploited in 2025 include Fortinet FortiGate authentication bypass flaws (CVE-2024-21762, CVE-2024-55591), exploited extensively by Qilin affiliates between May and June 2025; Oracle E-Business Suite (CVE-2025-61882, Clop); SAP NetWeaver Visual Composer (CVE-2025-31324, CVSS 10.0, Qilin); SonicWall SSLVPN (Akira affiliates); and SharePoint ToolShell chained exploits (CVE-2025-53770/53771, APT27/APT31 and Storm-2603). The pattern of enterprise VPN and remote access platform exploitation is consistent across the highest-volume groups: Qilin, Akira, and SafePay all rely primarily on valid or compromised credentials accessing VPN gateways as their standard initial access method.

Cisco Talos identified an additional exfiltration technique becoming increasingly common in Qilin incidents: use of the open-source file transfer tool Cyberduck to move stolen data to cloud services, leveraging trusted cloud infrastructure to conceal malicious data transfer in monitoring tools configured to block known malicious domains but not legitimate cloud storage endpoints.

Artificial Intelligence: Emerging Role, Not Yet Dominant

The role of AI in ransomware operations in 2025 is real but nuanced, and should be characterised accurately rather than sensationally. Two distinct uses emerged during the year.

The first is AI-assisted tooling at the development and support level. FunkSec, a group that appeared in late 2024 and briefly surpassed established groups in December 2024 victim counts, used AI-generated code in its ransomware, identifiable by stylistically unusual but technically correct commenting. The group used AI to accelerate ransomware development without requiring deep programming expertise in its operators.

The second is the use of LLMs for social engineering and phishing at scale, making initial access operations more targeted and linguistically convincing. EncryptHub, which compromised over 600 organisations through spear-phishing and social engineering in 2024–2025, is assessed to have used AI tooling to generate convincing impersonation content.

BlackFog's 2025 annual report noted the detection of the first large-scale ransomware campaign where an AI model was used autonomously during network traversal and data identification phases, operating without continuous human direction during critical attack phases. This represents a qualitative escalation in capability and automation, though it remains an outlier rather than a standard operational approach across the 2025 victim dataset.

What 2025 Means for 2026

Several structural characteristics of 2025 have direct implications for threat modelling going into 2026.

Fragmentation will continue. The number of active groups doubled between 2023 and 2025. Lockbit5's return in December and The Gentlemen's 90/10 affiliate split signal continued competition for affiliate talent. More groups means more parallel independent campaigns, more diverse exploitation toolkits, and less predictable targeting patterns. The probability of a UK SME being claimed by an obscure group that no threat briefing has mentioned is higher in 2026 than it was in 2024.

Platform exploitation will remain the primary mass-scale vector. Clop's Oracle EBS campaign demonstrated that a single zero-day in a widely deployed enterprise platform can generate hundreds of victims simultaneously. The MOVEit campaign of 2023 established the template. Oracle EBS in 2025 executed it at scale. The platforms deployed across UK organisations — enterprise ERP, cloud file transfer, VPN gateways, identity providers — represent exactly the attack surface that mass exploitation campaigns target.

Supply chain and MSP targeting will intensify. The Qilin Korean Leaks MSP breach produced 30 simultaneous victims. Anchor Computer Systems in the UK (February 2026, Qilin) serves over 300 mortgage lenders. Wavenet (December 2025, Worldleaks) managed cybersecurity services for thousands of UK businesses. The return on investment for targeting a service provider that touches hundreds of downstream organisations is substantially higher than targeting individual organisations. This dynamic will not diminish.

The encryption rate will continue to fall while exfiltration rates rise. The shift to pure extortion without encryption removes operational complexity and detection risk for attackers. As more organisations develop encryption-resilient backup and recovery capabilities, the relative value of data theft over system lockdown increases. Organisations that believe strong backups solve the ransomware problem are correct about one half of the threat and wrong about the other.

Payment rates will continue to decline, but the economics of non-payment are not risk-free. Fewer organisations paying is genuinely good news for the ecosystem. But 69% of organisations that paid were attacked again. Organisations that refuse to pay face the publication of sensitive data, regulatory investigation, and client notification obligations. The alternative to payment is not a clean outcome — it is a choice between two different forms of significant harm.