Darhost

2026-05-04 14:02:51

Ransomware Crisis Hits Record High in 2025 Despite Decline in Profitability, Mandiant Warns

Ransomware attacks hit record highs in 2025 despite declining profits; exploits, data theft surge; REDBIKE leads; old groups collapse, new ones emerge. Mandiant warns of evolving threat.

Ransomware Attacks Surge to Record Levels, Fueled by New Groups and Weak Security

Ransomware attacks hit an all-time high in 2025, with more victims appearing on data leak sites than ever before, according to a new report from Mandiant Consulting. The surge comes even as the overall profitability of ransomware operations declines, driven by improved defenses and law enforcement crackdowns.

Source: www.mandiant.com

“The ransomware ecosystem is in turmoil, but it’s not disappearing — it’s evolving,” said Bavi Sadayappan, lead threat analyst at Mandiant. “We’re seeing a ‘churn and burn’ cycle where old groups collapse and new ones emerge, often more aggressive.”

Key Findings: Exploits, Data Theft, and Virtualization Targets

In one-third of ransomware incidents analyzed, initial access came from exploits of vulnerabilities in VPNs and firewalls. Data theft occurred in 77% of cases, a sharp rise from 57% in 2024. Nearly half (43%) of intrusions targeted virtualization infrastructure, up from 29% the year before.

“Attackers are going after the backbone of modern IT – hypervisors and virtual machines – to maximize disruption,” explained Zach Riddle, senior incident responder at Mandiant. “Once they compromise virtualization, they can hold entire data centers hostage.”

Top Ransomware Families: REDBIKE Leads the Pack

The most deployed ransomware family in 2025 was REDBIKE, responsible for 30% of incidents investigated. Other notable groups include the reborn Qilin and Akira, which filled vacuums left by dismantled operations like LockBit and ALPHV.

“We’ve seen RaaS groups come and go, but the infrastructure is so commoditized that new players step in within weeks,” noted Ioana Teaca, threat intelligence analyst. “The barrier to entry has never been lower.”

Background

Since 2018, financially motivated cybercriminals have shifted from simple data theft to ransomware deployments following network intrusion. The ransomware-as-a-service (RaaS) model proliferated, enabling low-skilled attackers to launch devastating attacks. However, improved cybersecurity practices, better recovery capabilities, and declining ransom payment rates have squeezed profits.

Major law enforcement operations — including takedowns of LockBit, ALPHV, and RansomHub — caused temporary disruptions but failed to stem the tide. Internal conflicts among group members have also led to splintering and rebranding. Mandiant’s data comes from incident response engagements and represents a sample of global ransomware activity, not a complete picture.

What This Means

The record victim count in 2025 suggests that despite reduced profitability, ransomware remains a top threat. Attackers are adapting by focusing on high-impact targets (virtualization) and increasing data theft to pressure victims. The decline in the use of traditional tools like BEACON and MIMIKATZ, along with reliance on remote management tools, indicates a shift toward living-off-the-land techniques.

Organizations must prioritize patching VPNs and firewalls, strengthening virtualization security, and preparing for data exfiltration. “This is not a problem that will be solved by a single fix,” said Kimberly Goody, director of cyber investigations. “It requires continuous vigilance, layered defenses, and rapid incident response.”

Genevieve Stark, technical director at Mandiant, added: “The ransomware landscape is more complex than ever. Businesses need to treat ransomware as a business risk, not just an IT problem.”
