Emsisoft 
The State of Ransomware in the U.S.: Report and Statistics 2025
Introduction
Despite arrests, takedowns, and the apparent collapse of several major ransomware groups, 2025 delivered no slowdown in ransomware harm. Victim numbers climbed sharply, new groups emerged, and attackers increasingly found success with social engineering over technical exploits.
Disappearance of Major RaaS Groups — and the Rise of New Ones
As I sit down to look back on the year that was 2025, I’m struck by how much things have changed, yet how much they’ve stayed the same.
Despite notable progress by international law enforcement in disrupting ransomware gangs—through arrests, infrastructure seizures, and dark-web takedowns—the overall number of victims continues its relentless rise.
2025 by the Numbers
To analyze ransomware activity in 2025, we relied on global data from RansomLook.io and Ransomware.live, two highly respected platforms that track ransomware victim claims across dark-web leak sites, criminal forums, Telegram channels, and other underground sources.
Their different approaches to tracking activity yield slightly different data, providing independent but largely consistent data sets, particularly since 2023. We’ve analyzed data from the last several years to see what trends, if any, present themselves.
Victim Growth Continues Unabated
The number of victims claimed by ransomware groups over the last 3 years has continued to steadily increase. Although these claims are not always accurate, the numbers nevertheless give us visibility into general trends. It’s important to remember that these numbers are without a doubt significantly lower than the actual number of victims, as only the minority of incidents get reported and tracked.
| RansomLook.io | 2023 | 2024 | 2025 |
| Claimed victims | 5422 | 6034 | 8835 |
| Year/year growth | 19% | 11% | 46% |
| Ransomware.live | 2023 | 2024 | 2025 |
| Claimed victims | 5336 | 6129 | 8159 |
| Year/year growth | 87% | 15% | 33% |
Since 2023, the number of globally claimed victims has increased from approximately 5400 annually to over 8000 in 2025. Double digit annual growth has led to 2023/2025 increases of between 53% (using Ransomware.live data) and 63% (RansomLook.io data).
There has been speculation amongst ransomware observers that international law enforcement activity targeting ransomware groups and their affiliates has resulted in fragmentation and emergence of new ransomware groups. This is difficult to establish, but the data related to group activity can provide some interesting insights.
As the number of victims has grown, so has the number of ransomware groups. In fact, the number of groups seems to keep pace with the number of victims, as the average number of victims per active group has remained relatively steady since 2023. Perhaps the attention that large ransomware groups draw from law enforcement results in regular splintering and rebranding of successful operators.
| RansomLook.io | 2023 | 2024 | 2025 |
| Active Groups | 72 | 103 | 141 |
| Active Group Increase | 16% | 43% | 37% |
| Avg Victims/Group | 75 | 59 | 63 |
| Ransomware.live | 2023 | 2024 | 2025 |
| Active Groups | 71 | 96 | 126 |
| Active Group Increase | 9% | 35% | 31% |
| Avg Victims/Group | 75 | 64 | 65 |
There continues to be a lot of churn with the top ransomware groups with the most claimed victims. Over the past 3 years, the top 5 groups have been:
| RansomLook.io Group (victims) | 2023 | 2024 | 2025 |
| 1 | Lockbit 3 (1054) | Ransomhub (632) | Qilin (1029) |
| 2 | Alphv (454) | Lockbit3 (585) | Akira (640) |
| 3 | Cl0p (399) | Play (354) | Cl0p (549) |
| 4 | Play (305) | Akira (313) | Play (385) |
| 5 | 8base (280) | Hunters (234) | Safepay (380) |
| Ransomware.live Group (victims) | 2023 | 2024 | 2025 |
| 1 | Lockbit 3 (1054) | Ransomhub (611) | Qilin (1058) |
| 2 | Alphv (627) | Lockbit3 (537) | Akira (750) |
| 3 | Cl0p (389) | Play (367) | Cl0p (518) |
| 4 | Play (318) | Dispossessor (344) | Play (391) |
| 5 | 8base (278) | Akira (317) | Incransom (388) |
Law Enforcement Pressure and Group Disappearances
Despite the growing victim counts, 2025 saw several well-known ransomware groups either go silent or disappear entirely. While not all cessations can be directly attributed to law enforcement action, many strongly suggest disruption.
Notable groups that ceased or paused activity in 2025 include:
- RansomHub – last post Jan 24 2025 – Qilin’s gain?
- Babuk-Bjorka – last post Apr 4 2025
- FunkSec – last post Mar 19 2025
- BianLian – last post Mar 31 2025
- 8Base – last post Feb 1 2025 – LEO takedown
- Cactus – last post Jan 30 2025
- Hunters International, Jan 20 2025 – Posted note on DLS stating decision to shut down
The disappearance of successful groups often results in open competition to attract the most productive affiliates. We can hold out hope that although victim counts continue to increase, the pressure being applied by international law enforcement activity does appear to be having an impact on the criminal gangs.
Loose affiliations: The year of Scattered Spider, ShinyHunters, Lapsus$ and Scattered LAPSUS$ Hunters
Scattered Spider and ShinyHunters had an infamously active year in 2025, but they’ve been around for a while and had alarmingly active periods in the past. ShinyHunters raised a lot of eyebrows in spring of 2020 when they emerged and claimed to be selling hundreds of millions of records from multiple sources, including Microsoft. In 2025 they breached multiple companies with their social engineering tactics targeting Salesforce customers. They appear to crave the attention, or more accurately, the notoriety of these attacks. This sort of hubris suggests a lack of vision and maturity, as notoriety garners the attention of law enforcement agencies which have targeted and arrested some members of ShinyHunters. Scattered Spider on the other hand made headlines with high-profile attacks on UK companies including Marks & Spencer, Co-op, and Harrods resulting in four arrests.
In an egregiously uninspired display of branding, the loosely affiliated hacker groups Scattered Spider, ShinyHunters and Lapsus$ joined forces to form Scattered Lapsus$ Hunters and proceeded to breach Jaguar Land Rover in the UK. This attack alone is estimated to have had a cost the UK GDP an eye-watering $2.55B.
The key takeaway from all of this is that these criminal groups are good at social engineering: convincing people over the phone to hand over login credentials. This kind of threat will only get worse with AI-generated deep fakes, so effective cybersecurity involves not only technological solutions, but awareness: informed and educated employees are a key component of a solid defensive stance.
Conclusion: Disruption Without Decline
The ransomware landscape in 2025 tells a sobering story. Law enforcement efforts are working—they are fragmenting major groups, forcing shutdowns, and creating instability at the top. Yet this disruption has not translated into fewer victims.
Instead, ransomware has become more decentralized, more competitive, and more resilient. As long as affiliates remain plentiful and social engineering remains effective, victim counts are likely to continue rising.
Emsisoft Endpoint Protection: Award-Winning Security Made Simple
Experience effortless next-gen technology. Start Free TrialThe path forward cannot rely on technology alone. Cyber resilience now depends equally on human awareness. Educated employees, tested incident-response plans, and realistic threat modeling are essential defenses in a world where ransomware groups may fall, but ransomware itself shows no sign of slowing.
