Scattered Spider accounted for 42.9% of all actor-related alerts in the second half of 2025.

In the second half of 2025, ransomware attacks against Canada and the UK accounted for a combined 30% of attacks.

The number of ransomware groups targeting industrial organizations increased 49% year-over-year to 119 groups, collectively impacting 3,300 organizations globally.

Organizations with comprehensive OT visibility detect and contain OT ransomware incidents in an average of 5 days, compared to the industry-wide average of 42 days.

The average dwell time for ransomware in OT environments is 42 days.

Manufacturing accounts for more than two-thirds of all ransomware victims.

Ransomware attacks against industrial organizations increased 64% year-over-year.

In the second half of 2025, 40% of all ransomware attacks targeted US-based companies.

70% of global ransomware activity targets English-speaking countries.

44% of attacks in the Automotive and Smart Mobility ecosystem are ransomware-related, more than double the volume in 2024.

90% of ransomware incidents exploit firewalls through a CVE or a vulnerable account.

The fastest ransomware case observed, involving Akira ransomware, takes just three hours from breach to encryption.

96% of incidents involving lateral movement end with the release of ransomware.

Publicly disclosed ransomware increased by 49% year-on-year, reaching 1,174 incidents, nearly four times higher than in 2020.

The Play ransomware group accounted for 5% of disclosed ransomware attacks in 2025.

The Qilin ransomware group claimed 1,115 victims in 2025, making it the most active ransomware group across disclosed and undisclosed attacks.

A total of 130 different ransomware groups carried out attacks in 2025.

The United States accounted for 58% of all recorded disclosed ransomware attacks in 2025.

The services industry recorded a 118% year-on-year increase in ransomware attack volume in 2025.

The healthcare sector accounted for 22% of all disclosed ransomware attacks in 2025.