The average dwell time for ransomware in OT environments is 42 days.

70% of global ransomware activity targets English-speaking countries.

44% of attacks in the Automotive and Smart Mobility ecosystem are ransomware-related, more than double the volume in 2024.

96% of incidents involving lateral movement end with the release of ransomware.

The fastest ransomware case observed, involving Akira ransomware, takes just three hours from breach to encryption.

Ransomware attacks against industrial organizations increased 64% year-over-year.

In the second half of 2025, 40% of all ransomware attacks targeted US-based companies.

In the second half of 2025, ransomware attacks against Canada and the UK accounted for a combined 30% of attacks.

Scattered Spider accounted for 42.9% of all actor-related alerts in the second half of 2025.

90% of ransomware incidents exploit firewalls through a CVE or a vulnerable account.

Organizations with comprehensive OT visibility detect and contain OT ransomware incidents in an average of 5 days, compared to the industry-wide average of 42 days.

The number of ransomware groups targeting industrial organizations increased 49% year-over-year to 119 groups, collectively impacting 3,300 organizations globally.

Manufacturing accounts for more than two-thirds of all ransomware victims.

Approximately 86% of ransomware attacks are never publicly reported.

The services industry recorded a 118% year-on-year increase in ransomware attack volume in 2025.

The healthcare sector accounted for 22% of all disclosed ransomware attacks in 2025.

The education sector saw ransomware attacks decrease by approximately 12% year-on-year in 2025.

A total of 130 different ransomware groups carried out attacks in 2025.

The Qilin ransomware group claimed 1,115 victims in 2025, making it the most active ransomware group across disclosed and undisclosed attacks.

The Play ransomware group accounted for 5% of disclosed ransomware attacks in 2025.