Ransomware attacks against industrial organizations increased 64% year-over-year.

Organizations with comprehensive OT visibility detect and contain OT ransomware incidents in an average of 5 days, compared to the industry-wide average of 42 days.

The average dwell time for ransomware in OT environments is 42 days.

70% of global ransomware activity targets English-speaking countries.

In the second half of 2025, 40% of all ransomware attacks targeted US-based companies.

In the second half of 2025, ransomware attacks against Canada and the UK accounted for a combined 30% of attacks.

Scattered Spider accounted for 42.9% of all actor-related alerts in the second half of 2025.

44% of attacks in the Automotive and Smart Mobility ecosystem are ransomware-related, more than double the volume in 2024.

90% of ransomware incidents exploit firewalls through a CVE or a vulnerable account.

The fastest ransomware case observed, involving Akira ransomware, takes just three hours from breach to encryption.

96% of incidents involving lateral movement end with the release of ransomware.

Manufacturing accounts for more than two-thirds of all ransomware victims.

The number of ransomware groups targeting industrial organizations increased 49% year-over-year to 119 groups, collectively impacting 3,300 organizations globally.

The services industry recorded a 118% year-on-year increase in ransomware attack volume in 2025.

The healthcare sector accounted for 22% of all disclosed ransomware attacks in 2025.

The education sector saw ransomware attacks decrease by approximately 12% year-on-year in 2025.

Approximately 86% of ransomware attacks are never publicly reported.

The Qilin ransomware group claimed 1,115 victims in 2025, making it the most active ransomware group across disclosed and undisclosed attacks.

The Play ransomware group accounted for 5% of disclosed ransomware attacks in 2025.

The United States accounted for 58% of all recorded disclosed ransomware attacks in 2025.