Cyble’s Annual Threat Landscape Report for 2025 documents a cybercrime environment that remained volatile even as international law enforcement agencies escalated disruption efforts. Large-scale takedowns, arrests, and infrastructure seizures failed to slow adversaries for long. Instead, cybercriminal ecosystems fractured, reorganized, and re-emerged across decentralized platforms, encrypted messaging channels, and invitation-only forums. The ransomware landscape, in particular, demonstrated a capacity for rapid regeneration that outpaced enforcement pressure.
According to Cyble’s report, ransomware was the most destabilizing threat category throughout 2025. Attacks expanded across government, healthcare, energy, financial services, and supply-chain-dependent industries. Many groups moved away from encryption-centric campaigns toward extortion-only operations, relying on data theft, public exposure, and reputational damage to extract payment. This shift reduced operational friction and shortened attack cycles, making traditional detection and containment models less effective.
Artificial intelligence further reshaped attacker operations. Cyble observed AI-assisted automation being embedded into multiple stages of the kill chain. Negotiation workflows were partially automated. Malware became more polymorphic. Intrusion paths were adapted in real time as defenses responded. These developments increased attack velocity while compressing dwell time, forcing defenders to operate with narrower margins for response.
Measured Threat Activity Across Underground Ecosystems
CRIL tracked 9,817 confirmed cyber threat incidents across forums, marketplaces, and leak sites during 2025. These incidents impacted organizations spanning critical infrastructure, government agencies, and law enforcement entities.
The breakdown of activity was heavily skewed toward monetized data exposure. 6,979 incidents involved breached datasets or compromised information advertised for sale. Another 2,059 incidents centered on the sale of unauthorized access, including credentials, VPN entry points, and administrative footholds. Government, law enforcement agencies (LEA), BFSI, IT & ITES, healthcare, education, telecommunications, and retail remained in the most consistently targeted sectors.
Geographic analysis showed a clear concentration of activity in Asia, where 2,650 incidents affected organizations through breaches, leaks, or access sales. North America followed with 1,823 incidents, while Europe and the United Kingdom recorded 1,779 incidents. At the country level, the United States, India, Indonesia, France, and Spain experienced the highest volume of targeting during the year.
Ransomware Growth and Structural Expansion
Cyble’s Annual Threat Landscape Report quantifies the scale of ransomware’s expansion over time. From 2020 to 2025, ransomware incidents increased by 355%, rising from roughly 1,400 attacks to nearly 6,500. While 2023 marked the largest year-over-year surge, 2025 produced the second-largest spike, with 47% more attacks than observed across the prior two years combined.
The ransomware landscape also broadened structurally. CRIL identified 57 new ransomware groups and 27 new extortion-focused groups emerging in 2025 alone. More than 350 new ransomware strains surfaced during the year, many derived from established codebases such as MedusaLocker, Chaos, and Makop. Rather than consolidating, the ecosystem continued to fragment, complicating attribution and enforcement.
Affiliate Mobility and Repeat Victimization
One of the most consequential trends documented in the Annual Threat Landscape Report was the recurrence of victim targeting. CRIL observed 62 organizations listed by multiple ransomware groups within the same year, sometimes within weeks. Across a five-year window, more than 250 entities suffered ransomware attacks more than once.
This pattern reflected widespread affiliate mobility. Ransomware-as-a-Service operators shared affiliates who moved between platforms, relisted victims, and reused stolen data to sustain pressure. Groups such as Cl0p, Qilin, Lynx, INC Ransom, Play, LockBit, and Crypto24 repeatedly claimed overlapping victims during short timeframes.
Several new groups, including Devman and Securotrop, initially operated within established RaaS programs before developing independent tooling and infrastructure. This progression blurred the line between affiliate and operator and further decentralized the ransomware landscape.
Law Enforcement Pressure and Criminal Countermoves
Law enforcement activity intensified throughout 2025. Authorities disrupted operations tied to CrazyHunters and 8Base and arrested or indicted affiliates associated with Black Kingdom, Conti, DoppelPaymer, RobbinHood, Scattered Spider, DiskStation, Ryuk, BlackSuit, and Yanluowang.
These actions forced tactical changes but did not suppress activity. CRIL confirmed insider recruitment efforts by Scattered Spider, LAPSUS$ Hunters, and Medusa. Other groups, including Play and MedusaLocker, publicly referenced similar recruitment strategies through announcements on their data leak sites. The ransomware landscape responded to enforcement pressure by becoming opaquer rather than less active.
Tactical Shifts Toward Extortion-Only Models
Operational realignment became more visible in 2025. Hunters International abandoned its RaaS model and rebranded as World Leaks, repositioning itself as an Extortion-as-a-Service provider while maintaining cross-relationships with RaaS operators such as Secp0. Analysis also indicated that Everest redirected part of its activity toward extortion-only campaigns, reducing reliance on encryption payloads.
The year also saw widespread rebranding. Hunters International became World Leaks. Royal re-emerged as Chaos. LockBit 3.0 evolved into LockBit 4.5 and later 5.0. HelloKitty resurfaced as Kraken. At the same time, numerous groups dissolved or ceased operations, including ALPHV/BlackCat, Phobos/8Base, Cactus, RansomHub, and CrazyHunter.
Victimology and Sector Impact
Ransomware victimology data revealed 4,292 victims in the Americas, 1,251 in Europe and the UK, 589 across Asia and Oceania, and 202 within META-region organizations. The United States accounted for 3,527 victims, followed by Canada (360), Germany (251), the United Kingdom (198), Brazil (111), Australia (98), and India (67).
Sectoral impact remained uneven but severe. Manufacturing recorded 600 impacted entities, with industrial machinery and fabricated metal manufacturers bearing the brunt. Healthcare followed with 477 victims, where general hospitals and specialty clinics were repeatedly targeted to exploit the sensitivity of Personal Health Information.
Construction, professional services, IT & ITES, BFSI, and government organizations also experienced sustained pressure.
Supply Chain Exploitation and Infrastructure Risk
Supply chain compromise emerged as a defining feature of the 2025 ransomware landscape. Cl0p’s exploitation of the Oracle E-Business Suite vulnerability CVE-2025-61882 affected more than 118 entities worldwide, primarily in IT & ITES. Among these victims were six organizations classified as critical infrastructure industries. Fog ransomware actors compounded supply chain risk by leaking GitLab source code from multiple IT firms.
Government and law enforcement agencies in the United States were targeted aggressively, with more than 40 incidents impacting essential public services. Semiconductor manufacturers in Taiwan and the United States remained priority targets due to their role as global production hubs. European semiconductor developers also faced attacks, though at lower volumes.
High-Impact Incidents and Strategic Targeting
Healthcare attacks continued to cause operational disruption, with repeated exposure of PHI used to intensify extortion pressure. Telecom providers faced sustained risk due to large-scale theft of customer PII, which threat actors actively traded and reused for downstream fraud. In several cases, ransomware groups removed breach disclosures from leak sites shortly after publication, suggesting successful ransom payments or secondary data sales.
Aerospace and defense organizations experienced fewer incidents but higher impact. One of the most significant events in 2025 was the attack on Collins Aerospace, which disrupted operations across multiple European airports and exposed proprietary defense technologies. Telemetry indicated disproportionate targeting of NATO-aligned defense developers.
Cyble’s Annual Threat Landscape Report makes one conclusion unavoidable: ransomware is no longer a disruption-driven threat; it is an intelligence-led, adaptive business model that thrives under pressure. The data from 2025 shows an ecosystem optimized for speed, affiliate mobility, and supply-chain leverage, with AI now embedded deep into extortion workflows and intrusion paths.
The Cyble Annual Threat Landscape Report provides complete datasets, regional breakdowns, threat actor analysis, and tactical intelligence drawn directly from CRIL’s monitoring of underground ecosystems. Readers can download the report to access the detailed findings, charts, and threat mappings referenced throughout this analysis.
Organizations looking to operationalize this intelligence can also book a Cyble demo to see how Cyble’s AI-powered threat intelligence platform translates real-world adversary data into actionable defense, combining automated threat hunting, supply-chain risk visibility, and predictive analytics driven by Cyble’s latest generation of agentic AI.
