Ransomware attacks in 2024 had an upward pattern and will likely continue in 2025 as many more new victims were listed in ransomware groups’ data leak websites in January and February. Cybersecurity company Cyble recently reported that about 599 victims were added to data leak sites in February and 518 in January.
Most of the victims are located in the United States. The number of U.S. victims increased by 149% compared to the first 35 days of 2024. 282 new U.S. victims were listed on data leak sites in the first 35 days of 2024, and 378 were listed at the same time in 2025. Attacks on Canadian companies significantly increased from 14 attacks in the first 35 days of 2024 to 46 attacks in the same time in 2025. Although attacks in North America still rise, the number of attacks in other nations has little changes.
Cycle notes the spike in ransomware attacks in North America is probably because of the belief within ransomware groups that attacks in the region tend to get ransom payments than attacks in other places. This may be a result of some remarkably publicized ransomware attacks in 2024 that succeeded in getting sizable ransom payments. Information from Chainalysis shows increasing unwillingness of victims to give ransom payments, as ransom payments decline by 35% year-over-year. Nevertheless, that can prompt ransomware groups to carry out more attacks.
At the beginning of 2024, the most prolific ransomware group was LockBit. However, because of a law enforcement operation, the LockBit group operation was disrupted and never fully recovered. Many of the group’s experienced affiliates turned to other groups like RansomHub and ALPHV/BlackCat group, which grew quickly to becoming 2024’s most prolific group.
This 2025, RansomHub has slipped to 5th place conducting only 23 attacks after Cl0p with 81 attacks, Akira with 63 attacks, Lynx with 32 attacks, and Qilin with 29 attacks. Cyble stated that LockBit is organizing a comeback and could once more become the most active ransomware group this 2025.
Healthcare is a popular sector targeted by ransomware groups with no less than 33 attacks to date in 2025. Other sectors more often targeted are construction with 50 attacks and professional services with 47 attacks. IT and IT service providers had 29 attacks with the possibility of the attacks impacting downstream clients.
The attack volume increased year over year, which indicates that ransomware attacks will continue. Businesses must always give attention to improving their defenses, beginning with enhancements to baseline security. Healthcare organizations need to ensure HIPAA compliance to protect against possible cyberattacks.