Ransomware attacks kept climbing in 2025 as gangs refused to stay dead
If 2025 was meant to be the year ransomware started dying, nobody appears to have told the attackers.
In its 2025 State of Ransomware in the US report, security firm Emsisoft says ransomware attacks continued to climb last year, with more victims appearing on extortion sites and more groups operating than ever before. The figures climbed even as police and prosecutors notched up a string of wins against ransomware groups, such as the global takedown of BlackSuit in August.
Trackers keeping an eye on ransomware leak sites logged more than 8,000 claimed victims worldwide in 2025, a rise of more than 50 percent compared to 2023. The counts come from outfits watching dark web shaming pages such as Ransomware.live and RansomLook.io, so they only include cases where crooks decided to post receipts. Plenty of victims, Emsisoft says, will have paid up, recovered, or kept quiet without ever appearing on a leak site.
Emsisoft's numbers also suggest there are more gangs in the game than there were a couple of years ago, with the count of active ransomware crews climbing from a few dozen in 2023 to well into three figures by the end of 2025. Instead of a handful of mega-brands dominating, the scene now looks messier, with lots of smaller outfits popping up, disappearing, and reappearing under new names as affiliates drift between operations.
That could explain why all the splashy takedowns haven't translated into fewer ransomware attacks. While pulling the plug on a gang's infrastructure might kill one brand, it rarely kills the people behind it, who tend to resurface quickly under a new name or latch onto the next crew looking for experienced hands.
Even so, the same handful of ransomware brands kept turning up again and again on leak sites last year, with names like Qilin, Akira, Cl0p, and Play racking up large victim counts. Emsisoft warns against treating those tallies like a proper leaderboard, though, since some gangs are far louder than others when it comes to naming and shaming victims.
The report also points to a change in how many ransomware break-ins actually start. Bugs and exposed services still play a role, but gangs are leaning harder on old-fashioned tricks such as phishing, stolen logins, and social engineering to get a foot in the door, with crews that include Scattered Lapsus$ Hunters favoring approaches that go straight around perimeter defenses rather than through them.
Emsisoft threat intelligence analyst Luke Connolly says the churn, along with this change in tactics, is what keeps ransomware ticking over: affiliates move on, names disappear, and the same attacks keep happening under different banners.
"As long as affiliates remain plentiful and social engineering remains effective, victim counts are likely to continue rising," he said.