Searchlight Cyber has published its latest ransomware report based on dark web intelligence, covering 2025, described as a record year for such attacks. The report, “Ransomware’s Record Year: Tracking a Volatile Landscape in H2 2025” states that ransomware groups listed a record 7,458 victims on dark web leak sites in 2025, representing a 30pc increase compared to 2024.
This report points to a marginal 0.24pc decline in victims in the second half of the year compared to the first. The firm’s researchers also tracked a record-breaking 93 active ransomware groups in the second half of 2025 alone, with 2025 seeing the highest number of new groups emerging on the dark web. The research also identified:
-
A more complex and fragmented landscape: 2025 saw 124 active groups in total, more than any previous year recorded. 73 new ransomware groups were identified across 2025, with 38 appearing in the second half of the year alone.
-
The increasing velocity of victimization: On an annual basis, the growth rate of victims more than doubled, from a 12pc increase in 2024 to 30pc in 2025.
-
Qilin dominated the landscape as the most prolific group, marking a 420pc year-over-year increase in victims.
-
The emergence of “Supergroups”: The report tracks the formation of high-profile collaborations, such as Scattered Lapsus$ Hunters, where threat actors pool talents to scale operations.
-
AI as a catalyst: Artificial Intelligence is lowering the barrier to entry, allowing new groups to automate malware development and conduct hyper-personalized social engineering.
Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, said: “2025 was a record year for ransomware, driven by a professionalized ecosystem that remains devastatingly effective despite increased pressure from global law enforcement. While we saw a very slight dip in victim numbers in the second half of the year, this should not be interpreted as a victory. The landscape continues to fragment; large monolithic syndicates are fracturing into smaller, agile cells, and with the number of active groups at an all-time high, the threat landscape has become more complex and difficult to track than ever before.”
Tactics and top players
The report outlines a shifting leaderboard for the top five most prolific ransomware groups by victim count in H2 2025:
-
Qilin (697 victims)
-
Akira (384 victims)
-
IncRansom (213 victims)
-
Sinobi (180 victims)
-
Play (164 victims)
Qilin caused spikes in victims in October and December following an announced coalition with the Dragonforce and LockBit groups. Meanwhile, newcomers like Sinobi have made the rankings within months of their debut, using a disciplined Ransomware-as-a-Service (RaaS) structure, the cyber firm adds. ‘Shadow Exposure’ in third-party software remains a critical vulnerability. Threat actors are increasingly weaponizing vulnerabilities in software supply chains faster than patch cycles can keep up.
The report stresses the necessity of preemptive approaches to defend against ransomware, detailing methods to combat the Initial Access Broker (IAB) ecosystem and identify sensitive data in third party ransomware leak files before an attack is deployed. Luke Donovan added: “In the high-stakes game of ransomware in 2026, the only way to truly win is to ensure you aren’t an eligible target in the first place. Offensive law enforcement operations are vital, but our data shows they cannot be the only solution. Organizations must adopt a preemptive strategy, maintaining visibility and mitigating exposures to neutralize threats before they escalate into full-blown attacks.”
