Ransomware Expands into New Sectors and Regions, With Public Sector at High Risk A new report from CyberCube’s Global Threat Briefing for H2 2025 reveals that ransomware attacks are increasingly targeting sectors and regions previously considered lower-risk. The analysis, which examined incident patterns, threat actor behavior, and security postures, highlights a shifting landscape where attackers exploit weaker defensive baselines and slower adoption of security controls. Ransomware incidents are growing fastest in regions with historically lower attack volumes, driven in part by the expansion of established groups like LockBit. The report underscores that threat actors are drawn to areas with less mature cybersecurity infrastructure, making it harder for organizations to anticipate emerging risks. Industry comparisons show significant variation in defensive strength. While some sectors demonstrate strong security hygiene and fewer vulnerabilities, others exhibit weaker controls—such as exposed remote services, outdated software, and open ports—correlating with higher ransomware activity. Notably, security posture varies widely even within the same industry, meaning sector classification alone is not a reliable predictor of resilience. The public sector emerges as a particularly high-risk target. The report finds that 53% of state and local government offices worldwide fall into a high-risk category for LockBit attacks, placing them among the most exposed groups in the dataset. Many public sector organizations struggle with inconsistent security practices, though some maintain robust defenses. The analysis groups these entities into risk clusters based on exposure and security posture: - 16% exhibit both high exposure and weak security, making them prime targets due to slow patching and visible attack surfaces. - 19% show high exposure but stronger controls, reducing the likelihood of successful ransomware deployment despite remaining attractive targets. - The remaining organizations have lower exposure, where targeted improvements could yield faster risk reduction. The report emphasizes that early indicators—such as rising negative cyber signals, shifting exposure patterns, and threat actor movement—can help forecast future attack trends. Ransomware growth often aligns with unpatched vulnerabilities, expanded attack surfaces, and delayed remediation, reinforcing the need for proactive monitoring and adaptive defenses.