Halcyon A.I CyberSecurity Scoring
Halcyon
Company Information
Website: http://www.halcyon.ai
Employees number: 453
Number of followers: 23,996
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: halcyon.ai
Halcyon Risk Score (AI oriented)
Between 0 and 549
Halcyon, Computer and Network Security
Updated: 18/06/2026
496/1000
Critical (C)
Halcyon Global Score (TPRM)
Halcyon, Computer and Network Security
Score locked
Current Score: 496 C (Critical), on a 0 to 1000 scale
3 incidents
-147 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 561
MAY 2026: 556
APRIL 2026: 553
MARCH 2026: 544
FEBRUARY 2026: 542
JANUARY 2026: 678
Ransomware
01 Jan 2026 • Halcyon
Hong Kong precision components supplier and Italian maritime port authority: Ransomware Groups Surge In Q4 2025 – Cyble Insights
Score: 531 · Critical (-147) · Incident ID: CYBITA1770216378
Ransomware Attacks Surge 30% in Q4 2025, Targeting Critical Sectors and Supply Chains
Ransomware activity has spiked sharply, with attacks increasing by 30% in the last four months of 2025 compared to the first nine months of the year. Cybersecurity firm Cyble recorded 2,018 claimed attacks in Q4 2025, averaging 673 victims per month, while January 2026 saw 679 attacks, maintaining the elevated pace.
### Key Trends and Threat Actors
- Qilin led all ransomware groups in January with 115 attacks, followed by Akira (76), Sinobi, and The Gentlemen.
- CL0P resurfaced in late 2025, claiming victims in Australia, the U.S., and the UK, including 11 Australian companies across IT, finance, healthcare, and construction.
- The U.S. remained the most targeted country, accounting for nearly half of all attacks, while the UK and Australia saw heightened activity due to CL0P’s campaign.
### Targeted Sectors
Ransomware groups continued to focus on construction, professional services, and manufacturing, likely due to vulnerabilities in their environments. IT firms also faced frequent attacks, given their access to downstream customer networks.
### Notable January 2026 Attacks
- Everest breached a U.S. telecom equipment manufacturer, exfiltrating 11 GB of data, including engineering schematics, PCB layouts, and 3D designs.
- Qilin compromised a U.S. airport authority, exposing financial documents, telehealth reports, and internal emails.
- Sinobi claimed a breach of an India-based IT services firm, stealing 150 GB of data, including contracts, financial records, and customer data.
- Rhysida sold stolen data from a U.S. biotech instrumentation company, including engineering blueprints and NDAs.
- RansomHouse targeted a China-based electronics manufacturer, leaking CAD models, PCB designs, and proprietary production data.
- INC Ransom breached a Hong Kong precision components supplier, exfiltrating 200 GB of data linked to global tech and automotive brands.
- Nitrogen leaked 71 GB of data from a U.S. automotive components firm, including CAD drawings and financial records.
- Anubis compromised an Italian maritime port authority, exposing operational data, safety reports, and infrastructure layouts.
### Emerging Ransomware Groups
- Green Blood launched a new operation, encrypting files with the “.tgbg” extension and targeting victims in India, Senegal, and Colombia.
- DataKeeper introduced a RaaS model with hybrid encryption (RSA-4096), in-memory execution, and TOR-based payment links.
- MonoLock debuted a Linux-compatible RaaS using Beacon Object Files (BoF) for stealthy execution, avoiding public leak sites to reduce law enforcement exposure.
The sustained rise in ransomware attacks, coupled with the emergence of new threat groups, underscores the evolving tactics of cybercriminals targeting critical infrastructure, supply chains, and high-value industries.
DECEMBER 2025: 678
NOVEMBER 2025: 677
OCTOBER 2025: 675
SEPTEMBER 2025: 673
AUGUST 2025: 672
JULY 2025: 670
JUNE 2024: 754
Ransomware
16 Jun 2024 • Halcyon
Qilin, CL0P, Salesforce, Sinobi and Play: Ransomware and Supply Chain Attacks Set Records in 2025
Ransomware and Supply Chain Attacks Surge in 2025
Score: 644 · Critical (-110) · Incident ID: QILCYBSALHALPLA1768955694
Ransomware and Supply Chain Attacks Hit Record Highs in 2025, Signaling Escalating Threats
2025 marked a sharp escalation in cyber threats, with ransomware and supply chain attacks reaching unprecedented levels, according to a new report from threat intelligence firm Cyble. The year saw 6,604 ransomware attacks, a 52% increase over 2024, with December alone recording 731 incidents, the second-highest monthly total of the year. Meanwhile, supply chain attacks surged by 93%, rising from 154 in 2024 to 297 in 2025, as threat actors increasingly exploited third-party vulnerabilities to maximize impact.
### Ransomware Groups Adapt and Expand
Ransomware operations remained decentralized and resilient, with affiliates quickly regrouping under new leaders following law enforcement disruptions. Qilin emerged as the dominant group in 2025, claiming 17% of all ransomware victims after RansomHub’s decline, which was likely due to sabotage by rival group Dragonforce. Other top players included Akira, CL0P, Play, and the newcomer Sinobi, with only Akira and Play maintaining their positions from 2024.
Cyble documented 57 new ransomware groups, 27 extortion groups, and over 350 new ransomware strains in 2025, many derived from MedusaLocker, Chaos, and Makop families. Among the most aggressive new groups, Devman, Sinobi, Warlock, and Gunra disproportionately targeted critical infrastructure, particularly in government, law enforcement, energy, and utilities.
### Supply Chain Attacks Evolve in Sophistication
Supply chain attacks not only doubled but also grew in complexity, moving beyond traditional software package poisoning to exploit cloud integrations, SaaS trust relationships, and vendor distribution pipelines. Attackers increasingly abused upstream services such as identity providers and package registries to compromise downstream environments at scale.
A notable example involved attacks on Salesforce via third-party integrations, where threat actors weaponized OAuth-based trust relationships after compromising third-party tokens. Every industry tracked by Cyble was affected, but IT and technology sectors bore the brunt, given their potential to amplify attacks across customer networks.
### Geographic and Industry Targeting
The U.S. remained the most targeted nation, accounting for 55% of all ransomware attacks, followed by Canada, Germany, the UK, Italy, and France. By industry, construction, professional services, and manufacturing were the hardest hit, with healthcare and IT also facing significant threats.
As 2026 begins, the trends suggest no immediate slowdown, with ransomware and supply chain attacks continuing to evolve in both scale and sophistication.
JANUARY 2022: 754
Ransomware
01 Jan 2022 • Halcyon
Veeam, Gartner, Halcyon and Total Assure: Why Ransomware Deletes Your Backups Before You Know You've Been Hit
Score: 644 · Critical (-110) · Incident ID: VEEGARTOTHAL1781807154
Ransomware Operators Systematically Neutralize Backups Before Striking
A growing trend in ransomware attacks reveals a calculated strategy: threat actors now prioritize disabling backup infrastructure before deploying encryption, ensuring victims have no recovery options. This tactic, documented by MITRE ATT&CK as T1490 (Inhibit System Recovery), is now standard procedure for major ransomware groups.
According to Veeam’s 2024 Ransomware Trends Report, attackers targeted backup repositories in 96% of incidents, succeeding in 76% of cases. The method relies on a prolonged dwell period, averaging 70+ days, during which adversaries map networks, harvest domain admin credentials, and methodically dismantle recovery mechanisms. By the time the ransom note appears, backups are often already purged, retention policies altered, or immutable storage rendered ineffective.
The destruction process is systematic:
- Mapping backup repositories and retention policies.
- Manipulating retention settings to trigger automatic deletion of prior backups.
- Abusing time synchronization to bypass immutable locks.
- Terminating backup services before encryption begins.
Even security measures like immutable storage, quorum controls, and air-gapped vaults fail when attackers operate with legitimate admin credentials. For example, immutable storage protects data blocks but not the management plane: attackers can simply shorten retention policies to hours, letting automated purges erase backups. Similarly, quorum controls are bypassed during maintenance windows or by compromising multiple privileged accounts.
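The four-step destruction sequence above is detectable from the backup platform's own audit trail, because each step leaves a management-plane event before any file is encrypted. The following is an added, defender-side example, not code from the article, from Halcyon, or from any backup vendor: a small Python detector that classifies audit events into the T1490 sub-behaviours named above (retention shortened, clock tampering, backup service stopped) and raises a finding when one privileged account performs two or more of them within a 24-hour window. The `timestamp|actor|action|detail` line format, the action names, the field names and the log lines themselves are constructed assumptions for illustration, not any product's real audit format.

```python
"""Detect the backup-neutralization pattern (MITRE ATT&CK T1490) in audit events.

Constructed example: the event format and sample lines below are invented for
illustration and do not correspond to any real backup product's audit log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample audit trail. One normal backup run, then one account
# shortening retention, jumping the clock forward 30 days, and stopping the
# backup service; a second account makes a benign retention *increase*.
SAMPLE_LOG = """\
2026-01-03T01:12:04Z|svc_backup|backup_job_completed|repo=vault01
2026-01-05T02:40:17Z|jdoe|retention_policy_changed|repo=vault01 old_days=30 new_days=0
2026-01-05T02:41:02Z|jdoe|system_time_changed|host=backup01 delta_hours=+720
2026-01-05T02:45:30Z|jdoe|backup_service_stopped|host=backup01
2026-01-05T03:10:00Z|alice|retention_policy_changed|repo=vault02 old_days=30 new_days=60
"""


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    detail: Dict[str, str]


def parse_events(text: str) -> List[Event]:
    """Parse 'timestamp|actor|action|key=value ...' lines (constructed format)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, detail = line.split("|", 3)
        kv = dict(item.split("=", 1) for item in detail.split())
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, kv))
    return events


def classify(ev: Event) -> Optional[str]:
    """Map an event to one of the T1490 sub-behaviours, or None if benign."""
    if ev.action == "retention_policy_changed":
        old, new = int(ev.detail["old_days"]), int(ev.detail["new_days"])
        # Only a shortening matters: it lets the scheduled purge delete prior backups.
        return "retention_shortened" if new < old else None
    if ev.action == "system_time_changed":
        # A large clock jump can make time-based immutability locks expire early.
        return "clock_tampering" if abs(int(ev.detail["delta_hours"])) >= 24 else None
    if ev.action == "backup_service_stopped":
        return "backup_service_stopped"
    return None


def detect(text: str, window_hours: int = 24, min_categories: int = 2) -> List[dict]:
    """Return one finding per actor whose suspicious events span >= min_categories
    distinct sub-behaviours inside a sliding window of window_hours."""
    events = sorted(parse_events(text), key=lambda e: e.ts)
    window = timedelta(hours=window_hours)
    per_actor: Dict[str, List[Tuple[datetime, str]]] = {}
    for ev in events:
        cat = classify(ev)
        if cat:
            per_actor.setdefault(ev.actor, []).append((ev.ts, cat))

    findings: List[dict] = []
    for actor, hits in per_actor.items():
        for i, (start, _) in enumerate(hits):
            cluster = [(t, c) for t, c in hits[i:] if t - start <= window]
            cats = {c for _, c in cluster}
            if len(cats) >= min_categories:
                findings.append({"actor": actor, "categories": cats,
                                 "first": cluster[0][0], "last": cluster[-1][0]})
                break  # one finding per actor is enough to raise the alert
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"ALERT {f['actor']}: {sorted(f['categories'])} "
              f"between {f['first']} and {f['last']}")
```

The point of correlating across categories rather than alerting on each event is that retention changes and service restarts are routine on their own; the combination, by one account, in a short window, is what distinguishes the pre-encryption neutralization the article describes from normal administration. Feeding it real events would mean replacing `parse_events` with a reader for the platform's actual audit export.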
The result is a 22-day average recovery time (per Gartner), extending to 38 days for enterprises (Total Assure). Recovery efforts don’t begin with data restoration but with containment, forensic preservation, and validating clean restore points, a process complicated by the need to rebuild identity infrastructure (Active Directory, domain controllers) first. Every credential active during the attack must be rotated, adding days or weeks before business systems can resume.
Some organizations are adopting alternative recovery methods that don’t rely on backups. Solutions like Halcyon target three layers of the attack chain:
1. File resilience: Intercepting encryption in real time before files are written to disk.
2. Lateral movement prevention: Limiting the spread of encryption to additional systems.
3. Key capture: Extracting cryptographic keys at execution to enable direct decryption, bypassing the need for backups.
The disconnect between preparedness and reality is stark: Halcyon’s survey of 100 security leaders found most organizations believed their backups were secure until they weren’t. With attackers now dedicating weeks to neutralizing recovery options, traditional defenses are proving insufficient.
Frequently Asked Questions
- What is the current A.I Rankiteo Cyber Score for Halcyon?
- What was Halcyon's A.I Rankiteo Cyber Score in May 2026?
- What was Halcyon's A.I Rankiteo Cyber Score in April 2026?
- What was Halcyon's A.I Rankiteo Cyber Score in March 2026?
- What was Halcyon's A.I Rankiteo Cyber Score in February 2026?
- What was Halcyon's A.I Rankiteo Cyber Score in January 2026?
- What was Halcyon's A.I Rankiteo Cyber Score in December 2025?
- What was Halcyon's A.I Rankiteo Cyber Score in November 2025?
- What was Halcyon's A.I Rankiteo Cyber Score in October 2025?
- What was Halcyon's A.I Rankiteo Cyber Score in September 2025?
- What was Halcyon's A.I Rankiteo Cyber Score in August 2025?
- What was Halcyon's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on Halcyon's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with Halcyon?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view Halcyon's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?