Ransomware Attacks on Organizations Jump 213% in Q1 2025

Ransomware continues to dominate the cybersecurity threat landscape in 2025, with Q1 marking a dramatic 213% year-over-year surge in victim disclosures.

According to Optiv’s Global Threat Intelligence Center (gTIC) Report, a staggering 2,314 ransomware victims were listed on 74 distinct data leak sites in the first quarter, up from 1,086 in Q1 2024.

This escalation also coincided with a 32% rise in ransomware variants, surging to 74 from 56 the previous year.

Alongside the sheer increase in numbers, a notable shift has occurred in the threat actor hierarchy, with Cl0p, RansomHub, and Akira surpassing LockBit in terms of impact and visibility.

Rapid Evolution in Tactics

The 2025 landscape is defined not only by increased attack volumes but also by significant tactical evolution and organizational shifts among ransomware operators.

Cl0p, in particular, showed a dramatic upsurge, with a 1400% increase in activity largely attributed to exploitation of zero-day vulnerabilities in Cleo managed file transfer (MFT) solutions (CVE-2024-50623, CVE-2024-55956).

In February alone, Cl0p listed 389 victims, eclipsing its entire 2024 tally of 26. The retail sector bore the brunt of these attacks, aligning with Cl0p’s strategic focus on high-value, downtime-sensitive industries.

RansomHub, which operates as a ransomware-as-a-service (RaaS) and employs double extortion, remained highly active until going dark at the end of March 2025, prompting speculation about a potential rebrand.

The expanding threat landscape has also seen the emergence of new operations such as VanHelsing and Babuk2, the latter of which has raised concerns by employing deceptive social engineering rather than direct ransomware deployment.

Figure: Babuk2’s data leak site

Every vertical tracked saw an increase in ransomware incidents, with industrials, consumer cyclicals, and technology being the most targeted sectors.

Consumer cyclicals and technology both faced more than triple the number of attacks compared to the previous year.

North America continues to be the most affected region, though all global geographies experienced significant increases.

Attackers relied on established initial access vectors, including phishing, vulnerability exploitation, and abuse of exposed remote desktop protocols, firewalls, and VPN clients.

Once inside, adversaries leveraged vulnerabilities in high-value infrastructure targets like VMware ESXi, Microsoft Exchange, Zoho ManageEngine, and NAS devices.

The abuse of commonly available remote management and file transfer tools such as Atera RMM, AnyDesk, SplashTop, FreeFileSync, Progress MOVEit, Cleo MFT, and Fortra GoAnywhere remains a constant.

Figure: VanHelsing ransomware ransom note

Sustained Profitability Driving Ongoing Threat

Despite increased government scrutiny, law enforcement operations, and the occasional disruption of actor infrastructure, industry experts at Optiv see little incentive for ransomware groups to cease their campaigns.

The proliferation of RaaS offerings, the adoption of double extortion techniques, and increasingly fluid affiliations among ransomware operators are likely to drive further splintering of groups, rebranding, and the rise of new threat actors throughout 2025.

The continued willingness of victims to pay extortion demands ensures that ransomware remains a lucrative criminal enterprise.

Social engineering, particularly phishing, and the exploitation of high-profile vulnerabilities in file transfer products are expected to remain primary tools for initial access.

Furthermore, state-sponsored advanced persistent threat (APT) groups are predicted to deepen their involvement in ransomware operations for financial gain and as part of broader sabotage efforts, targeting sectors such as healthcare, transportation, and energy.

Analysts at Optiv’s gTIC project with high confidence that ransomware’s prevalence will persist through the coming year, with the threat landscape continuing to evolve rapidly through the adoption of new tactics, tooling, and organizational strategies.

As cybercriminals innovate and collaborate, organizations must remain vigilant and adapt their defenses to counter the increasing scale and sophistication of ransomware campaigns.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
