A new GuidePoint Security report shows the growing threat of ransomware attacks, documenting 2025 as the most active year since the cybersecurity firm began its reports. Victims increased by 58% year-over-year, with 2,287 unique victims in Q4 of 2025 alone. The GuidePoint Research and Intelligence Team (GRIT) reported December as the most active month for claimed victims, which rose by 42% year-over-year to 814 attacks. About 145 new victims were listed on dark web data leak sites weekly in 2025. The year ended with 7,515 claimed victims.
Law enforcement has focused its operations on the most active groups. There have been distinct successes, but the number of victims continues to increase. As a result of the law enforcement operations, the ransomware-as-a-service (RaaS) landscape is no longer dominated by one or two major actors and is instead a highly fragmented ecosystem. In 2025, GRIT monitored 124 smaller ransomware groups that conduct many attacks using repeatable operations.
Although ransomware attacks are carried out worldwide, ransomware actors are mainly focused on the U.S., where 55% of attacks happened in 2025. Canada accounted for 4.5% of the attacks. The manufacturing industry was the most targeted (14% of attacks), followed by the technology industry (9%) and the wholesale/retail industry (7%). The healthcare industry took the fourth spot with over 500 victims.
Qilin was 2025’s most active RaaS group, and it targets the healthcare industry. This Eastern Europe-based group appeared in June 2024 and is assumed to be a rebrand of the Agenda ransomware group. Qilin listed 154 victims on its dark web data leak site in 2025 and 890 victims in 2025, now with a total of 1,044 victims. It likely has a large number of affiliates, each with their own specialties and tactics. In 2025, Qilin carried out more attacks than LockBit did when it was most active.
UK pathology lab Synnovis was Qilin’s most notable healthcare victim. Reports say that attack resulted in over $40 million in losses. Qilin is expected to remain the most prominent ransomware group in 2026, which would likely make it a target for law enforcement. The other threat groups that attacked healthcare organizations in 2025 include INC Ransom and SafePay. SafePay attacked Conduent Business Services, which affected 14.7 million individuals in Texas.
The Sinobi ransomware group is new but has carried out a number of attacks on healthcare providers since mid-2025. The group quickly listed 149 victims on its data leak site in Q4 of 2025, which suggests it is probably a rebrand of an emerging RaaS group or a highly skilled affiliate. In 2026, Sinobi is anticipated to pose a substantial threat to the healthcare industry. LockBit likewise came back after the law enforcement disruption in 2024 and listed 106 new victims on its data leak site in December 2025. It is also likely to be a significant threat to the healthcare industry in 2026. Healthcare organizations need to integrate cybersecurity awareness with their HIPAA training to prepare for these threats.
There are indications that ransomware groups are integrating AI into their operations, usually for social engineering: to overcome language limitations, personalize their approaches, and create contextually suitable lures that circumvent traditional detection strategies. They are also believed to have used AI to assess the large amounts of data they steal in their attacks, in order to identify high-value information and decide on the most suitable ransom demands. Although there are concerns over AI-powered attacks, threat actors are still limited to using AI to enhance existing capabilities rather than creating completely autonomous, AI-coded malware, though this may be adopted in 2026.
2026 will probably see a convergence of criminal development and AI capabilities, challenging defenders to adopt equally advanced technologies and intelligence-led strategies. The companies best able to withstand this development will be those that treat quick detection and response, extensive identity and access controls, and AI-powered defenses as important aspects of their security structures rather than experimental upgrades.

