Ransomware groups listed a record 7,458 victims on dark web leak sites in 2025, representing a significant 30% increase compared to 2024, according to a report by Searchlight Cyber.

This annual data demonstrates a persistent and growing threat, despite a marginal 0.24% decline in victims in the second half of the year compared to the first. Searchlight researchers also tracked 93 active ransomware groups in H2 alone, with 2025 seeing the highest number of brand-new groups emerging on the dark web.

The research also identified a more complex and fragmented landscape, with 124 active groups in total in 2025, more than any previous year recorded. 73 new ransomware groups were identified across 2025, with 38 appearing in the second half of the year alone.

Qilin dominated the landscape as the most prolific group, marking a 420% year-over-year increase in victims. Alongside this was the emergence of ‘supergroups’ formed from high-profile collaborations such as Scattered Lapsus$ Hunters, in which threat actors pool specialised talents to scale operations.

Luke Donovan, head of threat intelligence at Searchlight Cyber, said: “2025 was a record year for ransomware, driven by a professionalised ecosystem that remains devastatingly effective despite increased pressure from global law enforcement.

“While we saw a very slight dip in victim numbers in the second half of the year, this should not be interpreted as a victory. The landscape continues to fragment; large monolithic syndicates are fracturing into smaller, agile cells, and with the number of active groups at an all-time high, the threat landscape has become more complex and difficult to track than ever before.”

---