All Statistics
In 2025, 70.4% of ransomware attacks, totaling 3,310 incidents, were distributed across other regions.
In 2025, five countries accounted for 1,391 ransomware events, representing nearly 30% of all recorded ransomware attacks.
In 2025, Germany experienced 102 ransomware incidents, representing 2.2% of all attacks.
In 2025, 50% of all ransomware attacks are projected to target critical infrastructure, highlighting the urgent need for enhanced cyber resilience strategies.
Manufacturing has been the #1 targeted industry for ransomware attacks for four consecutive years, according to the IBM X-Force 2025 Threat Intelligence Index.
In 2025, 5.9% of ransomware attacks were attributed to Qilin, 5.9% to Clop, 5.0% to Akira, 2.9% to Play, and 2.7% to SafePay.
Between January and September 2025, KELA observed 4,701 ransomware incidents, representing a 34% year-over-year increase compared to the same period in 2024.
In 2025, ransomware events against critical industries increased by 34% compared to the previous year.
The top five ransomware groups — Qilin, Clop, Akira, Play, and SafePay — were responsible for 938 incidents, accounting for nearly 25% of all ransomware attacks in 2025.
In 2025, there were 103 distinct ransomware threat actors observed targeting critical infrastructure.
Out of 103 active ransomware groups, five groups accounted for nearly 25% of global ransomware incidents.
In 2025, 2,332 ransomware incidents targeted critical infrastructure, accounting for 50% of all incidents, compared to 1,745 incidents, which accounted for 54%, in 2024.
Qilin was responsible for 248 incidents, Clop for 246 incidents, Akira for 209 incidents, Play for 120 incidents, and SafePay for 115 incidents in 2025.
From January 1 to September 1, 2025, there were 4,701 recorded ransomware incidents, with 2,332 incidents (50%) targeting critical sectors such as manufacturing, healthcare, energy, transportation, and financial services.
From January 1 to September 1, 2024, there were 3,219 total recorded ransomware incidents, with 1,745 incidents (54%) targeting critical sectors.
Ransomware attacks against the manufacturing sector surged from 520 incidents in 2024 to 838 incidents in 2025, marking a 61% increase.
In 2025, Italy experienced 74 ransomware incidents, representing 1.6% of all attacks.
In 2025, 77.7% of ransomware attacks were attributed to other actors outside the top five groups.
In 2025, the United States experienced 21.3% of all ransomware attacks, totaling approximately 1,000 incidents.
In 2025, Canada experienced 139 ransomware incidents, accounting for 3.0% of all attacks.
In 2025, half of all ransomware attacks worldwide targeted essential sectors such as manufacturing, healthcare, energy, transportation, and finance, indicating a shift from opportunistic crime to systemic disruption.
Ransomware attacks in the manufacturing sector surged by 61% from 520 incidents to 838 incidents year-over-year, marking the steepest growth among all sectors.
In 2025, the United States accounted for roughly 1,000 ransomware incidents targeting critical infrastructure, representing 21% of all global ransomware attacks.
In 2025, the United Kingdom experienced 76 ransomware incidents, accounting for 1.6% of all attacks.
Both infostealer infections and compromised credentials are on track to surpass 2024 figures, which saw over 4.3 million machines infected with approximately 330 million compromised credentials. This indicates a 24% increase YoY in these areas.
3,662 ransomware victims were tracked globally by KELA in the first half of 2025. This represents a 54% increase year-over-year (YoY) compared to the first half of 2024, as KELA tracked a total of 5,230 victims in all of 2024.
The United States accounted for over half of all ransomware victims in H1 2025.
Clop ransomware experienced a 2,300% increase in victim claims, which was driven by the exploitation of a vulnerability in Cleo software.
2.67 million machines were infected by infostealer malware in H1 2025. This led to more than 204 million compromised credentials being observed.
Credentials for victims of the Play, Akira, and Rhysida ransomware groups were found on cybercrime marketplaces between 5 and 95 days prior to the reported attack.
Among the roles most vulnerable to credential theft, 28% were in Project Management, followed by Consulting (12%) and Software Development (10.7%).
Infostealer activity has surged by 266% in recent years.
The average time between credentials being found and the reported ransomware attack was 2.5 weeks.
There was a 52% increase in discussions related to jailbreaking methods on cybercrime forums in 2024 compared to the previous year.
KELA's platform recorded a 200% increase in mentions of malicious AI tools and tactics in 2024.
KELA found a 200% surge in cybercriminals seeking AI to launch attacks.
Over 330 million compromised credentials were linked to infostealer malware.
The top three infostealer malware strains (Lumma, StealC, and RedLine) were responsible for over 75% of infected machines.
3.9 billion credentials were shared in the form of credentials lists (ULP files).
Over 200 new hacktivist groups emerged, conducting more than 3,500 distributed denial-of-service (DDoS) attacks.