The first half of this year saw a sharp rise in the number of ransomware attacks, with US companies, small and medium-sized businesses (SMBs), and manufacturing firms among the hardest hit.
Between January and June, 4,198 ransomware cases were exposed on the dark web, up 49% from the 2,809 cases recorded in 2024, according to data compiled by NordStellar.
"We're only halfway into the year, but the number of ransomware attacks has already doubled, signifying that these attacks remain effective and profitable enough for cyber criminals to ramp up their efforts," said Vakaris Noreika, a cybersecurity expert at NordStellar.
"Some factors that could contribute to the growth in ransomware attacks include the rise in Ransomware as a Service (RaaS), expanded attack surfaces from remote or hybrid work models and economic uncertainty that could encourage more people to seek illegal income and turn to cybercrime."
US businesses were hit the hardest, accounting for 596 incidents - 49% of all cases - followed by Germany with 84, Canada with 74, the UK with 40, and Spain with 37.
"Not only is the US home to many profitable businesses, but the companies also have a higher profile. As a result, they're more likely to give into ransomware demands to reduce the impact of the reputational damage resulting from an attack", said Noreika.
"Strict regulations are also a significant factor to consider — laws on data protection and operational uptime can urge companies to resolve ransomware incidents quickly and not risk the fines or loss of their clients and partners' trust."
There were 223 recorded cases in the manufacturing industry alone, followed by construction with 97 and the IT industry with 88.
Researchers noted that this is because of challenges enforcing and centralizing security across geographically dispersed locations, as well as a reliance on outdated and unpatched systems.
The top ransomware players of 2025 so far
Meanwhile, organizations with between 51 and 200 employees and with revenues between $5 million and $25 million faced the most ransomware attacks.
This may be due to a reliance on third-party IT providers and a lack of comprehensive cybersecurity measures, the study noted.
Qilin was the busiest ransomware group during the second quarter of this year, with 214 attacks, followed by SafePay - believed to be responsible for an attack on Ingram Micro earlier this month - with 201 incidents, and Akira with 200.
Researchers stressed the importance of cybersecurity training to tackle phishing scams, along with the use of multi-factor authentication (MFA) and strict password management.
"Aside from raising cybersecurity awareness, companies should also build a comprehensive cybersecurity strategy to detect threats before they escalate," said Noreika.
"This includes implementing endpoint protection, monitoring the dark web for potential data leaks, and keeping a close eye on the company's attack surface for unpatched security vulnerabilities."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- The new ransomware groups worrying security researchers in 2025
- Ransomware victims are getting better at haggling with hackers
- A major ransomware hosting provider just got hit US with sanctions
-
MSPs are burned out and overworked as tool sprawl and IT complexity growsNews MSPs are facing an array of challenges, and it’s costing them dearly
-
Upskilling staff is key to mitigating cyber attacks: Here's how a cybersecurity certification can helpISACA's CCOA certification grants access to practical learning opportunities so cybersecurity analysts can grow into their roles and keep their organizations safe
-
Ingram Micro cyber attack: IT distributor says system restoration underway – but some customers might have to wait for a return to normalityNews Ingram Micro is gradually getting back on its feet after a recent cyber attack severely disrupted systems.
-
M&S chair calls for mandatory reporting of cyber attacks after "traumatic" ransomware incident – but will it do more harm than good?News M&S chair Archie Norman has called for mandatory reporting amid claims two large UK companies were hacked without any public knowledge.
-
Arrests made in hunt for hackers behind cyber attacks on M&S and Co-opNews The suspects remain in custody for questioning by officers from the NCA's National Cyber Crime Unit
-
Ransomware attacks carry huge financial impacts – but CISO worries still aren’t stopping firms from paying outNews Increased anxiety over ransomware links directly to its devastating impact on business processes and one’s bottom line
-
‘The worst thing an employee could do’: Workers are covering up cyber attacks for fear of reprisal – here’s why that’s a huge problemNews More than one-third of office workers say they wouldn’t tell their cybersecurity team if they thought they had been the victim of a cyber attack.
-
Developers face a torrent of malware threats as malicious open source packages surge 188%News Researchers have identified more than 16,000 malicious open source packages across popular ecosystems
-
Everything we know about the Ingram Micro cyber attack so farNews A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'News The Hunters International ransomware group is rebranding and switching tactics
