The first half of this year saw a sharp rise in the number of ransomware attacks, with US companies, small and medium-sized businesses (SMBs), and manufacturing firms among the hardest hit.
Between January and June, 4,198 ransomware cases were exposed on the dark web, up 49% from the 2,809 cases recorded in 2024, according to data compiled by NordStellar.
"We're only halfway into the year, but the number of ransomware attacks has already doubled, signifying that these attacks remain effective and profitable enough for cyber criminals to ramp up their efforts," said Vakaris Noreika, a cybersecurity expert at NordStellar.
"Some factors that could contribute to the growth in ransomware attacks include the rise in Ransomware as a Service (RaaS), expanded attack surfaces from remote or hybrid work models and economic uncertainty that could encourage more people to seek illegal income and turn to cybercrime."
US businesses were hit the hardest, accounting for 596 incidents - 49% of all cases - followed by Germany with 84, Canada with 74, the UK with 40, and Spain with 37.
"Not only is the US home to many profitable businesses, but the companies also have a higher profile. As a result, they're more likely to give into ransomware demands to reduce the impact of the reputational damage resulting from an attack", said Noreika.
"Strict regulations are also a significant factor to consider — laws on data protection and operational uptime can urge companies to resolve ransomware incidents quickly and not risk the fines or loss of their clients and partners' trust."
There were 223 recorded cases in the manufacturing industry alone, followed by construction with 97 and the IT industry with 88.
Researchers noted that this is because of challenges enforcing and centralizing security across geographically dispersed locations, as well as a reliance on outdated and unpatched systems.
The top ransomware players of 2025 so far
Meanwhile, organizations with between 51 and 200 employees and with revenues between $5 million and $25 million faced the most ransomware attacks.
This may be due to a reliance on third-party IT providers and a lack of comprehensive cybersecurity measures, the study noted.
Qilin was the busiest ransomware group during the second quarter of this year, with 214 attacks, followed by SafePay - believed to be responsible for an attack on Ingram Micro earlier this month - with 201 incidents, and Akira with 200.
Researchers stressed the importance of cybersecurity training to tackle phishing scams, along with the use of multi-factor authentication (MFA) and strict password management.
"Aside from raising cybersecurity awareness, companies should also build a comprehensive cybersecurity strategy to detect threats before they escalate," said Noreika.
"This includes implementing endpoint protection, monitoring the dark web for potential data leaks, and keeping a close eye on the company's attack surface for unpatched security vulnerabilities."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- The new ransomware groups worrying security researchers in 2025
- Ransomware victims are getting better at haggling with hackers
- A major ransomware hosting provider just got hit US with sanctions
-
Google CEO Sundar Pichai says vibe coding has made software development ‘exciting again’News Google CEO Sundar Pichai claims software development has become “exciting again” since the rise of vibe coding, but some devs are still on the fence about using AI to code.
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
15-year-old revealed as key player in Scattered LAPSUS$ Hunters
News 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
