The number of ransomware groups rockets as new, smaller players emerge
The good news is that the number of victims remains steady
The number of active ransomware groups has reached a record high, with new, smaller groups sliding under the radar.
In its latest quarterly Ransomware & Cyber Threat Report, GuidePoint's research and intelligence team said they'd seen a 57% increase in the number of ransomware groups, rising from 49 in the third quarter of 2024 to an all-time high of 77 now.
The number of victims, though, has remained relatively steady, stabilizing at around 1,500-1,600 per quarter since the last quarter of last year.
More than half of victims this quarter – 56% – were based in the US. No other country came anywhere close, with Germany second at 5% and the UK third at 4%.
The most-hit industries were manufacturing, technology, and the legal sector, with 252 publicly claimed manufacturing attacks during the second quarter, up 26% quarter-over-quarter.
"Ransomware activity has settled into a new normal, averaging 1,500 to 1,600 victims per quarter since late 2024," said Nick Hyatt, senior threat intelligence analyst at GuidePoint Security.
"Yet while overall activity has stabilized, the number of distinct ransomware groups has surged to a record 77 – highlighting both the consolidation of skilled operators within major RaaS (ransomware as a service) platforms and the ongoing churn of emerging or lower-skill actors entering the ecosystem."
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
The Qilin ransomware group was particularly busy. Its activity surged 318% year-over-year, claiming 234 victims this quarter; Akira was next, with 130 victims, the team said.
IncRansom, which first emerged in August 2023, showed a sudden surge in activity during the third quarter, making them the third most active group. The team said it's not clear whether IncRansom will keep this level of activity up.
SafePay, meanwhile, is an insular ransomware group that first appeared in late 2024, but that now claims a total count of 258 victims across 29 distinct industries and 30 countries for the year to date.
And while the research looked at the number of claimed victims from established groups, the team said they'd also seen, anecdotally, an increase in attacks that couldn't be attributed to any known group, or where the threat actors even outright refused to identify themselves.
"This can plausibly be the result of growing distrust in the RaaS construct, reduced barriers to entry for aspiring cybercriminals, or splintering of existing groups resulting in outcast affiliates forced to find a new home," they said.
"In the months and quarters ahead, we will specifically be looking to determine the timelines, efficacy, and victim outputs of such groups to aid in our ongoing analysis and determinations."
And, said Hyatt, the growing diversity of ransomware groups is creating new challenges for defenders.
"While established actors like Qilin and Akira are streamlining their operations, newer groups such as SafePay demonstrate how even small, insular actors can thrive by staying under the radar," he said.
"This 'new normal' isn't a reason for complacency – it underscores the need for sustained vigilance in an increasingly fragmented threat landscape."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recoveryNews Few manage to recover all their data, and many experience business disruption