
Encryptionless Extortion Increasing as Ransomware Groups Shift Strategies
Ransomware attacks continued to climb in 2025 as attackers increasingly timed operations around year-end staffing gaps and shifted away from traditional file encryption, according to a new research study from NordStellar.
The report shows ransomware events increased 45% from the previous year, climbing from 6,395 cases in 2024 to 9,251 in 2025. Activity picked up late in the year, with December accounting for 1,004 events, the highest monthly total recorded over the past two years. Smaller manufacturing organizations were among those most frequently targeted.
“In the final quarter of 2025, ransomware groups exploited end-of-year cybersecurity gaps brought on by lowered staffing and monitoring,” stated Vakaris Noreika, a cybersecurity specialist at NordStellar. “However, the pattern has been upward the whole year.”
Separate analysis from Symantec and Carbon Black’s Threat Hunter Team reported that ransomware actors publicly claimed 4,737 attacks in 2025, slightly more than the 4,701 recorded in 2024. When encryptionless extortion events were included, overall extortion activity rose to 6,182 attacks, a 23% increase year over year.
Manufacturing Sees the Most Pressure
Manufacturing companies experienced more ransomware activity than any other sector in 2025. NordStellar data shows manufacturing represented 19.3% of all ransomware incidents, with 1,156 attacks recorded during the year, a 32% increase from 2024. By contrast, the education sector represented 3.6% of attacks in 2025.
Smaller companies bore the brunt of that activity. Companies with up to 200 employees and annual income of $25 million or less were targeted more often than larger enterprises.
The U.S. continued to account for the majority of ransomware activity, representing 64% of reported cases worldwide. NordStellar tracked 3,255 attacks against U.S.-based companies, up 28% from the previous year. Canada and Germany also saw sharp increases.
“SMBs are appealing targets for ransomware attacks because they often do not have security staff and tools and run within restricted cybersecurity budgets,” Noreika said. “Smaller organizations are also more likely to count on out-of-date software applications, have restricted security tracking, and count on external vendors for IT support.”
Ransomware Groups Reshuffle
Changes in targeting accompanied broader shifts in the ransomware-as-a-service ecosystem. A number of established groups shut down during 2025, while newer operations expanded by absorbing displaced affiliates.
Qilin became the most active ransomware operation, with 1,066 cases, a 408% increase from 2024. Akira followed with 947 cases, up 125% year over year.
RansomHub, which led ransomware activity earlier in the year, went offline in April after internal disagreements. LockBit had already stopped operations following significant disruptions in late 2024.
Symantec identified 134 ransomware groups active in 2025, compared to 103 in 2024, a 30% increase.
Extortion Without Encryption
Attack methods continued to evolve as more groups abandoned file encryption in favor of pure data extortion.
The Snakefly group, which runs Cl0p ransomware, played a prominent role after exploiting zero-day vulnerabilities in enterprise software. In October, the group targeted Oracle E-Business Suite users through a critical vulnerability, CVE-2025-61882. According to Symantec, the vulnerability had been exploited since August.
Researchers also tracked the emergence of Warlock ransomware, which appears to originate from China rather than traditional ransomware strongholds. Warlock was first observed in June 2025 and gained attention the following month after exploiting a zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770.
“The involvement of Chinese espionage actors in ransomware is a growing phenomenon,” Symantec’s report said. “The opponents behind Warlock appear to be a different breed of cybercriminal, where cybercrime is among the group’s core activities and not a sideline.”
Getting ready for 2026
Security researchers say companies should assume ransomware pressure will continue to increase.
“Given the surge in 2025, ransomware events in 2026 are most likely to surpass 12,000,” Noreika said. “Organizations, especially SMBs and those operating in industries where functional downtime is inappropriate, should be on high alert and reassess their preparedness to combat ransomware.”
Security companies continue to recommend basic controls such as regular patching, multifactor authentication, and offline backups to limit disruption when attacks succeed.
The complete report is available on the NordStellar website.