Ransomware Attacks Soar 45%, Crippling Small Businesses & Factories
- 45% Increase: Ransomware attacks surged by 45% in 2025, with 9,251 incidents reported.
- SMBs & Manufacturing Targeted: Small businesses and manufacturers accounted for 19.3% of attacks, with a 32% year-over-year rise in the manufacturing sector.
- Record Monthly High: December 2025 saw 1,004 ransomware incidents, the highest monthly total in two years.
Experts warn that ransomware attacks are becoming more aggressive and sophisticated, particularly targeting small businesses and manufacturers due to their limited cybersecurity resources and higher likelihood of paying ransoms quickly.
Ransomware Attacks Skyrocket 45%, Crippling Small Businesses
NEW YORK, NY – January 28, 2026 – A tidal wave of digital extortion swept across the globe in 2025, with ransomware incidents soaring by a staggering 45%, according to a new report from threat exposure management platform NordStellar. The findings reveal a grim reality for businesses, documenting 9,251 attacks on dark web leak sites, a sharp increase from the 6,395 cases recorded in 2024. The data paints a picture of an increasingly aggressive and sophisticated cybercriminal ecosystem, with small businesses and the manufacturing sector bearing the brunt of the assault.
The surge culminated in a record-breaking end to the year. December 2025 alone saw 1,004 incidents, the highest monthly total in two years, as criminal gangs capitalized on holiday-season security gaps.
"In the last quarter of 2025, ransomware groups deliberately exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring," said Vakaris Noreika, a cybersecurity expert at NordStellar. "However, there has been an upward trajectory the whole year. Ransomware actors are growing increasingly aggressive – given the surge in 2025, the number of ransomware incidents in 2026 is likely to exceed 12,000."
The Vulnerable Underbelly: SMBs and Manufacturing in the Crosshairs
While no organization is immune, the data overwhelmingly shows that cybercriminals are hunting specific prey: small and medium-sized businesses (SMBs) and manufacturers. Companies with up to 200 employees and revenues under $25 million were once again the most frequent victims. This trend is corroborated by broader industry analysis; Verizon's 2025 Data Breach Investigations Report (DBIR) found that a startling 88% of breaches targeting SMBs involved ransomware.
The reason for this focus is a cold, calculated business decision by the attackers. "SMBs are attractive targets for ransomware attacks because they often lack security staff and tools and operate within limited cybersecurity budgets," Noreika explained. "When attacked, they're more likely to pay ransoms quickly to avoid business disruptions, which is why ransomware groups keep targeting them."
The manufacturing industry, in particular, has become a prime hunting ground, accounting for 1,156 incidents, or 19.3% of all attacks in 2025. This represents a 32% increase for the sector year-over-year according to NordStellar, while other security firms like Comparitech reported an even steeper 56% rise in attacks on manufacturers. The pressure on this sector is immense, as any operational downtime can trigger catastrophic financial losses and supply chain disruptions.
"Cybercriminals prioritize choosing targets that offer the biggest payoff for the least amount of effort, and SMBs in the manufacturing industry fit this perfectly," Noreika stated. "They generate enough revenue to pay large ransoms but usually don't have the capacity to implement strong security measures or fast recovery options."
The increasing digitalization of the factory floor, with interconnected machinery and cloud-based operations, has further expanded the attack surface. "Machinery and industrial equipment manufacturers were also heavily targeted – this could be the result of expanded digitalization and remote connectivity in production environments," Noreika added, noting that this interconnectedness raises the risk of lateral compromise through shared networks or third-party vendors.
A Vicious New Breed of Ransomware Gangs
The explosion in attacks is fueled by a burgeoning and highly competitive criminal underworld. The number of active ransomware groups identified by NordStellar grew by 30% in 2025, from 103 to 134. The landscape is dominated by hyper-aggressive players operating within a "Ransomware-as-a-Service" (RaaS) model, where developers lease their malicious software to affiliates in exchange for a cut of the profits.
Leading the pack in 2025 was the Qilin group, which was linked to a staggering 1,066 attacks – a 408% increase from its 2024 activity. It was followed closely by Akira with 947 cases and a resurgent Cl0p leaks with 594. Meanwhile, LockBit, one of 2024's most prolific gangs, saw its activity plummet following successful international law enforcement operations, demonstrating the volatile nature of this ecosystem.
"The changes in the ransomware threat actor landscape reflect how competitive the ransomware-as-a-service world has become," Noreika observed. "Groups like Qilin experienced significant growth because many affiliates joined their operations after other platforms were shut down or became less profitable. Affiliates choose which ransomware to use based on better payment structure, support, the reliability of the tools provided, or reputation of success."
This competitive pressure drives innovation among criminals, who are increasingly weaponizing AI to accelerate intrusions and develop new extortion tactics beyond simple data encryption.
Fortifying the Front Lines Against a Persistent Threat
The United States remains the epicenter of the ransomware crisis, accounting for 3,255 incidents – nearly two-thirds of the global total recorded by NordStellar. It was followed by Canada, Germany, the United Kingdom, and France, highlighting the global scale of the threat.
In response, governments are stepping up their efforts. In the U.S., agencies like the Cybersecurity and Infrastructure Security Agency (CISA) are pushing a #StopRansomware campaign, and new regulations are on the horizon. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), expected to be finalized in 2026, will mandate that critical infrastructure entities report major cyber incidents within 72 hours and any ransom payments within 24 hours.
For businesses on the front lines, experts stress that defense begins with mastering the fundamentals. "The success of end-of-year attacks is concerning – this will likely motivate the ransomware groups to repeat these timing patterns at the end of 2026 as well," warned Noreika.
He advises companies to strengthen their basic security hygiene by consistently updating and patching systems, a critical step given that vulnerability exploitation remains a primary entry point for attackers, as noted in Mandiant's latest M-Trends report. Other essential measures include enforcing strong password policies, implementing multi-factor authentication (MFA), and adopting a zero-trust framework to prevent attackers from moving laterally across a network.
"For early threat prevention and detection, intelligence is key," Noreika emphasized. "An early alert enables organizations to reset passwords, revoke access keys, disable compromised accounts, and support faster incident response."
Ultimately, preparation is the most effective weapon. Having a well-documented and frequently tested incident response plan, along with reliable, offline data backups, can mean the difference between a manageable incident and a catastrophic business failure. As ransomware gangs continue to evolve their tactics and scale their operations, building digital resilience is no longer an option, but an essential cost of doing business in the modern world.
