SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Ransomware hits record high as Qilin tops threat list

Sat, 17th Jan 2026

GuidePoint Security has reported a sharp rise in ransomware activity, with victim counts and the number of active threat groups reaching record levels during 2025.

The company's GuidePoint Research and Intelligence Team, known as GRIT, said its annual ransomware and cyber threat report recorded a 58% year-on-year increase in ransomware victims. The findings draw on public sources, vendor research, internal incident response case data and open-source intelligence from illicit forums and marketplaces.

GRIT said ransomware victim numbers reached a new high in the final quarter of 2025. The team recorded 2,287 ransomware victims posted in that quarter. It described that as the largest number recorded in a single quarter since the report began.

Group numbers

The report also described a more crowded threat landscape. GRIT counted 124 distinct ransomware groups active in 2025. It said that figure was the highest in its records and represented a 46% year-on-year increase.

Jason Baker, Lead Threat Analyst at GuidePoint Security, linked the activity levels to changes in the ransomware-as-a-service ecosystem and the way groups operate after disruptions.

"The GRIT 2026 Ransomware & Cyber Threat Report shows the most active year for ransomware we've ever recorded, revealing a 58% year-over-year increase in ransomware victims," said Jason Baker, Lead Threat Analyst at GuidePoint Security. "While law enforcement disruptions have reshaped the Ransomware-as-a-Service (RaaS) ecosystem, group fragmentation is driving new patterns of high-volume, repeatable operations, pushing overall activity to record-breaking levels. The rise of Qilin as the most active group we've ever tracked - surpassing even LockBit at its peak - underscores how the ecosystem is evolving. For organizations, well-resourced defenders, proactive vulnerability management and real-time threat intelligence will be critical for mitigating risk in the year ahead."

US focus

GRIT said the United States remained the top geographic target for ransomware attacks in 2025. More than half, or 55%, of ransomware victims were based in the US, according to the report.

The report highlighted a shift among leading ransomware groups. GRIT said a new ransomware-as-a-service leader had emerged and pointed to Qilin as the most active group it observed during 2025. The firm said Qilin's activity levels ranked higher than any other group it had tracked previously.

GRIT framed that shift as part of broader changes in the ecosystem. The report described fragmentation among groups and a pattern of repeatable operations. It said those changes increased overall volume even as international operations disrupted elements of the ransomware supply chain.

Industry impact

The report also ranked industries by share of attacks. GRIT said Manufacturing accounted for 14% of attacks, which made it the most heavily impacted sector in its dataset. Technology followed with 9%, and Retail and Wholesale accounted for 7%.

GRIT also said recent activity suggested that elevated levels would continue into 2026. It described December 2025 as the most active month on record for claimed ransomware victims, with 814 successful attacks. GRIT said that represented a 42% year-on-year increase.

Baker said coordinated international action had affected how ransomware groups operate. He described pressure on infrastructure and services that groups rely on.

"International law enforcement operations throughout 2025 applied sustained pressure across the ransomware ecosystem, disrupting core services that many groups rely on to operate," said Baker. "While threat actors continue to adapt, these coordinated actions are raising the cost of doing business for ransomware operators and reinforcing the importance of collective, cross-border efforts in shaping a more resilient security landscape."

Methods and tools

Beyond volume and group changes, the report outlined several themes that feature in current investigations and threat research. It explored the use of AI in ransomware attacks. It also examined the impact of zero-day vulnerabilities in ransomware incidents.

GRIT also stated that it had conducted a detailed review of key operators throughout the year. The report included an analysis of ransomware payments made to the Qilin and Akira groups.

GuidePoint Security operates as a cybersecurity services provider and adviser. The company said its work spans incident response and security programmes for thousands of organisations across various industries, including US government agencies. GRIT noted it expects high levels of ransomware activity to persist through 2026.