January 9, 2026 Ransomware attacks kept rising through 2025 despite high-profile police takedowns, undermining hopes that the threat was finally on the decline, according to a new report from Emsisoft. In its 2025 State of Ransomware in the US report, Emsisoft reveals that trackers monitoring ransomware leak sites logged more than 8,000 claimed victims worldwide in 2025, an increase of over 50% compared with 2023.
Those figures are based on postings to so-called shaming sites such as Ransomware.live and RansomLook.io. This means they only capture cases where attackers publicly named their victims. Emsisoft notes that many organizations likely paid ransoms, restored systems, or stayed silent without ever appearing on a leak site.
The report also shows that the ransomware ecosystem is becoming more crowded and fragmented. The number of active ransomware groups has grown from a few dozen in 2023 to well into the hundreds by the end of 2025. Rather than a small number of dominant brands, the landscape is now made up of many smaller crews that appear, vanish and re-emerge under new names as affiliates shift between operations.
That churn helps explain why major takedowns have not produced a lasting drop in attacks. Disrupting a group’s infrastructure may shut down one operation, but the people behind it often resurface quickly or join another crew.
Even so, a familiar set of ransomware brands continued to dominate leak sites last year. Groups such as Qilin, Akira, Cl0p and Play appeared repeatedly, although Emsisoft cautions against reading those figures as a definitive ranking. Some gangs are far more aggressive about naming and shaming victims than others, which can skew the apparent totals.
The report also highlights a shift in how many ransomware intrusions begin. While software vulnerabilities and exposed services remain important, attackers are increasingly relying on phishing, stolen credentials and other forms of social engineering to gain initial access. Crews linked to Scattered Lapsus$ Hunters, for example, favor tactics that bypass perimeter defenses entirely by targeting people rather than systems.
Emsisoft threat intelligence analyst Luke Connolly said the constant reshuffling of affiliates and the growing reliance on social engineering are key reasons ransomware remains resilient.
“As long as affiliates remain plentiful and social engineering remains effective, victim counts are likely to continue rising,” he said.
The findings suggest that progress against ransomware will remain uneven. While law enforcement actions can disrupt individual groups, the underlying business model, built on reusable skills, interchangeable branding, and human-focused attack methods, continues to sustain growth across the broader ecosystem.
