Encryptionless Extortion on the Rise as Ransomware Groups Shift Tactics

Ransomware attacks continued to climb in 2025 as attackers increasingly timed operations around year-end staffing gaps and shifted away from traditional file encryption, according to new research from NordStellar.

The report shows ransomware incidents increased 45% from the previous year, climbing from 6,395 cases in 2024 to 9,251 in 2025. Activity picked up late in the year, with December accounting for 1,004 incidents, the highest monthly total recorded over the past two years. Smaller manufacturing organizations were among those most frequently targeted.

"In the final quarter of 2025, ransomware groups exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring," said Vakaris Noreika, a cybersecurity expert at NordStellar. "However, the trend has been upward the whole year."

Separate analysis from Symantec and Carbon Black's Threat Hunter Team reported that ransomware actors publicly claimed 4,737 attacks in 2025, slightly higher than the 4,701 recorded in 2024. When encryptionless extortion incidents were included, total extortion activity rose to 6,182 attacks, a 23% increase year over year.

Manufacturing Sees the Most Pressure

Manufacturing organizations experienced more ransomware activity than any other sector in 2025. NordStellar data shows manufacturing accounted for 19.3% of all ransomware incidents, with 1,156 attacks recorded during the year, a 32% increase from 2024. In contrast, the education sector accounted for 3.6% of attacks in 2025.

Smaller firms bore the brunt of that activity. Companies with up to 200 employees and annual revenue of $25 million or less were targeted more often than larger enterprises.

The U.S. continued to account for the majority of ransomware activity, representing 64% of reported cases worldwide. NordStellar tracked 3,255 attacks against U.S.-based organizations, up 28% from the prior year. Canada and Germany also saw sharp increases.

"SMBs are attractive targets for ransomware attacks because they often lack security staff and tools and operate within limited cybersecurity budgets," Noreika said. "Smaller organizations are also more likely to rely on outdated software, have limited security monitoring, and rely on external vendors for IT support."

Ransomware Groups Reshuffle

Changes in targeting coincided with broader shifts in the ransomware-as-a-service ecosystem. Several established groups shut down during 2025, while newer operations expanded by absorbing displaced affiliates.

Qilin emerged as the most active ransomware operation, with 1,066 cases, a 408% increase from 2024. Akira followed with 947 cases, up 125% year over year.

RansomHub, which led ransomware activity earlier in the year, went offline in April after internal disagreements. LockBit had already ceased operations following major disruptions in late 2024.

Symantec identified 134 ransomware groups active in 2025, compared to 103 in 2024, a 30% increase.

Extortion Without Encryption

Attack techniques continued to evolve as more groups abandoned file encryption in favor of pure data extortion.

The Snakefly group, which operates Cl0p ransomware, played a prominent role after exploiting zero-day vulnerabilities in enterprise software. In October, the group targeted Oracle E-Business Suite users through a critical vulnerability, CVE-2025-61882. According to Symantec, the vulnerability had been exploited since August.

Researchers also tracked the emergence of Warlock ransomware, which appears to originate from China rather than traditional ransomware strongholds. Warlock was first observed in June 2025 and gained attention the following month after exploiting a zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770.

"The involvement of Chinese espionage actors in ransomware is a growing phenomenon," Symantec's report said. "The attackers behind Warlock appear to be a different breed of cybercriminal, where cybercrime is one of the group's core activities and not a sideline."

Preparing for 2026

Security researchers say organizations should assume ransomware pressure will continue to rise.

"Given the surge in 2025, ransomware incidents in 2026 are likely to exceed 12,000," Noreika said. "Businesses, especially SMBs and those operating in industries where operational downtime is unacceptable, should be on high alert and reassess their preparedness to combat ransomware."

Security firms continue to recommend basic controls such as regular patching, multifactor authentication, and offline backups to limit disruption when attacks succeed.

The full report is available on the NordStellar site.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
