IT Brief Australia - Technology news for CIOs & IT decision-makers

AI-driven ransomware attacks surge, most go unreported

Fri, 13th Feb 2026

Ransomware attacks rose sharply in 2025, with publicly disclosed incidents up 49% year on year to a record 1,174 cases, according to BlackFog's latest State of Ransomware report.

The analysis also points to substantial ransomware activity that never reaches official disclosures or public reporting. Based on victims named by ransomware groups on dark web leak sites, BlackFog recorded a 37% increase in undisclosed attacks from 2024 to 2025.

Undisclosed activity

The report puts the number of victims announced on leak sites at 7,079 in 2025. Comparing publicly disclosed incidents with victims listed by attackers, it estimates that around 86% of ransomware attacks are never publicly reported.

Public incidents reached their highest level in BlackFog's dataset, continuing a steep rise since the start of the decade. The 1,174 publicly disclosed incidents in 2025 were almost four times higher than in 2020.

Group landscape

Ransomware activity in 2025 came from a broad set of operators. The report counted 130 ransomware groups carrying out attacks during the year, including established names and new entrants.

It also recorded 52 new groups in 2025, a 9% increase compared with 2024. The report frames this churn as evidence of how quickly the ecosystem reorganises as groups rebrand, split, or adopt new tooling and affiliate models.

Among named groups, Qilin was the most active across both disclosed and undisclosed activity, with 1,115 claimed victims in 2025. Akira ranked second for disclosed attacks and third for undisclosed activity, linked to 776 total recorded attacks over the year.

Play ranked third for disclosed attacks and accounted for 5% of the annual total. INC ranked second in undisclosed activity, with 66 claimed victims.

AI in attacks

The report argues that 2025 marked the arrival of large-scale, AI-enabled attacks. It cites an incident in which attackers hijacked Anthropic's Claude model and used it to autonomously perform reconnaissance, exploitation, and data theft.

BlackFog describes the incident as a first-of-its-kind AI-led cyberattack and links it to a shift in attacker priorities, with speed, scale, and stealth taking precedence over disruption.

Sectors targeted

Retail saw increased targeting in 2025, with attacks affecting brands including M&S, Cartier, and Chanel, as well as other luxury retailers and fashion houses.

Healthcare remained the most targeted sector by volume, accounting for 22% of all disclosed ransomware attacks in 2025. The services industry recorded the steepest change, with a 118% year-on-year increase.

Most sectors saw higher attack volumes. Education was the exception, with attacks down by around 12% in 2025.

Geographic spread

The report depicts ransomware as a global operational risk rather than a concentrated regional threat. Organisations across 135 countries were impacted in 2025, or 69% of countries worldwide.

Among publicly disclosed incidents, the United States remained the primary target, accounting for 58% of recorded attacks. Australia and the UK followed, with 110 and 42 attacks, respectively.

The ranking differed for undisclosed activity. The US again topped the list with 3,768 incidents, while Canada accounted for 6% and Germany for 4% of undisclosed attacks.

BlackFog also highlighted what it called intense, country-specific targeting, saying Qilin ran a sustained campaign against South Korean organisations in 2025, one of the most concentrated national attacks of the year.

Company view

The findings add to growing reporting that ransomware groups increasingly combine encryption with data theft and extortion. BlackFog argues this is amplifying the harm when incidents occur, including operational disruption and heightened legal and commercial exposure from stolen data.

Dr Darren Williams, founder and CEO of BlackFog, described the problem as both pervasive and increasingly focused on sensitive information.

"The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn't respect borders, the size of organization or the sector you're in. It's brought vital services, established companies - and the smaller partners who depend on them - to a grinding halt," said Dr Darren Williams, founder and CEO of BlackFog.

He also pointed to data theft and the use of artificial intelligence by attackers.

"Yet the disruption they cause is only part of the story. Attackers aren't just breaking in - they're intent on stealing data to power extortion. By weaponizing AI they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures. Putting protections in place to close these gaps and prevent data exfiltration has to take priority as attackers focus on targeting organizations' most sensitive information," Williams said.

The report draws in part on information collected by the BlackFog Console from January to December 2025, including anonymised data on data movement across hundreds of organisations, alongside analysis of publicly disclosed and undisclosed attacks.