Investors are pumping millions of dollars into encryption as unease about data security drives a rising need for ways to keep unwanted eyes away from personal and corporate information — © AFP
Ransomware appears to be on the rise. The first half of 2025 sees 49% spike in ransomware attacks. Overall, the number of ransomware attacks in 2025 has almost doubled compared to last year, with US organizations and SMBs as the primary targets.
The latest data compiled by NordStellar, a threat exposure management platform, reveals that the number of ransomware incidents in 2025 increased by 49% compared to last year. Besides the growing concerns over the significant spike, data from 2025 Q2 also revealed that attackers keep targeting US companies, with small and mediumsized businesses (SMBs) and companies in the manufacturing industry taking the biggest hits.
“The victim profile mirrors the data from 2025 Q1, as SMBs and companies in the manufacturing industry remain the prime targets. This is a significant cause for concern, as bad actors continue to exploit preventable security vulnerabilities successfully,” Vakaris Noreika, cybersecurity expert at NordStellar, tells .
Ransomware appears to be on the rise. The first half of 2025 sees 49% spike in ransomware attacks. Overall, the number of ransomware attacks in 2025 has almost doubled compared to last year, with US organizations and SMBs as the primary targets.
The latest data compiled by NordStellar, a threat exposure management platform, reveals that the number of ransomware incidents has almost doubled compared to last year. In JanuaryJune of 2025, 4,198 ransomware cases were exposed on the dark web, highlighting an alarming 49% increase from the 2,809 cases recorded in 2024.
As Noreika points out: “We’re only halfway into the year, but the number of ransomware attacks has already doubled, signifying that these attacks remain effective and profitable enough for cybercriminals to ramp up their efforts. Some factors that could contribute to the growth in ransomware attacks include the rise in ransomwareasaservice (RaaS), expanded attack surfaces from remote or hybrid work models, and economic uncertainty that could encourage more people to seek illegal income and turn to cybercrime.”
Main targets in 2025 Q2
In AprilJune 2025, 1,758 ransomware cases were exposed on the dark web, a 19% increase compared to the same period in 2024 (1,483 cases). Of the 1,205 ransomware incidents traced to specific victim countries, US businesses took the most brutal hit, accounting for 49% of cases (596 incidents). Germany holds the second spot with 84 cases, followed by Canada (74), the United Kingdom (40), and Spain (37).
“Not only is the US home to many profitable businesses, but the companies also have a higher profile. As a result, they’re more likely to give into ransomware demands to reduce the impact of the reputational damage resulting from an attack”, adds Noreika.
“Strict regulations are also a significant factor to consider — laws on data protection and operational uptime can urge companies to resolve ransomware incidents quickly and not risk the fines or loss of their clients and partners’ trust.”
Ransomware data from April to June 2025 revealed that the manufacturing industry was most affected, with 229 recorded cases. The construction industry came in second with 97 cases, followed closely by information technology (88 incidents).
The data also revealed that small and mediumsized businesses (SMBs) were the prime target for ransomware in 2025 Q2. Organizations with 51–200 employees and revenues between $5 million and $25 million faced the most ransomware attacks.
“The victim profile mirrors the data from 2025 Q1 – SMBs and companies in the manufacturing industry remain the prime targets. This is a significant cause for concern because bad actors continue successfully exploiting preventable security vulnerabilities,” says Noreika.
He explains that companies in the manufacturing industry face challenges enforcing and centralizing security across all geographically dispersed locations and often rely on outdated and unpatched systems. SMBs, like manufacturing companies, often rely on thirdparty IT providers and lack comprehensive cybersecurity measures due to limited budgets, exposing them to greater risk.
Who’s responsible?
The ransomware group Qilin was responsible for the most attacks in 2025 Q2, with 214 incidents. Safepay holds the second spot with 201 incidents, followed closely by Akira (200 incidents).
According to Noreika, Safepay is the newest of the three, with NordStellar first detecting their activity in Fall 2024. Their attacks significantly increased in Q2 and spiked in May, with 158 incidents alone.
Building a ransomwareresistant business
Noreika explains that employees are the first line of defence against ransomware. Cybersecurity training on phishing scams, the importance of multifactor authentication, and password management are essential to minimize the risk of bad actors gaining access to sensitive data or infiltrating the network.
“Aside from raising cybersecurity awareness, companies should also build a comprehensive cybersecurity strategy to detect threats before they escalate. This includes implementing endpoint protection, monitoring the dark web for potential data leaks, and keeping a close eye on the company’s attack surface for unpatched security vulnerabilities,” says Noreika.
To minimize the impact of a potential ransomware incident, Noreika recommends that businesses stay two steps ahead, implement recovery plans, and always back up critical data.
