Ransomware Attacks Up 30%: What’s Driving the Surge and How to Stay Off the List

Let’s lead with the number that should make every security team uncomfortable: 2,018 ransomware attacks in a single quarter.

That was Q4 2025. Roughly 22 attacks per day. One every 65 minutes. Not incidents reported to regulators — claimed attacks, meaning ransomware groups publicly posted their victims because negotiations failed or they wanted to demonstrate reach. The actual number of successful intrusions is higher.

Compare that to the first three quarters of 2025, where the monthly average was 512 attacks. In Q4, that jumped to 673 per month — a 30%+ surge that held into January 2026 with 679 claimed attacks. This isn’t a blip in the data. It’s acceleration.


Who’s Doing the Damage: The Top 5 Groups Right Now

1. Qilin — 115 Victims in January Alone

Qilin has emerged as the most prolific ransomware group of early 2026, and they’re not shy about it. In January 2026, they claimed 115 victims — a pace that puts them well ahead of any competitor. Their targets span multiple sectors, but critical infrastructure and organizations with high data sensitivity are squarely in scope.

In one documented January attack, Qilin targeted a US Airport Authority, exfiltrating financial documents, NDAs, and travel records. The strategic value of that data — useful for competitive intelligence, extortion, and potential resale — illustrates why Qilin’s model is effective: they don’t just hold files hostage, they turn stolen data into multi-vector leverage.

2. CL0P — 93 Victims and a Dangerous Comeback

CL0P went relatively quiet after law enforcement disruptions in 2023-2024. They’re back. 93 victims in January 2026 signals a deliberate resurgence, likely with rebuilt infrastructure and updated tactics. CL0P is known for exploiting zero-day vulnerabilities in enterprise file transfer software — their previous campaigns targeting MOVEit and GoAnywhere affected thousands of downstream organizations.

Watch for CL0P to repeat that playbook: identify a widely deployed enterprise tool, find an unpatched flaw, and mass-exploit before defenders can react. If you’re running any managed file transfer or enterprise data movement platform, patch cadence matters more than ever.

3. Akira — 76 Victims, Manufacturing and Healthcare Focus

Akira has been one of the most consistent operators in the ransomware space, and their January 2026 numbers (76 claimed victims) reflect that consistency. They favor Hyper-V environments and have demonstrated the ability to compromise virtualization infrastructure directly — meaning they can encrypt multiple VMs from a single foothold.

Akira also leans heavily into double extortion: encrypt first, but ensure data is staged for exfiltration before triggering the ransom demand. If you don’t pay for the decryptor, they publish the data. The two-pressure approach has proven effective against organizations that might otherwise rely on backups.

4. Sinobi — New Entrant, Already Dangerous

Sinobi is a newer group that drew attention in January 2026 with an attack on an India-based IT company. The haul: 150GB of data including direct Hyper-V access credentials, VM images, and backup repositories. That last detail is critical — compromising backup infrastructure before deploying ransomware eliminates the victim’s primary recovery option.

The attack illustrates a maturation in technique. Lower-tier groups used to skip backup systems. Modern operators — including new entrants like Sinobi — have clearly studied what makes victims pay and are targeting recovery infrastructure as a primary objective.

5. The Gentlemen — Extortion Without Encryption

The Gentlemen represent an interesting evolution: a group that focuses on data theft and extortion without necessarily deploying encryption. No ransom note, no locked files — just a credible threat to publish stolen data unless paid. This approach bypasses the operational complexity of deploying a ransomware payload and avoids some endpoint detection triggers. For defenders, it’s harder to detect because there’s no sudden file modification activity. The first sign is often a demand email.


Why Healthcare Is Ground Zero

Healthcare took 27 confirmed ransomware hits in January 2026 alone. That’s not a coincidence — it’s a targeting strategy based on three factors attackers understand well:

1. Willingness to pay. Hospitals face a brutal calculus: patient safety data being inaccessible costs lives. The ethical pressure to restore systems quickly translates into higher payment rates relative to other sectors. Attackers know this.

2. Legacy infrastructure. Healthcare environments routinely run systems that haven’t been patched in years — medical devices on unsupported OS versions, DICOM servers, older EHR platforms. Many can’t be taken offline for updates without disrupting patient care. They become persistent footholds.

3. Data value. Medical records are worth more on dark web markets than credit card numbers. A patient record with full identity, insurance, and health history can fetch $50–$250 per record. ManageMyHealth in New Zealand lost 120,000 patient records to the Kazu group in January 2026 — the ransom demand was only ~$60K, but the data itself has far greater resale value.

If you work in healthcare IT: you’re not a soft target by accident. You’re a soft target by design, and the groups hitting you have healthcare-specific playbooks.

Manufacturing is the second most targeted sector for similar reasons: high operational pressure to restore production, mixed IT/OT environments that complicate incident response, and supply chain data that has value beyond the immediate victim.


The Economics of Ransomware in 2025-2026

The numbers here are counterintuitive until you understand the incentive structure:

  • Median ransom demand (2025): $1.3 million
  • Median payment (Q2 2025): $400,000 — up 100% from Q1 2025
  • Victims who pay: Only 26–32%
  • Victims who negotiate lower: 53%

So most victims don’t pay, and those who do typically negotiate down significantly. Yet ransomware revenue in 2024 was $814 million — down from $1.2 billion in 2023 (partly due to law enforcement actions against major groups), but still nearly a billion dollars extracted from organizations in a single year.

The business model works because the volume is high enough that even a low payment rate generates massive revenue. With 2,018 attacks in Q4 2025 alone, even if 28% of those resulted in payment at an average of $300K, that’s over $169 million in a single quarter.

And the protection side reflects how seriously organizations are taking this: the ransomware protection market was $32.6 billion in 2024 and is projected to reach $123 billion by 2034. Every company that pays a ransom is funding both next quarter’s attacks and this decade’s security vendor growth.


Three New Groups You Should Be Tracking

Beyond the established names, three emerging groups represent new threat patterns worth understanding:

Green Blood

Green Blood focuses on organizations in India, Senegal, and Colombia — a geographic targeting profile that suggests either regional affiliations or deliberate exploitation of what they perceive as lower-security environments. Their emergence reflects the RaaS model’s geographic expansion; ransomware is no longer primarily a US/Western Europe problem for victims or operators.

DataKeeper

Operating under the CrystalPartnership RaaS banner, DataKeeper uses RSA-4096 encryption — which is not breakable through brute force with current computing. If they encrypt your files, you’re not getting them back without either paying, having solid backups, or getting lucky with a law enforcement key release. Their RaaS model means that CrystalPartnership handles infrastructure and tooling while DataKeeper handles targeting and delivery — a division of labor that makes both components harder to take down.

MonoLock

MonoLock is technically interesting and operationally dangerous. They use in-memory Beacon Object Files (BOFs) — meaning their ransomware payload runs in memory rather than writing to disk, evading many traditional file-based detection mechanisms. Their “Zero Panel” operational model means they don’t use a centralized command-and-control panel, reducing the infrastructure footprint that law enforcement typically targets. MonoLock is exactly the kind of group that tests the limits of endpoint detection tools that rely on file system monitoring.


The Convergence Driving the Surge

The 30% spike in Q4 2025 isn’t explained by one factor. It’s the collision of several trends that have been building for years:

RaaS ecosystem maturation. There are now 100+ active ransomware groups, many operating as RaaS platforms that reduce the technical barrier to entry. Attackers don’t need to write malware anymore — they rent it. This has democratized ransomware operations and produced a crowded market with operators competing on target volume.

AI-enhanced phishing at scale. Phishing has always been the primary initial access vector. AI tools now enable highly personalized phishing emails at scale — individual lures crafted from LinkedIn profiles, public records, and company filings, generated in bulk and sent to thousands of targets with minimal human effort. The quality of initial access attempts has gone up while the cost has gone down.

Triple extortion normalization. The evolution: encrypt files (pressure #1), exfiltrate data and threaten publication (pressure #2), launch a DDoS attack against the victim’s infrastructure simultaneously (pressure #3). 74% of 2025 incidents included data theft alongside encryption. The DDoS component adds a third lever — even if an organization has good backups and can recover quickly, the DDoS attack disrupts operations while they’re already dealing with the incident.

Edge device targeting. VPNs, firewalls, and load balancers have become preferred initial access points. These devices sit at the network perimeter, are often running outdated firmware, and when compromised provide direct network access without triggering endpoint detection. The Sedgwick Government Solutions attack — where TridentLocker encrypted 3.4GB of US federal data — and the Brightspeed attack (Crimson Collective claiming 1M+ customer records) both reflect this approach: get in through the edge, move laterally, and maximize impact before detection.


What Actually Reduces Your Risk

This is where a lot of security writing goes vague. Here’s what the data and incident patterns tell us actually works:

MFA on everything external-facing. Not just VPNs and email — every application with external exposure. Credential stuffing and phishing-derived credentials are the most common path to an initial foothold. MFA breaks this chain. Phishing-resistant MFA (hardware keys, passkeys) breaks it more reliably than TOTP codes.

EDR with behavioral detection. Traditional antivirus catches known malware signatures. Endpoint Detection and Response (EDR) tools detect behavioral patterns — unusual process chains, mass file modifications, in-memory execution patterns (relevant for MonoLock-style attacks). EDR isn’t a guarantee, but it significantly raises the cost of a successful attack and provides the telemetry needed for effective incident response.
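As an added illustration of the mass-file-modification rule mentioned above (not code from the original article or from any EDR vendor), here is a small Python detector that flags a process touching an unusual number of distinct files in a short window, run over constructed file-event telemetry; the host, process and path names, the log format and the thresholds are all assumptions.

```python
"""Toy behavioral rule for ransomware-style mass file modification.

Flags any (host, process) pair that touches THRESHOLD or more distinct
files inside a sliding WINDOW, the kind of rule EDR products apply to
file-system telemetry instead of matching malware signatures.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning)
THRESHOLD = 25                   # distinct files touched within WINDOW

def parse_event(line):
    """Parse 'ISO-timestamp host process EVENT path' (constructed format)."""
    ts, host, proc, event, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "event": event, "path": path}

def detect_mass_modification(lines, window=WINDOW, threshold=THRESHOLD):
    """Return sorted (host, process) pairs whose file churn exceeds the rule."""
    recent = defaultdict(deque)   # (host, proc) -> deque of (ts, path)
    flagged = set()
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["event"] not in ("WRITE", "RENAME", "DELETE"):
            continue                # reads and opens are not churn
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()             # drop events older than the window
        if len({p for _, p in q}) >= threshold:
            flagged.add(key)
    return sorted(flagged)

def constructed_sample():
    """Constructed telemetry: slow normal editing plus one encryption burst."""
    base = datetime(2026, 1, 14, 9, 0, 0)
    # a user saving one document every 90 seconds: never 25 files in a minute
    lines = [f"{(base + timedelta(seconds=90 * i)).isoformat()} ws01 winword.exe"
             f" WRITE C:/Users/a/doc{i}.docx" for i in range(10)]
    # an unknown service renaming 40 share files in 20 seconds: the signal
    lines += [f"{(base + timedelta(minutes=30, seconds=i // 2)).isoformat()} ws01"
              f" svc.exe RENAME C:/Shares/f{i}.xlsx" for i in range(40)]
    return lines

if __name__ == "__main__":
    print(detect_mass_modification(constructed_sample()))  # [('ws01', 'svc.exe')]
```

A real rule would add whitelisting for backup agents and indexers and correlate with extension changes, since a rename burst to a new extension is a stronger signal than write volume alone.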

Immutable, offline backups. The Sinobi attack that targeted Hyper-V access and backup repositories is a reminder: if your backups are network-accessible from your production environment, they’re part of the attack surface. Immutable backups (write-once, read-many storage) and offline/air-gapped copies eliminate the attacker’s ability to destroy your recovery path. Test restoration regularly — a backup you’ve never tested is an assumption, not a recovery plan.

Network segmentation. Lateral movement is how attackers go from a single compromised endpoint to domain-wide ransomware deployment. Segmented networks — where workstations can’t communicate directly with servers, where OT networks are isolated from IT, where backup systems are on separate VLANs with no inbound connections from production — force attackers to work harder and create more detection opportunities.

Patch VPNs and firewalls on an aggressive schedule. Edge devices running outdated firmware are the single most exploited initial access vector in 2025-2026. Set a policy: critical edge device patches applied within 24-72 hours of release, no exceptions. If a device can’t be patched quickly, implement compensating controls (WAF rules, network restrictions) immediately.

Tabletop exercises that include payment decisions. Organizations that have pre-decided their response posture — including the conditions under which they would or wouldn’t pay, who is authorized to make that decision, and what their legal obligations are — respond faster and more coherently than those figuring it out under fire. Run through the scenario before you’re in it.


The Inconvenient Math

2,018 attacks in Q4 2025. 673 per month. 22 per day.

If 28% of those victims paid, and the average payment was $300K, that’s roughly $170 million flowing to ransomware operators in a single quarter. That money funds infrastructure upgrades, recruits new affiliates, funds zero-day research, and underwrites next quarter’s attack volume.

The 26% who pay are directly subsidizing the attacks against the 74% who don’t. Every ransom payment is a vote to keep the economics favorable for attackers.

That’s not a moral judgment — organizations in crisis make the decisions they have to make. But it is a systems-level observation: the aggregate effect of individual payment decisions is to grow the threat landscape. The only structural counter is making attacks less profitable, which means making them more expensive to execute (better defenses) and less likely to succeed (immutable backups, tested IR plans).

January 2026’s 679 attacks suggest Q4 2025 wasn’t an anomaly. The surge is the new baseline. Plan accordingly.


Sources: Cyble Research Q4 2025 Ransomware Report, BlackFog State of Ransomware 2026, Coveware Ransomware Marketplace Report Q2 2025