Ransomware Surge in 2025: Alarming Spike in Attacks Despite Gang Shutdowns

Rising Cyber Threats in 2025: A Warning to Global Organizations

A fresh wave of ransomware attacks is shaking up the cybersecurity world in 2025, as new data from Comparitech highlights an astonishing 47% surge in incidents compared to the same period in 2024. With over 3,600 attacks logged in just the first half of the year, the digital threat landscape is growing at an alarming pace. Ironically, this spike is occurring even as some of the most notorious ransomware gangs, such as Hunters International and LockBit, have recently ceased operations.

Cybersecurity leaders and researchers are urging businesses across all industries to double down on cyber hygiene practices. Their message is loud and clear: even with some ransomware groups closing shop, the tactics are evolving and becoming more dangerous than ever before. As extortion-focused threats take center stage, visibility, preparation, and rapid response are now the pillars of organizational defense.

Explosive Growth in Ransomware Attacks

In the first half of 2025, a staggering 3,627 ransomware incidents were reported globally, marking a 47% increase from the same timeframe in 2024. The scale and frequency of these attacks are sending shockwaves across industries, with technology, retail, legal, transportation, and manufacturing sectors taking the brunt of the hit. In contrast, the utilities sector surprisingly saw a decline of 31%, an anomaly in the otherwise upward trend.

Rebecca Moody, head of data research at Comparitech, warned that this steep rise should not come as a surprise but rather as a wake-up call. Her emphasis on foundational practices like regular updates, patching vulnerabilities quickly, backing up systems, and preparing incident response plans echoes the timeless advice that many organizations still struggle to implement fully. She also highlighted the crucial role of staff training in mitigating human error — a common entry point for attackers.

Supporting Moody’s view, Forescout’s head of research, Daniel Dos Santos, pointed out that the threat landscape isn’t just growing — it’s mutating. Techniques like EDR bypasses, ClickFix attacks, and even launching encryptors from IP cameras are now part of the cybercriminal toolkit. Moreover, there’s a growing focus on data theft (exfiltration) rather than encryption, enabling criminals to demand ransoms without even locking down systems.

Perhaps more disturbing is that these innovations persist despite increasing law enforcement crackdowns. Cybercrime gangs continue to adapt, showing a worrying level of technical sophistication and strategic planning. Dos Santos stresses the importance of network-wide visibility and threat detection, especially as devices multiply across organizational ecosystems.

Adding further complexity to the situation, some of the most dangerous ransomware groups have recently disbanded. Hunters International, known for high-profile attacks on Tata Technologies, Fred Hutchinson Cancer Center, and ICBC, has voluntarily shut down operations — or so it claims. The group even promised to release free decryption tools for past victims, though it’s uncertain how many victims actually suffered encryption-based attacks.

However, security experts are skeptical. Dray Agha from Huntress points out that this “shutdown” might be little more than a strategic rebrand. In fact, Hunters International is believed to have transformed into a new group called World Leaks, which focuses purely on data theft and extortion without bothering with encryption. This model offers lower risks and faster payoffs for attackers, shifting the dynamics of ransomware altogether.

Meanwhile, LockBit, one of the most prolific ransomware gangs, was forcibly dismantled in 2024 during a coordinated international operation. Their takedown was celebrated as a rare win for global cybersecurity, but their absence hasn’t slowed the overall rise in attacks. Instead, newer groups are emerging, often with more cunning strategies and updated tools.

Despite the shutdowns of big players, the number of compromised records tells a grim story. More than 17 million records were breached across 445 confirmed attacks in just six months, exposing not only organizational data but also sensitive personal information.

The evolving nature of these threats demands a new level of readiness. Traditional defenses like backups and antivirus solutions are no longer sufficient. Organizations need advanced detection capabilities, around-the-clock monitoring, identity protection, and proactive employee education to stay ahead of the curve.

What Undercode Say:

The Illusion of Progress Amid Escalating Chaos

The ransomware ecosystem is far from weakening — it’s shifting gears. While headlines about group shutdowns might suggest progress, the data reveals a darker truth. The 47% year-over-year spike in attacks during the first half of 2025 is not just a statistic; it’s a signal that cybercriminals are getting smarter, faster, and bolder.

Hunters International’s so-called shutdown is a textbook example of deceptive optics. Far from dissolving, the group appears to be pivoting into a new brand — one with streamlined objectives and stealthier tactics. Moving away from encryption to “steal-only” extortion reflects a broader industry shift. Encrypting systems and negotiating decryption is riskier and slower compared to simply stealing data and demanding hush money. This evolution not only increases payout speed but makes it harder for authorities to track and shut down operations.

LockBit’s forced takedown, while symbolically powerful, did not curb the broader trend. The void left by such major players is being filled quickly by emerging groups that are more agile and technologically advanced. These newcomers don’t rely on traditional malware techniques. They’re leveraging new exploits, bypassing EDR systems, and even weaponizing devices like IP cameras to deploy malware — a tactic previously thought too unconventional.

The shift in target industries also deserves scrutiny. The 88% increase in technology-related attacks indicates that even tech companies — which should theoretically have robust security — are vulnerable. Retail and legal industries, which handle vast amounts of customer and client data, saw similarly sharp spikes. This demonstrates that attackers are increasingly data-driven in their targeting, choosing sectors where the financial and reputational cost of exposure is highest.

The fact that more than 17 million records were compromised underscores the sheer scale of damage ransomware can inflict, not just on businesses, but also on individuals. These records can lead to identity theft, fraud, and long-term reputational damage — making data exfiltration a potent weapon in a hacker’s arsenal.

Despite the proliferation of threats, many companies still rely on outdated cybersecurity practices. Reactive strategies like relying solely on backups or patching known vulnerabilities after detection are no longer viable. What’s required now is a paradigm shift — proactive cybersecurity, where threat anticipation and real-time detection become the standard.

Employee training, previously treated as an afterthought, must now take center stage. Human error remains a dominant cause of breaches. Regular phishing simulations, awareness campaigns, and role-based access control can drastically reduce an organization’s risk exposure.

Lastly, cybersecurity must become a boardroom issue. It’s no longer just an IT concern. The financial, legal, and reputational consequences of ransomware attacks require executive-level attention and budget allocation. Organizations that fail to recognize this shift are not just risking data — they’re risking their future.

🔍 Fact Checker Results:

✅ 47% increase in ransomware attacks confirmed by Comparitech for H1 2025
✅ Hunters International and LockBit have shut down, but with caveats around rebranding
❌ No evidence that ransomware threats are declining despite gang closures

📊 Prediction:

Expect a sharp rise in extortion-only attacks in the second half of 2025 as more ransomware gangs abandon encryption in favor of data theft. With technological innovations and increased automation, threat actors will likely focus on stealth over brute force, targeting industries with weak network visibility and high-value data. The illusion of safety from gang shutdowns will quickly dissolve as new groups emerge with faster, smarter tactics.

References:

Reported By: www.itsecurityguru.org
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI
