Ransomware Victims and Threat Groups Surge to Record Levels, GuidePoint Security Finds

New Annual Report from the GuidePoint Research and Intelligence Team (GRIT) Reveals a 58% YoY Increase in Ransomware Victims as Record Activity Becomes the New Norm

RESTON, Va.–(BUSINESS WIRE)–#cybersecurity—GuidePoint Security, the cybersecurity advisor and services partner organizations rely on to protect what matters most, announced today the release of the GuidePoint Research and Intelligence Team’s (GRIT) annual Ransomware & Cyber Threat Report.

The GRIT 2026 Ransomware & Cyber Threat Report provides exclusive in-depth research, insights and analysis on a year of record-breaking ransomware activity, examining who cybercriminals are targeting (and why), the top tactics threat actors are using and how shifting ransomware group dynamics are redefining the threat landscape.

“The GRIT 2026 Ransomware & Cyber Threat Report shows the most active year for ransomware we’ve ever recorded, revealing a 58% year-over-year increase in ransomware victims,” said Jason Baker, Lead Threat Analyst at GuidePoint Security. “While law enforcement disruptions have reshaped the Ransomware-as-a-Service (RaaS) ecosystem, group fragmentation is driving new patterns of high-volume, repeatable operations, pushing overall activity to record-breaking levels. The rise of Qilin as the most active group we’ve ever tracked — surpassing even LockBit at its peak — underscores how the ecosystem is evolving. For organizations, well-resourced defenders, proactive vulnerability management and real-time threat intelligence will be critical for mitigating risk in the year ahead.”

Findings from this year’s report include:

• Ransomware victim numbers hit a new all-time high. 2,287 ransomware victims were posted in Q4 2025 alone — the largest number recorded in a single quarter since the report’s inception.
• The number of threat groups has reached record levels. 124 distinct ransomware groups were active in 2025, the highest ever recorded and a 46% year-over-year increase.
• The United States remains a top geographic target for ransomware attacks. In 2025, more than half (55%) of ransomware victims were based in the U.S.
• A new RaaS leader has emerged. Qilin’s activity levels in 2025 were the highest of any group ever observed.
• The Manufacturing industry was most heavily impacted by ransomware, accounting for 14% of attacks. The Technology (9%) and Retail/Wholesale (7%) industries followed closely behind.
• High ransomware activity levels should continue in 2026. December 2025 was the most active month for claimed ransomware victims on record with 814 successful attacks — a 42% year-over-year increase.

“International law enforcement operations throughout 2025 applied sustained pressure across the ransomware ecosystem, disrupting core services that many groups rely on to operate,” Baker added. “While threat actors continue to adapt, these coordinated actions are raising the cost of doing business for ransomware operators and reinforcing the importance of collective, cross-border efforts in shaping a more resilient security landscape.”

The report also explores the growing use of AI in ransomware attacks, examines the impact of zero-day vulnerabilities on ransomware and takes an in-depth look at major ransomware operators throughout the year, including an analysis of ransomware payments made to the Qilin and Akira groups.

The GRIT 2026 Ransomware & Cyber Threat Report is based on data obtained from publicly available resources, vendor threat research, internal incident response case data and open-source intelligence collected from illicit forums and marketplaces.

For more information:

• Download the The GRIT 2026 Ransomware & Cyber Threat Report
• Register for GRIT’s upcoming webinar
• Read our blog
• Explore more GRIT reports and other resources

About GuidePoint Security

GuidePoint Security helps organizations overcome the most complex cybersecurity challenges, mature their security posture, minimize risk and ensure compliance. As a trusted cybersecurity advisor and partner, GuidePoint keeps people, data, and operations safe. We deliver tailored cybersecurity services and offerings that adapt and scale to safeguard the nation’s leading organizations today, while preparing them to confidently face tomorrow’s cyber challenges. More than 6,000 organizations of all sizes and across every industry, as well as over half of U.S. cabinet-level agencies, rely on GuidePoint to strengthen their defenses and reduce risk.

Stronger Together. Protecting What’s Next. Learn more at guidepointsecurity.com.

Contacts

Nicole Lavella

[email protected]
703-403-7066