Encryptionless Extortion on the Rise as Ransomware Groups Shift Techniques

Ransomware attacks continued to climb in 2025 as attackers increasingly timed operations around year-end staffing gaps and shifted away from traditional file encryption, according to new research from NordStellar.

The report shows ransomware incidents increased 45% from the previous year, rising from 6,395 cases in 2024 to 9,251 in 2025. Activity picked up late in the year, with December accounting for 1,004 incidents, the highest monthly total recorded over the previous two years. Smaller manufacturing organizations were among those most frequently targeted.

“In the final quarter of 2025, ransomware groups exploited end-of-year cybersecurity spaces brought on by reduced staffing and tracking,” stated Vakaris Noreika, a cybersecurity professional at NordStellar. “Nevertheless, the pattern has actually been up the whole year.”

Separate analysis from Symantec and Carbon Black’s Risk Hunter Group reported that ransomware actors publicly claimed 4,737 attacks in 2025, slightly higher than the 4,701 recorded in 2024. When encryptionless extortion incidents were included, total extortion activity rose to 6,182 attacks, a 23% increase year over year.

Manufacturing Sees the Most Pressure

Manufacturing companies experienced more ransomware activity than any other sector in 2025. NordStellar data shows manufacturing accounted for 19.3% of all ransomware incidents, with 1,156 attacks recorded during the year, a 32% increase from 2024. Meanwhile, the education sector represented 3.6% of attacks in 2025.

Smaller firms bore the brunt of that activity. Companies with up to 200 staff members and annual profits of $25 million or less were targeted more frequently than larger enterprises.

The U.S. continued to account for the majority of ransomware activity, with 64% of reported cases worldwide. NordStellar tracked 3,255 attacks against U.S.-based companies, up 28% from the previous year. Canada and Germany also saw sharp increases.

“SMBs are appealing targets for ransomware attacks due to the fact that they often do not have security personnel and tools and run within limited cybersecurity spending plans,” Noreika stated. “Smaller sized organizations are likewise most likely to depend on out-of-date software, have actually restricted security monitoring, and count on external vendors for IT support.”

Ransomware Groups Reshuffle

Changes in targeting accompanied broader shifts in the ransomware-as-a-service ecosystem. A number of established groups shut down during 2025, while newer operations expanded by absorbing displaced affiliates.

Qilin emerged as the most active ransomware operation, with 1,066 cases, a 408% increase from 2024. Akira followed with 947 cases, up 125% year over year.

RansomHub, which led ransomware activity earlier in the year, went offline in April after internal disputes. LockBit had already ceased operations following major disruptions in late 2024.

Symantec identified 134 ransomware groups active in 2025, compared to 103 in 2024, a 30% increase.

Extortion Without Encryption

Attack techniques continued to evolve as more groups abandoned file encryption in favor of pure data extortion.

The Snakefly group, which operates Cl0p ransomware, played a prominent role after exploiting zero-day vulnerabilities in enterprise software. In October, the group targeted Oracle E-Business Suite users through a critical vulnerability, CVE-2025-61882. According to Symantec, the vulnerability had been exploited since August.

Researchers also tracked the emergence of Warlock ransomware, which appears to originate from China rather than traditional ransomware strongholds. Warlock was first observed in June 2025 and gained attention the following month after exploiting a zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770.

“The involvement of Chinese espionage stars in ransomware is a growing phenomenon,” Symantec’s report said. “The enemies behind Warlock seem a different type of cybercriminal, where cybercrime is among the group’s core activities and not a sideline.”

Getting ready for 2026

Security researchers say organizations need to assume ransomware pressure will continue to rise.

“Provided the rise in 2025, ransomware events in 2026 are likely to surpass 12,000,” Noreika stated. “Organizations, particularly SMBs and those running in markets where operational downtime is unacceptable, must be on high alert and reassess their preparedness to combat ransomware.”

Security companies continue to recommend standard controls such as regular patching, multifactor authentication, and offline backups to limit disruption when attacks succeed.

For the complete report, visit the NordStellar website.