Ransomware Groups Hit All-Time High in 2025, with Victim Growth Rate Doubling and Qilin Dominating

    The ransomware problem did not plateau in 2025. It accelerated. A new cybersecurity report has confirmed that the number of active ransomware groups reached an all-time high last year, and more alarming than the group count is what happened to their victim numbers — the growth rate doubled compared to 2024. That is not a marginal uptick. It means the ecosystem of criminal operators extorting businesses, hospitals, schools, and government agencies expanded faster than at any previous point on record. And sitting at the top of that ecosystem, claiming more victims than any other single group, was Qilin.

    Who Is Qilin and Why Are They So Effective

    Qilin — also tracked under the name Agenda by some security firms — first emerged in 2022 but spent much of its early existence in the shadow of larger groups like LockBit and ALPHV. That changed decisively in 2024 and carried through 2025. The group operates as a ransomware-as-a-service platform, meaning its core developers build and maintain the malware while affiliates handle the actual intrusions and extortion. This model lets Qilin scale its attack volume without proportionally growing its core team, and it gives the group access to a rotating cast of skilled intrusion operators who bring their own target lists and access.

    What distinguishes Qilin technically is that its ransomware is written in Go, which makes it cross-platform by design. The same core payload can encrypt Windows servers, Linux systems, and VMware ESXi virtual machine environments with relatively minor modifications. For organizations running hybrid infrastructure — which is most large enterprises — that cross-platform capability means a single compromised entry point can result in total environment encryption rather than partial damage. Recovery becomes far harder when every system type is affected simultaneously.

    Ransomware attacks reached record levels in 2025 as threat groups multiplied globally

    Why the Number of Active Groups Keeps Growing

    Law enforcement has had genuine successes against ransomware groups in recent years. The FBI and international partners took down LockBit's infrastructure in early 2024. ALPHV effectively collapsed after its own affiliates turned on the core team following a disputed ransom payment. Yet the overall group count still hit a record high in 2025. The reason is structural: when a major group gets disrupted, its affiliates do not retire. They migrate to competing platforms or spin up new operations using leaked or purchased ransomware builder tools. The barriers to entry keep falling as the underground market for initial access and ransomware tooling matures.

    There is also a fragmentation trend worth paying attention to. Rather than a handful of dominant groups controlling most activity — as was the case during the LockBit peak — the 2025 landscape features a larger number of mid-sized groups each running more modest but still damaging operations. This distributed structure makes law enforcement targeting harder. Decapitating one group has less impact on overall victim numbers when thirty other groups are operating in parallel.

    The Industries Taking the Hardest Hits

    Healthcare remained the most targeted sector by victim count in 2025, a pattern that has held for several years running. Hospitals and health systems are attractive targets for a straightforward reason: the operational pressure to restore systems quickly is higher than in almost any other industry. When patient care systems go down, the pressure on administrators to pay a ransom and recover fast is intense in a way that a manufacturer facing production delays simply does not experience. Qilin in particular has shown a consistent pattern of targeting healthcare organizations, including several high-profile hospital system attacks that disrupted patient care across multiple facilities.

    Manufacturing, legal services, and critical infrastructure also saw elevated attack volumes. The legal sector is increasingly targeted because law firms hold sensitive client data — financial records, litigation strategy, personal information — that creates strong leverage for double extortion, where attackers both encrypt files and threaten to publish stolen data unless paid. Many firms have paid quietly rather than face the reputational fallout of a public data leak.

    What Organizations Can Actually Do

    The honest answer is that there is no single defensive measure that reliably stops a determined ransomware operator with valid credentials and time to move through a network. Phishing-resistant multi-factor authentication closes the most common initial access vector. Network segmentation limits how far an attacker can move after gaining a foothold. Offline backups — genuinely air-gapped copies that ransomware cannot reach — are what separates organizations that pay from organizations that recover. These are not new recommendations, but the gap between organizations that have actually implemented them and those that have not remains stubbornly wide.

    The doubling of the victim growth rate in 2025 is a signal that the current state of enterprise cyber defense is losing ground to the current state of ransomware operations. That gap needs to close, and the report's data makes clear that hoping the threat environment improves on its own is not a strategy.
