Comparitech Stack Report
Ransomware attacks and trends from 2025

From the Editor’s Desk
Cyber risk is now a board-room topic in both business and government. With ransomware attacks rising faster than many defenders expected, leaders must weigh investment in prevention, response, and recovery capability. The real question for 2026: are organizations acting early enough?
🔎 Deep Brief
Ransomware attacks and trends from 2025

Ransomware continued to grow in 2025 with more than 7,400 attacks recorded worldwide, a roughly 32 percent increase from 2024. Confirmed incidents alone accounted for more than 1,100 events and nearly 60 million records exposed. Businesses were the most targeted group, followed by government and healthcare. Manufacturing saw a dramatic rise in attacks and average ransom demands soared, more than doubling from the previous year. Legal firms also faced significantly more threats and higher ransom demands. The most prolific ransomware groups included Qilin, Akira, Clop, Play and SafePay. The United States remained the top targeted country, with over half of all attacks recorded there. Though average ransom demands across all attacks fell compared with 2024, attackers still extracted large amounts of data, with tens of petabytes claimed stolen overall. These figures indicate that ransomware remains a persistent threat with shifting sectoral focus and evolving actor behavior.
Takeaway
Attack volume keeps rising even as average ransom demands dip, underlining that attackers are focused on broad impact, not just big payoffs.
🧠 Strategy in Action
AI-driven cybersecurity for USAF networks
General Dynamics Information Technology (GDIT) has been awarded a $120 million task order to deploy an artificial intelligence-enabled cybersecurity platform across 187 US Air Force bases globally. The solution is part of the Air Force’s Next Generation Gateway programme and uses a zero trust digital architecture designed to protect data at all classification levels. The initiative will cover more than one million users worldwide and includes automated threat detection and response capabilities.
Zero trust means that every user and device must be continuously authenticated before being granted access to any network resource. This move aligns with the Department of Defense mandate to implement zero trust controls across its enterprise by 2027. The project shows how large organisations with complex networks can use AI and zero trust principles to increase resilience against increasingly sophisticated adversaries.
Takeaways:
Large, complex organizations can apply zero trust at scale when it is paired with AI-driven monitoring and automated response. Continuous verification of users and devices, rather than perimeter-based trust, is becoming the standard model for defending mission-critical networks.
🕵️ Threat Actor Spotlight
Molerats Group
Molerats is a threat group known for politically motivated operations, active since at least 2012. The group’s activity spans the Middle East, Europe, and the United States. Its campaigns often use phishing, malicious scripts, and tools to gain initial access and persistence. Tactics include delivery of malicious attachments or links, use of scripting interpreters like PowerShell, and collection of credentials from local systems. The group employs a range of techniques to maintain a foothold in compromised environments and gather information from victims. Analysts classify Molerats as a persistent, adaptable actor with a focus on targeted intelligence collection.
🛠️ Tool Check
Self-service password reset tools review
Comparitech’s review of self-service password reset tools compares several solutions that help organizations reduce help desk load and improve security. These tools allow users to reset forgotten passwords securely without IT staff involvement. They typically include options such as multi-factor verification, self-enrolment portals, and integration with directories like Active Directory.
Strong features to look for include risk-based authentication, support for mobile devices, and audit logging. Some tools provide advanced security checks such as biometric verification or one-time codes via email or SMS. These features help reduce account lockouts and support stronger identity management across enterprise environments.
🗣️ Community Signal
“Globally we’re facing a fact: our cyber analysts are overwhelmed by threat. They are overwhelmed by complexity and volume. You know that we are every day facing new types of attacks, but also a lot of volumes, a lot of very high, intensive attacks. So AI would be one of the key technologies to help our cyber analysts. For example, as a kind of new type of attack, we have more and more, you know, machine speed attacks. So you know, everybody knows about ransomware. Ransomware is not new, but the number of ransomware is increasing. But there are also other types of machine speed attacks. So we definitely need to have AI embedded into cybersecurity to face this machine speed attack.”
Luis Delabarre
Until Friday’s edition - Let’s keep that zero-day count at zero!