
Searchlight Cyber Report: Ransomware Groups Claimed Record Number of Victims in 2025 with 30% Annual Increase

New research also reveals the number of active ransomware groups reached an all-time high in the second half of 2025.

PORTSMOUTH, UNITED KINGDOM, February 17, 2026 /EINPresswire.com/ -- Searchlight Cyber has published its latest ransomware report based on dark web intelligence, providing a comprehensive analysis of the ransomware ecosystem throughout 2025. The report, titled “Ransomware’s Record Year: Tracking a Volatile Landscape in H2 2025,” reveals that ransomware groups listed a record 7,458 victims on dark web leak sites in 2025, representing a significant 30% increase compared to 2024.

This annual data demonstrates a persistent and growing threat, despite a marginal 0.24% decline in victims in the second half of the year compared to the first. Searchlight researchers also tracked a record-breaking 93 active ransomware groups in H2 alone, with 2025 seeing the highest number of brand-new groups emerging on the dark web.

The research also identified:

● A more complex and fragmented landscape: 2025 saw 124 active groups in total, more than any previous year recorded. 73 new ransomware groups were identified across 2025, with 38 appearing in the second half of the year alone.
● The increasing velocity of victimization: On an annual basis, the growth rate of victims more than doubled, from a 12% increase in 2024 to 30% in 2025.
● The rise of Qilin: Qilin dominated the landscape as the most prolific group, marking a staggering 420% year-over-year increase in victims.
● The emergence of "Supergroups": The report tracks the formation of high-profile collaborations, such as Scattered Lapsus$ Hunters, where threat actors pool specialized talents to scale operations.
● AI as a catalyst: Artificial Intelligence is lowering the barrier to entry, allowing new groups to automate malware development and conduct hyper-personalized social engineering.

Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, commented: “2025 was a record year for ransomware, driven by a professionalized ecosystem that remains devastatingly effective despite increased pressure from global law enforcement. While we saw a very slight dip in victim numbers in the second half of the year, this should not be interpreted as a victory. The landscape continues to fragment; large monolithic syndicates are fracturing into smaller, agile cells, and with the number of active groups at an all-time high, the threat landscape has become more complex and difficult to track than ever before.”

Shifting Tactics and Top Players

The report outlines a shifting leaderboard for the top five most prolific ransomware groups by victim count in H2 2025:
1. Qilin (697 victims)
2. Akira (384 victims)
3. IncRansom (213 victims)
4. Sinobi (180 victims)
5. Play (164 victims)

Qilin surged to the top in the second half of the year from its previous third-place spot, with spikes in victims in October and December following an announced coalition with the Dragonforce and LockBit groups. Meanwhile, newcomers like Sinobi have surged into the top rankings within months of their debut, utilizing a disciplined Ransomware-as-a-Service (RaaS) structure.

Searchlight’s analysis highlights that ‘Shadow Exposure’ in third-party software remains a critical vulnerability. Threat actors are increasingly weaponizing vulnerabilities in software supply chains faster than patch cycles can keep up.

The report emphasizes the necessity of preemptive approaches to defend against ransomware, detailing methods to combat the Initial Access Broker (IAB) ecosystem and identify sensitive data in third-party ransomware leak files before an attack is deployed.

Luke Donovan commented: “In the high-stakes game of ransomware in 2026, the only way to truly win is to ensure you aren't an eligible target in the first place. Offensive law enforcement operations are vital, but our data shows they cannot be the only solution. Organizations must adopt a preemptive strategy, maintaining visibility and mitigating exposures to neutralize threats before they escalate into full-blown attacks.”

About Searchlight Cyber:

Searchlight Cyber was founded in 2017 with a mission to stop criminals from acting with impunity. With its pioneering Preemptive Threat Exposure Management (PTEM) offering, Searchlight helps organizations identify exposures and neutralize threats before attacks begin. Searchlight unifies leading Attack Surface Management, dark web intelligence, and risk management tools to help organizations separate the signal from the noise and prioritize the threats that matter. It is used by some of the world’s largest enterprises, government and law enforcement agencies, and the managed security service providers at the forefront of protecting customers from external threats.

Sonia Awan
Outbloom Public Relations
soniaawan@outbloompr.net
