Ransomware victims and threat groups have reached an ‘all-time high’

Ransomware victims and threat groups have reached an ‘all-time high’

New annual report from GuidePoint’s Research and Intelligence Team (GRIT) reveals a 40% YoY increase in active threat groups as cybercrime ecosystem evolves.

GuidePoint Security has released the GuidePoint Research and Intelligence Team’s (GRIT) annual Ransomware & Cyber Threat Report.

The report offers exclusive in-depth research, insights and analysis on the evolving ransomware ecosystem, exploring who cybercriminals are targeting (and why), the top tactics threat actors are using and what the future may hold for emerging ransomware groups in 2025.

“The GRIT 2025 Ransomware & Cyber Threat Report reveals the resilience and persistence of the ransomware-as-a-service (RaaS) model, highlighting the difficulty of disrupting it,” said Jason Baker, Lead Threat Analyst, GuidePoint Security.

“From major law enforcement disruptions to group shakeups and new behavior patterns, 2024 was at times a chaotic year for threat actors – yet ransomware activity and new groups continue to proliferate. Well-resourced defenders, active vulnerability management, attack surface awareness and actionable intelligence remain critical to mitigating information security risks in 2025.”

Noteworthy findings from this year’s report include:

  • A record high of ransomware victims, with 1,600+ ransomware victims in Q4 2024 alone—the largest number recorded in a single quarter since the report’s inception.
  • A 40% YoY increase in active threat groups, illustrating a continually developing threat landscape. GRIT identified 88+ total active threat groups in 2024, including 40 newly observed adversaries.
  • An average of 93 ransomware victims were posted per week on the dark web. RansomHub claimed the largest number of victims in 2024, displacing LockBit as the most active ransomware group for the first time since 2021.
  • The United States remains a top geographic target for ransomware attacks. In 2024, more than half (52%) of ransomware victims were based in the US.
  • An average of 110 Common Vulnerabilities and Exposures (CVEs) published per day, underscoring the overwhelming volume and velocity of information which cybersecurity teams are facing. Almost 40,000 CVEs were reported in 2024, a 43% increase from 2023.
  • Nearly 44% of vulnerabilities were rated “High” or “Critical” severity. However, threat actors continue to rely on historical vulnerabilities from preceding years.
  • The Manufacturing industry was most heavily impacted by ransomware, followed by the Technology and Retail/Wholesale industries. Interestingly, despite several high-profile attacks in 2024, the Healthcare sector dropped out of the top three most affected industries by the end of the year.

“Throughout the year, we also witnessed multiple instances of significant international law enforcement operations that dealt heavy blows to various threat actors and their infrastructures,” Baker said.

“While the fight is far from over, the enduring effects of these law enforcement campaigns suggest that we’re developing more effective and sustainable strategies to combat our adversaries—and we anticipate continued progress in 2025.”

The report also explores the impacts of ransomware on critical infrastructure, examines threat actor deception and misinformation efforts in 2024 and examines major ransomware events throughout the year, including the continued fallout from Operation Cronos.

Browse our latest issue

LATAM English

View Magazine Archive