Ransomware attacks have surged dramatically in the first half of 2025, with US-based organisations and small to medium-sized businesses shown to be bearing the brunt of the onslaught, according to new data from cybersecurity firm NordStellar.

Between January and June 2025, 4,198 ransomware incidents were exposed on the dark web, marking a staggering 49% increase over the 2,809 cases reported during the same period in 2024.

“We’re only halfway into the year, and the number of ransomware attacks has already doubled,” said Vakaris Noreika, cybersecurity expert at NordStellar. “This trend suggests these attacks remain effective and profitable enough for cybercriminals to intensify their operations.”

The United States remains the prime target, accounting for 49% of attacks in the second quarter of 2025. In total, 1,758 ransomware incidents were documented on the dark web – 19% more than in Q2 2024 – with other affected countries including Germany, Canada, the United Kingdom, and Spain.

“U.S. companies are often higher-profile and potentially more willing to pay ransoms to mitigate reputational damage,” said Noreika. “Strict data protection regulations may also pressure organisations to resolve incidents quickly to avoid hefty fines and the erosion of customer trust.”

SMBs and companies in the manufacturing industry suffer the most successful attacks, as these firms often struggle with outdated systems from third-party IT providers and decentralized infrastructure, and lack robust in-house cybersecurity.

The Qilin ransomware group led the list of most active attackers in Q2, accounting for 214 incidents. Safepay and Akira closely followed with 201 and 200 attacks respectively. Safepay, a relatively new player first identified in late 2024, saw a sharp spike in activity during May, with 158 reported incidents.

With cyber threats escalating, Noreika emphasised the critical role of employees in preventing ransomware incidents and advocated for regular training on phishing, multi-factor authentication, and strong password practices.

“A well-rounded cybersecurity strategy is essential,” he added, recommending endpoint protection, dark web monitoring, and regular patching of vulnerabilities. He also stressed the importance of maintaining up-to-date data backups and having a tested recovery plan in place.

“Being proactive is key – companies must assume they could be targeted at any time and prepare accordingly,” said Noreika.