Ransomware Groups Are Multiplying, Raising the Stakes for Defenders

The threat landscape is shifting rapidly, with ransomware activity experiencing a significant surge in recent months. A new mid-year report from Searchlight Cyber reveals that the number of victims and the number of groups launching attacks are on the rise.

According to the report, ransomware groups listed 3,734 victims on their public extortion sites between January and June. That is a 20% increase over the second half of 2024 and a 67% jump compared to the same period last year. The growth in ransomware activity has been steady since early 2023, driven by the rise of the Ransomware-as-a-Service (RaaS) model.

This model allows core groups to scale without carrying out every attack themselves. By renting their tooling to affiliates, the core operators multiply the number of actors using it and spread the risk of each individual attack. Most of the top five ransomware groups in the report operate under this model, which helps explain why the victim count keeps growing even when individual groups go quiet or shut down.

The report tracked 88 active ransomware groups in the first half of 2025, up from 76 in late 2024. Of these, 35 were entirely new groups with no previous activity. This constant turnover makes it hard for defenders to track threats and attribute attacks to specific threat actors.

Groups often break apart, merge, or rebrand, and affiliates frequently switch from one group to another. Even when a group disappears, its members rarely leave the ransomware world for good. The report highlights that these shifts are happening faster, which increases the complexity of defending against attacks and attributing them to specific threat actors.

"The shifting landscape is also affecting the way ransomware attacks play out," said Luke Donovan, Head of Threat Intelligence at Searchlight Cyber. "Ransomware groups have identified that the effectiveness of encrypting a victim's content is no longer as effective as it once was. Improved backup and restoration capabilities are having an impact on the battle."

Donovan added that while this is an evolution rather than a complete change, it reinforces the need for strong detection capabilities. "The shift in how organizations deal with this changing ransomware TTP has not been seismic," he said. "Double extortion ransomware attacks have always had an onus on exfiltration. Nevertheless, it does emphasize the ongoing requirement to continuously monitor for early detection of initial access, lateral movement, and the exfiltration of content."

The Rise of Initial Access Brokers

Another key factor contributing to the surge in ransomware activity is the rise of Initial Access Brokers (IABs). These individuals sell network access on underground forums, allowing ransomware groups to bypass the time and effort required to gain initial entry on their own.

"In February, an initial access broker posted onto a hacking forum access to an organization named Alcott HR Group," said Donovan. "Eighteen days later, the Play ransomware group posted onto their extortion site the victim identified in the hacking forum post."

The Impact on Defenders

"With proactive monitoring it may have been possible to have picked up the post, an investigation could have been conducted, and security measures implemented, thus reducing the likelihood of a ransomware attack or any unauthorized access from occurring," said Donovan. "Intelligence on initial access broker activity enables indicators and warnings to be identified. This helps pre-empt, detect, or disrupt threat actors earlier, breaking the cyber kill chain as early as possible and reducing the likelihood of the threat actor achieving their objective."

The Importance of Patching

Many of the most active ransomware groups continue to rely on unpatched vulnerabilities to gain initial access to target networks. The report lists several major vulnerabilities exploited this year, including those affecting popular enterprise software and network devices.

"These vulnerabilities are often leveraged quickly, sometimes before patches are released," said Donovan. "That speed puts extra pressure on security teams to identify exposed systems and patch them as fast as possible."
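The last two sections come down to one defensive task: find the systems that are still running a version with a known-exploited flaw and fix the exposed ones first. The following is an added example, not code from the article or from Searchlight Cyber, of how a small patch-prioritisation pass can be written. The asset inventory, the product names and the vulnerability identifiers (`VULN-PLACEHOLDER-*`) are all constructed placeholders; the only assumption about input is that versions are dotted numeric strings.

```python
"""Rank unpatched, exposed systems against a known-exploited list.

Added example with constructed sample data: the assets, product names and
VULN-PLACEHOLDER ids below are placeholders, not real products or CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class ExploitedVuln:
    vuln_id: str            # placeholder identifier
    product: str
    fixed_in: str           # first version that contains the fix
    exploited_in_wild: bool # whether active exploitation has been reported


def parse_version(v: str) -> tuple:
    """Turn '9.1.0' into (9, 1, 0). Assumes dotted numeric versions."""
    return tuple(int(p) for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; '9.1' and '9.1.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))      # pad short versions with zeros so
    pb += (0,) * (width - len(pb))      # (9,1) is not treated as older than (9,1,0)
    return pa < pb


def is_vulnerable(asset: Asset, vuln: ExploitedVuln) -> bool:
    """An asset is affected if it runs the product at a version before the fix."""
    return asset.product == vuln.product and version_lt(asset.version, vuln.fixed_in)


def risk_score(asset: Asset, vuln: ExploitedVuln) -> int:
    """Simple additive score: exploited-in-the-wild and internet exposure each add 2."""
    score = 1
    if vuln.exploited_in_wild:
        score += 2
    if asset.internet_facing:
        score += 2
    return score


def prioritise(assets, vulns):
    """Return affected (host, vuln) pairs, highest risk first, ties by host then id."""
    findings = []
    for asset in assets:
        for vuln in vulns:
            if is_vulnerable(asset, vuln):
                findings.append({
                    "host": asset.host,
                    "vuln": vuln.vuln_id,
                    "fixed_in": vuln.fixed_in,
                    "score": risk_score(asset, vuln),
                })
    findings.sort(key=lambda f: (-f["score"], f["host"], f["vuln"]))
    return findings


# Constructed sample inventory and exploited-vulnerability list.
SAMPLE_ASSETS = [
    Asset("vpn-edge-1", "ExampleVPN", "9.1.0", internet_facing=True),
    Asset("file-srv-2", "ExampleVPN", "9.1.0", internet_facing=False),
    Asset("app-3", "ExampleCMS", "4.2.0", internet_facing=True),   # already fixed
    Asset("hr-4", "ExampleCMS", "4.1.3", internet_facing=True),
]
SAMPLE_VULNS = [
    ExploitedVuln("VULN-PLACEHOLDER-1", "ExampleVPN", "9.2.0", exploited_in_wild=True),
    ExploitedVuln("VULN-PLACEHOLDER-2", "ExampleCMS", "4.2.0", exploited_in_wild=False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_ASSETS, SAMPLE_VULNS):
        print(f"{f['score']}  {f['host']:<12} {f['vuln']}  patch to {f['fixed_in']}")
```

Run against the constructed data, the internet-facing VPN host with an actively exploited flaw lands at the top, the internal host running the same version comes next, and the CMS host already on the fixed version produces no finding. In practice the asset list would come from an inventory or scanner export and the vulnerability list from a known-exploited feed; the scoring is deliberately coarse and is the part a team would tune to its own exposure.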