Ransomware Attacks Surge by 49% in 2025, Targeting SMBs

Ransomware attacks have surged dramatically in 2025, with a staggering 49% increase noted in the first half of the year. Data compiled by NordStellar, a threat exposure management platform, indicates that the total number of ransomware incidents has nearly doubled compared to 2024. In the first six months of this year, there were 4,198 ransomware cases reported on the dark web, significantly up from 2,809 in the previous year.

This alarming rise in cybercrime predominantly affects small and medium-sized businesses (SMBs) in the United States, where they accounted for 49% of all cases in the second quarter of 2025. The manufacturing sector also faces substantial risks, highlighting the urgent need for robust cybersecurity measures.

Key Trends and Victim Profiles

The data reveals that from April to June 2025, the number of ransomware cases reached 1,758, marking a 19% increase from the same period in 2024. Among the 1,205 incidents traced to specific countries, US businesses suffered the most, with 596 incidents. Germany followed with 84 cases, while Canada, the United Kingdom, and Spain reported 74, 40, and 37 cases, respectively.

According to Vakaris Noreika, a cybersecurity expert at NordStellar, “The victim profile mirrors the data from 2025 Q1, as SMBs and companies in the manufacturing industry remain the prime targets. This is a significant cause for concern because bad actors continue to exploit preventable security vulnerabilities.”

The manufacturing sector recorded 229 incidents in Q2, with the construction industry at 97 and information technology at 88. SMBs, particularly those with 51 to 200 employees and revenues ranging from $5 million to $25 million, have become the primary targets.

Noreika emphasizes that these businesses often struggle to maintain comprehensive cybersecurity measures due to limited budgets and reliance on outdated technology. “They frequently depend on third-party IT providers and lack the resources to implement effective security protocols, making them vulnerable to attacks,” he noted.

Attackers and Response Strategies

The ransomware group Qilin emerged as the most active perpetrator in Q2 2025, responsible for 214 incidents. Following closely were Safepay with 201 incidents and Akira with 200. Noreika mentions that Safepay, which was first detected by NordStellar in Fall 2024, significantly ramped up their activities in May 2025, accounting for 158 attacks alone.

To combat this growing threat, Noreika advises businesses to prioritize cybersecurity training for employees. “Educating staff about phishing scams, the importance of multi-factor authentication, and effective password management is crucial in reducing the risk of unauthorized access to sensitive data,” he stated.

Additionally, companies are encouraged to develop comprehensive cybersecurity strategies that include threat detection systems, monitoring for potential data leaks on the dark web, and constant assessments of their attack surfaces for unpatched vulnerabilities.

To mitigate potential ransomware impacts, businesses should implement recovery plans and ensure that critical data is regularly backed up. “Staying two steps ahead is vital in today’s cyber landscape,” Noreika concluded.

The rise in ransomware attacks underscores the pressing need for organizations, particularly SMBs, to bolster their cybersecurity measures and adapt to an evolving threat landscape.