Ransomware in 2025 reached a historic paradox: law enforcement notched some of its biggest victories against cybercriminals, yet the world endured more attacks, more disruption, and more victims than ever before. Instead of killing ransomware, the takedowns helped transform it—away from a few powerful “brands” and toward a fragmented, industrial-scale ecosystem that is harder to eradicate and increasingly focused on damage rather than profit.
At the same time, separate developments underscored how broad the cyber threat landscape has become. China-linked espionage campaigns reportedly penetrated U.S. government email systems, while an IDHS (Illinois Department of Human Services) breach exposed the data of roughly 700,000 people, highlighting that both state-backed spying and criminal extortion now coexist as routine features of modern geopolitics and public administration.
This article examines how we arrived at a world with 8,000+ ransomware victims in a year, why taking down crime empires did not stem the tide, and what the China–US email hack and IDHS breach tell us about the widening scope of digital risk.
—
The Numbers: A Record-Breaking Year for Ransomware
By every major metric, 2025 was the worst year on record for ransomware:
– 8,000+ claimed ransomware victims worldwide in 2025, up from about 5,400 in 2023. The cited estimates put the two-year increase at 53–63%, which implies a 2025 count in the 8,300–8,800 range rather than just over 8,000.
– 4,701 confirmed ransomware incidents from January to September 2025 alone, a 34% year‑over‑year jump compared with the same period in 2024.
– By mid‑2025, 520–540 new victims per month were being listed on dark‑web leak sites, roughly one organization every 80 minutes.
These figures only capture cases that became public or were observed on extortion “shaming” sites. Security researchers, Emsisoft among them, emphasize that many victims never appear in these counts, either because they quietly pay, recover without paying, or choose to keep incidents confidential to avoid reputational harm.
The raw frequency of attempts also climbed into the realm of automation:
– Global estimates put attempted ransomware attacks in the thousands per day; at that rate a new attack begins somewhere in the world every ten seconds to every minute.
– Projections suggest that, if current trends persist, the pace could reach one attack every two seconds by 2031.
Ransomware is no longer occasional, opportunistic crime. It is a continuous, industrialized process, driven by automated scanning, commoditized access, and specialization across the criminal supply chain.
—
A Fragmented Threat: From Mega-Gangs to Swarms of Crews
One might expect such numbers to reflect unchecked growth of a few giant criminal “brands.” Instead, 2025 told a different story: some of the biggest names were dismantled—yet the total threat expanded.
Reports from Emsisoft, TechRadar Pro, and others highlight several major developments:
– High-profile takedowns and shutdowns: Operations such as BlackSuit, RansomHub, BianLian, and Hunters International were disrupted or dismantled, or went dark, in 2024–2025 as a result of law enforcement campaigns and internal turmoil.
– Explosion in active groups: The number of identifiable ransomware crews increased from around 70 in 2023 to between 126 and 141 by late 2025.
– Shift from dominance to fragmentation: Instead of a small set of dominant gangs, the ecosystem now features dozens of mid‑tier and small operations—Qilin, Cl0p, Play, Akira, Safepay, Everest, INC Ransom and many more—constantly popping up, disappearing, and reappearing under new names.
This is the ransomware paradox in action. Law enforcement destroyed key infrastructure and brands, but not the underlying workforce, skills, or criminal market. Affiliates and developers simply regrouped, rebranded, or moved to new partnerships. The result is an ecosystem that is more chaotic, more distributed, and more resilient to traditional “kingpin” strategies.
In practical terms:
– Takedowns damaged central command-and-control and payment channels, but the people—developers, affiliates, initial access brokers—remained active.
– These actors rely on Ransomware-as-a-Service (RaaS) models, trading a corporate-like hierarchy for a loosely coupled marketplace where tools, access, and services are rented or sold.
– The barrier to entry for would‑be attackers dropped, enabling a wave of smaller, less sophisticated but still dangerous crews to join the field.
Rather than a single hydra with a few heads, defenders now face a swarm of smaller hydras, each easier to stand up, harder to track, and readily replaceable.
—
It Pays Less—but Hurts More
Another striking paradox of 2025: attack volumes surged while ransomware became less profitable for criminals.
DeepStrike’s global analysis shows several key economic shifts:
– The ransom payment rate fell to roughly 25–30% in 2025, down from about 41% in 2024 as a whole; individual quarters in late 2024 and Q3 2025 dipped as low as 23–25%.
– Total ransomware revenue dropped by more than one-third year‑over‑year, despite the rise in attacks.
– At the same time, the average cost of an incident for victims—excluding the ransom—reached $5–6 million, driven by business interruption, forensic investigations, legal expenses, and remediation efforts.
– Organizations faced 24–27 days of downtime on average per successful attack—three to four weeks of disruption, even when no ransom was paid.
This cost asymmetry is central to the new ransomware landscape. On one side, law enforcement, regulation, and better cyber insurance guidance have pushed many organizations away from paying. On the other, attackers compensate by maximizing disruption and data theft, ensuring that each attack, even unpaid, inflicts serious pain.
Key consequences:
– Attackers no longer rely solely on encryption. They pair or replace it with data theft and extortion, threatening to leak sensitive information unless paid.
– The fallback strategy is to inflict lasting operational damage, hoping that even if one victim refuses to pay, the spectacle of disruption will coerce others.
– For targeted organizations, the question “Should we pay?” now competes with “Can we absorb weeks of downtime, legal exposure, and reputational harm?”
In short, while ransomware is less lucrative per incident, it is more destructive per incident, and attackers are increasingly treating disruption itself as leverage.
—
Sectors Under Siege: Healthcare and Critical Infrastructure
Among the sectors hit hardest in 2025, healthcare stands out as a prime target.
BlackFog’s September 2025 snapshot illustrates this clearly:
– In that month alone, there were 85 publicly disclosed ransomware attacks, up 27% from September 2024.
– Healthcare accounted for 26 of those incidents, making it the single most targeted sector.
– Manufacturing ranked second with 10 incidents, underscoring that operationally critical industries are at the center of the threat landscape.
Why healthcare?
– Hospitals and clinics operate on thin margins for downtime—every hour of disruption affects patient care, safety, and trust.
– They hold highly sensitive data: medical histories, Social Security numbers, insurance details, and identity documents—valuable both for extortion and resale.
– Many healthcare providers struggle with legacy systems, fragmented IT, and limited cybersecurity budgets, making them relatively attractive targets.
Similarly, manufacturing, education, and government entities have become high-value victims due to their operational dependence on IT and complex, often under-protected environments.
Each attack in these sectors has cascading impacts: canceled surgeries, factory downtime, delayed benefits, compromised student data. This turns ransomware from a purely financial crime into a public safety and public trust issue.
—
Automation and the Criminal Supply Chain
The speed and scale of modern ransomware would not be possible without industrialized automation and specialization.
DeepStrike and other reports outline how the ecosystem now functions:
– Botnets and automated scanners continuously probe the internet for vulnerable systems—unpatched VPNs, misconfigured servers, exposed RDP endpoints.
– Initial Access Brokers (IABs) specialize in obtaining footholds in target networks, then selling that access to ransomware operators and affiliates.
– Ransomware kits, data exfiltration tools, and obfuscation utilities are bought, rented, or subscribed to on underground markets, dramatically lowering the technical bar required to launch an attack.
– Affiliates handle phishing, lateral movement, and deployment, often using playbooks and support from core ransomware developers.
This division of labor means that:
– A relatively inexperienced actor can buy access and tools, then launch credible ransomware campaigns at scale.
– Criminals can pivot quickly when law enforcement targets a particular toolkit or infrastructure, simply switching providers or brands.
– Attack frequency scales almost linearly with available infrastructure—leading to the current thousands‑per‑day cadence and projections of one attack every two seconds within a decade.
In effect, ransomware is becoming a service industry with its own supply chain, making it structurally difficult to dismantle through isolated arrests or infrastructure seizures.
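The automated probing of exposed RDP endpoints described above leaves a recognizable trace in Windows Security logs. As an added example (not code from the article or from any of the reports it cites), the Python script below shows one way a defender can spot it: it reads a simplified, constructed export of Security events (ID 4625 failed logon, ID 4624 successful logon, LogonType 10 for RDP), groups failures by source IP, distinguishes a password spray (many usernames from one source) from a single-account brute force, and escalates when a success from the same source follows the burst. The event format, the sample addresses (taken from documentation ranges) and the thresholds are assumptions chosen for illustration.

```python
"""Flag automated RDP password spraying / brute force from Windows Security events.
Added example with constructed sample events (not real telemetry)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line:
# timestamp,EventID,LogonType,TargetUserName,IpAddress
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as stand-ins.
SAMPLE_LOG = """\
2025-09-14T02:14:05Z,4625,10,Administrator,203.0.113.7
2025-09-14T02:14:09Z,4625,10,admin,203.0.113.7
2025-09-14T02:14:13Z,4625,10,root,203.0.113.7
2025-09-14T02:14:18Z,4625,10,backup,203.0.113.7
2025-09-14T02:14:22Z,4625,10,helpdesk,203.0.113.7
2025-09-14T02:14:27Z,4625,10,sysadmin,203.0.113.7
2025-09-14T02:14:31Z,4625,10,test,203.0.113.7
2025-09-14T02:14:36Z,4625,10,guest,203.0.113.7
2025-09-14T02:15:40Z,4625,10,scanner,203.0.113.7
2025-09-14T02:16:20Z,4625,10,jsmith,203.0.113.7
2025-09-14T02:16:40Z,4624,10,jsmith,203.0.113.7
2025-09-14T02:20:00Z,4625,10,jsmith,198.51.100.20
2025-09-14T02:20:30Z,4625,10,jsmith,198.51.100.20
2025-09-14T02:21:00Z,4624,10,jsmith,198.51.100.20
2025-09-14T02:25:00Z,4625,3,svc_backup,10.0.0.5
"""


def parse_events(text: str) -> list:
    """Parse the constructed CSV-style export into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user.lower(),   # account names are case-insensitive
            "ip": ip,
        })
    return events


def detect_rdp_attacks(events: list, window: timedelta = timedelta(minutes=5),
                       fail_threshold: int = 8, spray_users: int = 4) -> list:
    """Return one alert per source IP whose RDP failures inside any `window`
    reach `fail_threshold`. Many distinct usernames in that burst indicates
    password spraying; a 4624 from the same IP at or after the burst start
    indicates a likely compromised account. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == 10:          # RemoteInteractive (RDP) only
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        best_count, best_users, burst_start = 0, set(), None
        for i, first in enumerate(fails):  # densest window starting at each failure
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(in_window) > best_count:
                best_count = len(in_window)
                best_users = {f["user"] for f in in_window}
                burst_start = first["ts"]
        if best_count < fail_threshold:
            continue
        compromised = sorted({e["user"] for e in evs
                              if e["event_id"] == 4624 and e["ts"] >= burst_start})
        alerts.append({
            "ip": ip,
            "failures": best_count,
            "distinct_users": len(best_users),
            "kind": "password_spray" if len(best_users) >= spray_users else "brute_force",
            "success_after_burst": bool(compromised),
            "compromised_accounts": compromised,
            "severity": "critical" if compromised else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample only 203.0.113.7 is flagged: ten failures across ten usernames in under three minutes, followed by a successful logon as jsmith, which is exactly the "bought access" pattern an initial access broker would be selling on. The two failures from 198.51.100.20 stay below the threshold and read as a user mistyping a password, and the LogonType 3 event is ignored because it is not RDP.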
—
Beyond Ransomware: Espionage and the IDHS Breach
While ransomware captured headlines in 2025, it was not the only cyber threat reshaping risk for governments and citizens.
China-Linked Hacking of U.S. Government Emails
SecurityWeek’s “In Other News” coverage highlights a China-linked cyber operation that compromised U.S. government email accounts, adding to a series of strategic espionage campaigns attributed to Chinese state-backed actors.
Although public technical details are limited, the pattern fits broader trends:
– State-aligned groups are increasingly targeting cloud-based email systems and identity infrastructure, seeking sensitive communications and long-term access.
– Such operations aim less at immediate disruption and more at intelligence gathering, diplomatic advantage, and strategic insight into Western policy thinking.
The contrast with ransomware is stark: while criminal groups focus on extortion and disruption, state-backed operators prioritize stealth and persistence. Yet from a defender’s perspective, both often exploit the same weaknesses—identity, misconfigurations, and unpatched software.
IDHS Breach: 700,000 People Affected
The same SecurityWeek roundup notes that a breach at the Illinois Department of Human Services (IDHS) impacted roughly 700,000 individuals, exposing sensitive personal information.
Public reporting indicates that:
– The compromised data likely included names and other personally identifiable information, and potentially health- or benefits-related data, given IDHS’s mission.
– The incident underscores that state agencies, which manage large volumes of citizen data, are increasingly attractive targets for both ransomware crews and data thieves.
Even when a government entity is not hit with ransomware encryption, data‑centric breaches at agencies like IDHS carry serious consequences:
– Long‑term risk of identity theft and fraud for affected individuals.
– Loss of public trust in critical social services.
– Mandatory notification, remediation costs, and potential regulatory scrutiny—burdens similar in scale to ransomware response.
Taken together, the China-linked email hacking and the IDHS breach illustrate a broader reality: cyber risk is no longer confined to private enterprise. It is an integral part of national security, social welfare, and public administration.
—
Why “Taking Down the Bad Guys” Isn’t Enough
The events of 2025 challenge a common assumption in cyber policy: that disrupting major gangs will substantially reduce overall harm.
Evidence from the past two years suggests otherwise:
– Takedowns remove infrastructure, not capacity. Developers, affiliates, and access brokers often evade arrest and rapidly reconstitute under new brands.
– Fragmentation increases resilience. A landscape with 130+ groups is harder to monitor and infiltrate than one dominated by a dozen mega‑gangs.
– Economic incentives adapt. As ransom payments fall, attackers pivot to data theft, multi‑extortion, and highly disruptive operations, keeping the pressure on victims despite reduced revenue.
– Automation amplifies volume. As long as initial access and tooling are commoditized, new entrants can fill any gap left by dismantled groups.
Law enforcement campaigns remain essential, but 2025 shows that they cannot, on their own, suppress ransomware at scale. Instead, they must be part of a broader strategy that includes:
– Hardening of basic cyber hygiene at scale (patching, MFA, segmentation, backup resilience).
– Disruption of the criminal supply chain, including IABs and money laundering networks.
– Regulatory and insurance frameworks that reduce incentives to pay ransoms and mandate minimum security baselines.
– International coordination to tackle both financially motivated groups and state-backed actors targeting email and critical government systems.
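Of the hygiene items listed above, backup resilience is the one where a worked check helps most, because a backup that was silently encrypted or emptied is usually discovered only at restore time. The Python below is an added example, not code from the article or from any organization it mentions: it builds a SHA-256 manifest of a backup tree, later re-verifies the tree against that manifest, and classifies findings as missing, modified, modified with ciphertext-like entropy, or unexpected (a dropped ransom note, for instance). The manifest location, the 7.5 bits-per-byte entropy threshold and the constructed sample files are assumptions for illustration; in practice the manifest itself must be stored where the backup host cannot write to it.

```python
"""Verify that a backup set still matches its manifest and flag files that
look encrypted. Added example with constructed sample data."""
import hashlib
import math
import os
import tempfile


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(root: str) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest.
    Assumption: the returned manifest is kept off the backup host, read-only."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def verify_backup(root: str, manifest: dict, entropy_threshold: float = 7.5) -> list:
    """Return sorted (relative_path, finding) pairs; an empty list means the tree is intact.
    Findings: missing, modified, modified_high_entropy (looks encrypted), unexpected.
    The threshold is a heuristic: ciphertext and compressed data sit near 8.0,
    text and most office documents well below."""
    findings = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != expected:
            looks_encrypted = shannon_entropy(data) >= entropy_threshold
            findings.append((rel, "modified_high_entropy" if looks_encrypted else "modified"))
    for dirpath, _, files in os.walk(root):   # files the manifest never saw, e.g. ransom notes
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                findings.append((rel, "unexpected"))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: a clean backup is manifested, then the share is hit."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "records.csv"), "w") as f:
            f.write("id,name,benefit\n1,A. Example,SNAP\n2,B. Example,TANF\n" * 50)
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("quarterly reconciliation notes\n")
        manifest = build_manifest(root)
        assert verify_backup(root, manifest) == []      # untouched tree verifies clean
        # Simulated attack: one file overwritten with ciphertext-like bytes (a uniform
        # byte distribution stands in for real ciphertext), one file deleted, and a
        # ransom note dropped into the share.
        with open(os.path.join(root, "records.csv"), "wb") as f:
            f.write(bytes(range(256)) * 16)
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "README_RESTORE.txt"), "w") as f:
            f.write("your files are encrypted\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:22s} {rel}")
```

Running the verification on a schedule, from a host that only reads the backup share, turns "we have backups" into "we have backups we have recently proven restorable and untouched", which is the property that decides whether the 24–27 days of downtime cited earlier becomes hours instead.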
Ransomware has evolved from an enterprise-focused extortion scheme into a systemic, global disruption engine. In parallel, espionage and data theft campaigns—whether from state-backed groups or criminal gangs—continue to erode privacy and national security. The events tied together in 2025—8,000+ ransomware victims, China-linked hacks of U.S. government email, and a 700,000-person IDHS breach—are not separate stories, but different faces of the same underlying reality: a digital environment where compromise has become commonplace.
The paradox of 2025 is that law enforcement is winning battles while society is still losing the war. Bridging that gap will require treating cyber risk not as a series of isolated incidents, but as a structural, long-term problem in how we design, operate, and govern the systems that underpin modern life.
—
