Security researchers observed a 30% annual increase in ransomware victims listed on extortion sites last year, with AI helping to lower the barrier to entry for new threat groups.
Searchlight Cyber’s new report, Ransomware’s Record Year: Tracking a Volatile Landscape in H2 2025, tracked 7458 victims on dark web leak sites in 2025.
These numbers were split virtually 50:50 between the first and second half of the year. To put the annual growth figure in perspective, victim numbers increased by just 13% between 2023 and 2024.
At the same time, the number of ransomware groups hit a new high of 124, with 73 new groups identified in 2025.
Although Searchlight Cyber describes these as “record” highs, it has only been tracking the market since 2023.
It remains to be seen whether these victim numbers translate into a bigger windfall for threat actors.
Chainalysis data revealed that payments to ransomware groups fell 35% annually in 2024 as victims increasingly refused to cave in to extortionists’ demands. That’s despite an increase in reported ransomware “events.”
It’s unlikely that this general trend changed in 2025.
AI as a Force Multiplier
That said, there are signs that technological advances are helping adversaries.
Searchlight Cyber claimed that AI is already lowering the barrier to entry for non-specialist groups, by assisting with social engineering, analysis of exfiltrated data, and even ransomware negotiations.
The coders behind the main variants are also using AI tools to refine and adapt their code in order to bypass security defenses, the report claimed.
Searchlight Cyber explained that the main causes of ransomware breaches which organizations must focus on are:
- Insider threats, including current and former employees, contractors and partners
- Process failures, such as inadequate patching, missing multi-factor authentication (MFA), poor log management, and lack of employee security awareness training
- Compromise of legitimate accounts using phishing, brute-force attacks, or credential stuffing
- Exploits of known and unknown vulnerabilities for initial access
- Initial access brokers (IABs) that pounce on remote desktop protocol (RDP) vulnerabilities, compromised virtual private network (VPN) accounts, and unpatched internet-facing servers
Searchlight Cyber head of threat intelligence, Luke Donovan, claimed the ransomware ecosystem remains highly professionalized and effective, despite law enforcement disruption.
“While we saw a very slight dip in victim numbers in the second half of the year, this should not be interpreted as a victory,” he added. “The landscape continues to fragment; large monolithic syndicates are fracturing into smaller, agile cells, and with the number of active groups at an all-time high, the threat landscape has become more complex and difficult to track than ever before.”