Black Kite today announced its newest report, 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems. The report found that threats have escalated with more actors, less predictability, and deeper entanglement in supply chains, underscoring an urgent need for organizations to implement intelligence-driven defenses and proactive vendor monitoring.

"Ransomware has evolved, not in sophistication but in strategy," said Ferhat Dikbiyik of Black Kite. "Since the fall of LockBit and AlphaV ransomware syndicates, the cybercriminal landscape has been defined by chaos and recalibration, with dozens of new actors that are unpredictable in how, where, and why.

We are entering a new era of ransomware where the growth in victim count signals more than just an activity surge. There is a deeper shift in how ransomware groups operate and who they target, with small and mid-sized businesses becoming the new front line. As the barriers are now lowered with less sophisticated but effective actors entering the field, organizations need to understand their cyber ecosystem risk by shifting their cybersecurity posture from visibility to anticipation and response to resilience."

Between April 2024 and March 2025, ransomware attacks escalated with unpredictable campaigns across a wide range of industries. As uncovered by Black Kite's Research & Intelligence Team (BRITE), the number of publicly disclosed victims saw a 25% increase from the previous year. This follows a steep rise in the previous period with an 81% surge, amounting to a 123% increase over two years.

The year also saw a noticeable uptick in attacks against small and mid-sized businesses (SMBs) due to their less robust cybersecurity defenses and lower risks of retaliation and a rise in supply chain warfare with attackers focused on third-party vendors, where just one compromised provider can disrupt dozens to hundreds of downstream organizations. These incidents, often called silent breaches, can go unnoticed until their ripple effects halt operations across industries.

Leveraging data and machine learning, Black Kite's Ransomware Susceptibility Index (RSI) proved to be a critical signal. A numerical score between 0.0 and 1.0, with a higher score representing greater susceptibility to a ransomware attack, RSI goes beyond cyber risk metrics and provides a composite score that incorporates technical indicators and intrinsic risk factors. In fact, for those with RSI above 0.8, nearly half (46%) were attacked, and most organizations showed rising RSI trends well before a breach.

The report's key findings include:

Publicly disclosed ransomware victims climbed to 6,046, a 24% increase year over year, and more than doubled since 2023.

52 entirely new groups emerged in the last year, resulting in 96 active ransomware groups.

Under-resourced, understaffed, and underprepared, SMBs ($4M-$8M) were the most frequently targeted.

Ransomware was responsible for 67% of known third-party breaches.

46% of organizations with RSI greater than 0.8 experienced ransomware attacks.

With smaller, less sophisticated operators that often lack the infrastructure to run complex extortion operations, ransom payment values declined by 35%, but the overall impact has widened.

Ransomware is no longer dominated by large syndicates. Today's organizations must contend against smaller groups that have less experience but the same intent—disrupt, extort, and repeat. While the tactics lack the sophistication of their predecessors and the targets are smaller, the volume and unpredictability of this new era of ransomware present a new set of challenges. Organizations must also defend against AI-driven ransomware that enables attackers to bypass existing security systems and could evade detection, like analyzing EDR logs or monitoring incident response communications to adjust ransom demands.

Access the full report here.

Methodology

The findings in this report are the result of a comprehensive year-long investigation conducted by the Black Kite Research & Intelligence Team (BRITE), covering the period between April 1, 2024, and March 31, 2025. The methodology combines continuous monitoring of ransomware operations with detailed victim analysis and dark web intelligence gathering: