RESEARCH

Ransomware Set a 2025 Record -- Trackers Split From 7,079 to 8,159 Victims

Five independent ransomware trackers -- Comparitech, NCC Group, Breachsense, Picus Security, and BlackFog -- all confirm 2025 was a record year for ransomware leak-site activity, with year-over-year growth ranging from 32% to 50%. But their full-year victim totals for the same 12-month period diverge from 7,079 to 8,159, a spread of over 1,080 victims (about 14% of the low-end figure). The gap traces to how each firm handles duplicate claims, retracted postings, and non-ransomware extortion listings on the same public leak sites -- not disagreement about the underlying trend.

Findings

  • Comparitech recorded 7,419 ransomware attacks claimed against organizations in 2025, up 32% from 5,631 in 2024; only 1,173 of those were confirmed by the targeted organizations themselves.
  • NCC Group's Annual Threat Monitor counted 7,874 ransomware incidents worldwide in 2025 (+50% YoY), with Qilin the single most active group at 1,022 claimed attacks.
  • BlackFog tracked 7,079 victims announced on ransomware leak sites in 2025, a 37% year-over-year increase, while Breachsense counted 7,307 companies claimed by ransomware groups (+45% YoY) and Picus Security counted 8,159 -- the highest of the five.
  • The five trackers span a 1,080-victim range (7,079-8,159) for the same calendar year and the same broad methodology -- publicly claimed leak-site victims -- illustrating how duplicate claims, retracted postings, and differing crawl cadences shift the headline number even when everyone agrees the trend is a record-breaking escalation.

Delta Engine result

↔ Divergence Detected — Δ 0.1111 (threshold 0.05)

Evidence quality

avg 25 · min 25 · max 25 · spread 0