ZeroFox Intelligence Assessment - Q4 2025 Ransomware Wrap-up
by Alpha Team

TLP:Clear
Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- ZeroFox observed at least 2,091 separate ransomware and digital extortion (R&DE) incidents in Q4 2025, an increase of approximately 46 percent from Q3 and nearly 7 percent more than the record-breaking 1,961 incidents observed in Q1 2025.
- Throughout 2025, ZeroFox observed a higher number of attacks each quarter compared to previous years, reflecting a longer-term upward trajectory of R&DE incidents observed across regions and industries.
- Regional R&DE targeting patterns in Q4 2025 were largely consistent with those observed during previous months. North America-based organizations were the most targeted by a substantial margin, accounting for approximately 59 percent of all incidents.
- ZeroFox observed that the five most active R&DE collectives in Q4 2025 were almost certainly Qilin, Akira, Sinobi, Cl0p, and LockBit. This is a change from Q3 2025: only Qilin and Akira remained in the top five from the previous quarter.
Tags: tlp:clear, threat actor, malware