
Ransomware Didn’t Slow Down in Q4. Here’s What That Means for 2026.

by Maddie Bullock

A Record Quarter, Not an Outlier

Your team is ready. They understand ransomware, the risks, and the stakes. What still catches teams off guard is how consistently the activity keeps climbing, even when experts expect it to slow down.

In Q4 2025, ZeroFox Intelligence observed at least 2,091 ransomware and digital extortion incidents worldwide, making it the most active ransomware quarter on record. On its own, that number is striking. But what matters more is how we got there.

Throughout 2025, ransomware activity increased every single quarter. What started as a noticeable uptick in mid-2024 became a steady climb that never meaningfully reversed. The result is a threat environment where ransomware is no longer spiking in bursts. It is operating at a sustained, elevated pace across regions and industries.

Historically, the final quarter of the year tends to be busy, followed by a quieter start to the next. Q4 2025 challenges that expectation. The data shows ransomware collectives are no longer pacing themselves around traditional cycles. They are simply staying active. Read on to learn how this change could impact your team’s strategy for 2026.

By the Numbers: How Q4 2025 Reset the Baseline

The scale of ransomware and digital extortion activity in Q4 2025 represents a reset in what organizations should consider “normal.”

Compared to Q3 2025, ransomware and digital extortion incidents increased by approximately 46 percent. The quarter also surpassed the previous high set earlier in the year, edging past the record-breaking totals observed in Q1 2025. When viewed year over year, Q4 2025 outpaced the same period in both 2024 and 2023 by a wide margin.

What stands out most is how the quarter unfolded. Activity did not peak early and taper off. It built momentum.

October and November both continued the upward trend seen throughout the year. December then accelerated sharply, accounting for roughly 38 percent of all ransomware and digital extortion incidents in Q4. Instead of winding down at year-end, ransomware operations intensified.

This pattern matters. It signals that many ransomware collectives are comfortable sustaining high operational tempo even during periods that historically saw reduced activity. For organizations planning defenses around assumed slowdowns, Q4 2025 offers a clear reminder: ransomware timelines no longer follow the calendar.

Where Attacks Landed: Regional Targeting in Q4 2025

If Q4 2025 confirmed anything about ransomware geography, it’s that the center of gravity hasn’t shifted.

North America remained the most targeted region by a wide margin, accounting for approximately 59 percent of all ransomware and digital extortion incidents observed during the quarter. That figure is nearly identical to what ZeroFox observed in Q3 2025 and closely aligns with the regional averages seen throughout 2024.

Europe followed as the second most targeted region, and while there was a slight decrease from the previous quarter, the broader pattern remains consistent. Together, North America and Europe accounted for the vast majority of ransomware activity observed during the quarter.

This concentration is not random. Ransomware collectives tend to operate opportunistically, adjusting their targeting based on where access is readily available. That access is often bought and sold across deep and dark web forums, shaping where attacks ultimately land. North America, in particular, continues to present an attractive mix of high-value targets, expansive digital attack surfaces, and infrastructure that supports large-scale monetization.

ZeroFox Intelligence also observed that ideological and geopolitical narratives likely continue to influence targeting decisions, especially when combined with the financial incentives associated with Western-based organizations. When access is available and payouts are perceived as lucrative, ransomware operators move quickly.

Industry Trends That Continue to Matter

While regional targeting remained stable, industry-level impacts in Q4 2025 highlighted where ransomware pressure is most acute and where it continues to grow.

Manufacturing once again emerged as the most targeted industry, accounting for nearly 20 percent of all ransomware and digital extortion incidents during the quarter. ZeroFox observed at least 413 incidents targeting manufacturing organizations in Q4 alone, representing a significant increase from the previous quarter. This trend has now held consistently for several years.

The reasons are familiar but still critical. Manufacturing environments often have low tolerance for downtime, complex operational technology infrastructure, and growing levels of digital connectivity. These factors combine to make disruptions both highly visible and financially impactful. As mentioned above, a target that is perceived as lucrative will be of interest to threat actors.

Professional services also stood out in Q4, continuing a sharp upward trajectory seen throughout 2025. Over the course of the year, ZeroFox observed at least 805 ransomware incidents targeting professional services organizations, a 74 percent increase year over year. Since 2023, ransomware activity against this sector has nearly doubled each year.

Construction, healthcare, and retail rounded out the top five most targeted industries in Q4. Notably, construction experienced one of the largest quarter-over-quarter increases, reinforcing how rapidly ransomware operators adapt their focus as industries digitize and expand their external attack surfaces.

Taken together, these industry trends underscore a key reality. Ransomware operators are not chasing novelty. They are targeting sectors where disruption creates urgency, where digital exposure is growing, and where operational pressure increases the likelihood of payment.

Inside the 2025 Ransomware Ecosystem

We’ve covered the targets, both regions and industries. One of the clearest signals going into 2026 comes from the collectives driving the ransomware ecosystem.

The five most active ransomware and digital extortion (R&DE) collectives in Q4 were Qilin, Akira, Sinobi, Cl0p, and LockBit. Compared to the previous quarter, that lineup shifted noticeably. Only Qilin and Akira carried over from Q3, while the remaining positions were filled by a mix of resurgent and newly aggressive groups.

This kind of turnover matters. It reinforces how fluid the ransomware ecosystem has become. Affiliates shift between collectives, tooling evolves quickly, and groups that appear dormant can return at scale with little warning. What stays consistent is the concentration of activity. A relatively small number of collectives continue to account for a disproportionate share of global ransomware incidents.

Behavioral Signals from the Most Active Collectives

Rather than telling the story of each group in isolation, the Q4 2025 Ransomware Wrap-Up offers insight into how ransomware collectives are operating, regrouping, and scaling.

LockBit’s return is a clear example. After minimal activity earlier in 2025, LockBit re-emerged in Q4 with at least 110 observed attacks. Notably, the group was inactive for most of the quarter and then surged in December, with more than half of its activity occurring in the final week. This resurgence closely followed the group’s launch of LockBit 5.0, signaling a renewed operational push rather than sporadic activity.

Sinobi’s growth trajectory tells a different story. Emerging only in Q3 2025, Sinobi nearly tripled its activity in Q4, reaching at least 139 observed attacks. While still accounting for a smaller share of total incidents, the pace of increase is significant. Sinobi’s targeting closely mirrored broader ransomware trends, with a heavy focus on North America and strong alignment with professional services, manufacturing, and construction sectors.

Cl0p’s reappearance added another layer of volatility. After record-setting activity earlier in 2025 and relative quiet in the middle of the year, Cl0p returned in Q4 with over 100 observed attacks. Its targeting patterns remained consistent with past behavior, particularly within manufacturing and professional services, reinforcing how established collectives can re-enter the landscape without fundamentally changing their playbook.

Across these groups, one theme stands out. Ransomware operations in Q4 2025 were not fragmented or experimental. They were deliberate, scalable, and increasingly comfortable operating at sustained volume.

Intelligence-Led Recommendations: Turning Ransomware Insight into Readiness

Q4 2025 reinforces a critical lesson. Ransomware is no longer an episodic risk driven by short-lived spikes or seasonal cycles. It is a persistent, adaptive threat that responds quickly to access availability, operational pressure, and opportunity.

Based on the intelligence observed throughout the quarter, organizations should prioritize readiness in a few key ways.

First, plan for persistence. Elevated ransomware activity is now the baseline. Defensive strategies built around assumed slowdowns leave gaps that ransomware operators are increasingly willing to exploit.

Second, prioritize visibility where access is traded. Ransomware targeting remains closely tied to the availability of network access sold across deep and dark web forums. Understanding when and where access to your organization or industry is being advertised provides critical early context before attacks occur.

Third, focus on industry-specific exposure, not generic risk models. Manufacturing, professional services, construction, healthcare, and retail each face distinct pressures that ransomware operators understand well. Defensive prioritization should reflect how attackers monetize disruption in your specific operating environment.

Finally, track behavior, not just names. The rapid shifts among the most active ransomware collectives in Q4 highlight why actor labels alone are insufficient. Changes in tooling, operational tempo, and targeting patterns often matter more than the banner a group operates under.

From Headlines to Operational Readiness

Q4 2025 did not introduce a new ransomware problem. It clarified the one organizations are already facing.

Ransomware activity remains elevated, adaptive, and opportunistic. The patterns observed across regions, industries, and collectives point to a threat landscape defined by persistence rather than peaks. Intelligence plays a critical role in navigating this environment, but only when it is used to inform preparation, prioritization, and response.

Understanding how ransomware operates today is the first step toward being ready for what comes next. Download the Q4 2025 Ransomware Wrap-Up for a deeper look at the trends shaping ransomware activity heading into 2026 and what we’re watching next.

Maddie Bullock

Content Marketing Manager

Maddie is a dynamic content marketing manager and copywriter with 10+ years of communications experience in diverse mediums and fields, including tenure at the US Postal Service and Amazon Ads. She's passionate about using fundamental communications theory to effectively empower audiences through educational cybersecurity content.

Tags: Dark Web Monitoring, Threat Intelligence
