Q4 2025 Ransomware Wrap-Up

Ransomware Highlights from Q4 2025

• Ransomware activity reached a new quarterly record. ZeroFox observed at least 2,091 ransomware and digital extortion incidents in Q4 2025, representing a 46 percent increase from Q3 and surpassing the previous single-quarter record set in Q1 2025. 
• R&DE incidents increased consistently throughout 2025. Each quarter in 2025 saw higher attack volumes than previous years, reflecting a sustained upward trajectory that began in mid-2024 and continued through year-end. 
• December accounted for a disproportionate share of attacks. December 2025 alone represented roughly 38 percent of all global ransomware incidents observed in Q4, marking a sharp increase compared to October and November. 
• North America remained the most targeted region. Organizations based in North America accounted for approximately 59 percent of all ransomware and digital extortion incidents in Q4 2025, consistent with trends observed throughout the year. 
• The most active ransomware collectives shifted from Q3. Qilin, Akira, Sinobi, Cl0p, and LockBit were the five most active R&DE collectives in Q4 2025, with LockBit re-emerging after a period of limited activity earlier in the year.

Key Ransomware Trends Covered in the Report

1. Regional Targeting: North America and Europe together accounted for the majority of ransomware incidents, while Asia-Pacific saw increased activity from specific collectives. 
2. Industry Targeting: Manufacturing remained the most targeted industry, followed by professional services, construction, healthcare, and retail, which together accounted for approximately 60 percent of all incidents. 
3. Prominent Collectives: Detailed analysis of Qilin, Akira, LockBit, Sinobi, and Cl0p, including activity spikes, targeting preferences, and operational shifts observed in Q4 2025. 
4. Early 2026 Outlook: Assessment of whether historical post-Q4 declines are likely to occur, with analysis indicating ransomware activity may remain elevated into Q1 2026.