Ransomware Attacks Surge 49% in 2025, Targeting US SMBs

Ransomware attacks have surged significantly in 2025, with a staggering 49% increase in incidents compared to the previous year. Data compiled by NordStellar, a threat exposure management platform, shows that the total number of ransomware cases has nearly doubled, with small and medium-sized businesses (SMBs) and organizations in the United States being the primary targets.

Between January and June 2025, there were 4,198 ransomware cases recorded on the dark web, a sharp rise from 2,809 cases documented in 2024. In the second quarter alone, from April to June, 1,758 ransomware incidents were reported, marking a 19% increase from the same period last year.

Impact on US Businesses and SMBs

The data indicates a troubling trend for the US, which accounted for 49% of the ransomware cases traced to specific victim countries, totaling 596 incidents. Following the US, Germany recorded 84 cases, while Canada, the United Kingdom, and Spain reported 74, 40, and 37 cases, respectively.

According to Vakaris Noreika, a cybersecurity expert at NordStellar, the profile of victims has remained consistent with the previous quarter, emphasizing that SMBs and manufacturing companies are the most targeted sectors. Noreika highlighted the vulnerabilities these organizations face, stating, “Bad actors continue to exploit preventable security vulnerabilities successfully.”

The manufacturing sector experienced the highest incidence of attacks, with 229 cases reported in Q2 2025. The construction industry followed with 97 cases, and information technology recorded 88 incidents. Companies with 51–200 employees and revenues between $5 million and $25 million were particularly at risk.

Factors Driving the Increase in Ransomware

Noreika suggests several factors contributing to the rise in ransomware attacks. The proliferation of ransomware-as-a-service (RaaS) platforms, the expansion of attack surfaces due to remote work models, and economic uncertainty could all play a role. The lucrative nature of these attacks makes them appealing to cybercriminals, prompting a sustained increase in activity.

The group Qilin emerged as the most active ransomware group in Q2 2025, responsible for 214 incidents. Safepay and Akira followed closely with 201 and 200 incidents, respectively. Noreika noted that Safepay, which was first detected in late 2024, saw a significant spike in activity in May 2025, with 158 incidents reported that month alone.

To combat the growing threat of ransomware, Noreika emphasizes that employees are the first line of defence. Organizations should invest in cybersecurity training focusing on phishing scams, multi-factor authentication, and password management to mitigate risks.

“Building a comprehensive cybersecurity strategy is essential to detect threats before they escalate,” he said. This strategy should include endpoint protection, monitoring for potential data leaks on the dark web, and addressing unpatched security vulnerabilities.

Businesses are encouraged to stay proactive by implementing recovery plans and consistently backing up critical data to lessen the impact of potential ransomware incidents. The alarming rise in ransomware attacks serves as a stark reminder of the need for robust cybersecurity measures, especially for vulnerable sectors like SMBs and manufacturing.