Alarmingly Organized Criminal Enterprises

The surprising anatomy of ransomware groups and their growing threat.


Ransomware attacks nearly doubled in the first half of 2025, revealing an alarming surge in cybercriminal activity and exposing widespread corporate security vulnerabilities.  

According to data from NordStellar, ransomware cases surged in the first half of 2025, with a 49 percent increase compared to the same period in 2024. U.S. companies suffered the most, with small and medium-sized enterprises and those in manufacturing becoming prime targets.

NordStellar has identified over 200 ransomware groups and currently, over 60 of them are active. In addition to the usual updates about successful attacks, they sometimes also publish recruitment announcements, and their high-level requirements should ring alarm bells. 

These groups are mostly looking for top talent in cybersecurity — their requirements tend to consist of wanting an individual with an experienced background in specific fields and a proven track record. According to them, cybercriminals must undergo meticulous screening before they can join the group, minimizing the risk of the group being compromised. Some ransomware groups don't accept outsiders in general, and members can only be invited by already established individuals.

Scaling Operations and Maximizing Profits 

Individuals unfamiliar with the inner workings of ransomware groups are often under the false impression that these hackers are just lone wolves or kids with some hacking skills following a get-rich-quick scheme. However, the opposite is true: the efficiency of ransomware attacks comes from how highly organized these operations are.

Ransomware groups are organized crime, and it's extremely dangerous to underestimate how equipped they are to carry out their attacks. They function like a corporation, with different individuals assigned to specific tasks so that the operation runs smoothly. They also train their members, sharing knowledge and ensuring their expertise meets their requirements. Some even have insiders in the company they're targeting, granting them easy access to sensitive resources. 

Besides new member recruitment, these groups also offer ransomware-as-a-service (RaaS). This model lowers the entry barrier to cybercrime, allowing even amateur hackers to partake. With RaaS, ransomware operations can scale even further, allowing more individuals to carry out ransomware attacks and maximizing the ransomware group's profits. Some ransomware groups even use RaaS themselves as a means to scale their operations without the need for additional human resources.

Primary Targets — Critical Infrastructure

Ransomware groups have a strategic and calculated approach to selecting their targets. As a result, critical infrastructure organizations often become the prime targets.

Companies in the healthcare sector cannot afford any downtime, and losing access to patient medical records can sometimes literally be a matter of life or death. As a result, they could be more inclined to give in to ransomware demands to restore their operations. Similarly, manufacturing businesses operate on tight schedules, and setbacks could result in severe financial losses. Consequently, they could also be more predisposed to do whatever it takes to resume operations quickly.

Relying on passwords as the only means for user authentication, using outdated systems and applications, and prior credential leaks on the dark web are some of the main cybersecurity gaps that make enterprises more vulnerable. Ransomware groups operate with meticulous organization and expertise, making any security gap a dangerous liability. Effective protection demands continuous monitoring of the company's attack surface and prompt identification and patching of vulnerabilities. Anything less leaves your organization unnecessarily exposed. 

Promoting a cyber-aware culture also significantly reduces the risk of experiencing a successful ransomware attack. Employees who have received cybersecurity training are less likely to hand over their credentials to hackers, minimizing the possibility of them gaining access to the network due to user error.
