Ransomware gangs claimed a deluge of victims during the final quarter of 2025, despite a decline in the number of active ransomware groups, analysis by cybersecurity researchers at ReliaQuest has revealed.
As detailed in the company’s Ransomware and Cyber Extortion in Q4 2025 report, the number victim organizations which had their data posted on ransomware leak sites in the final three months of 2025 was up by 50% compared with the previous quarter, and increased by 40% compared with the same period in the previous year.
The organizations which had data published on leak sites were victims of ransomware attacks and the perpetrators released some of the stolen data during their intrusion to put additional pressure on the target to pay a ransom.
Despite the rise in data leaks, ReliaQuest’s analysis of attacks suggested that the number of ransomware groups has declined. However, the most organized operators have increased their output.
“Regardless of which groups rise or fall quarter to quarter, the sustained increase in data-leak site posts emphasizes that ransomware remains a persistent, growing threat even as individual group names come and go,” said Gautham Ashok, cyber threat intelligence analyst at ReliaQuest.
Qilin, Akira and Sinobi Drive Late-2025 Ransomware Wave
Top-tier ransomware-as-a-service (Raas) schemes continue to focus on speed of execution by gaining access to networks as quickly as possible to avoid malicious activity being detected before they execute the ransomware.
According to the ReliaQuest Threat Research Team, the most prolific ransomware groups during the final portion of 2025 were Qilin, Akira and Sinobi.
Qilin ransomware accounts for the largest number of compromised organizations with over 450 victims, including Japanese brewer Asahi. Qilin is followed by Akira ransomware, which analysis suggests claimed over 200 victims.
The third most prolific group on data-leak sites during the period was Sinobi, which saw listings surge by over 300% compared with the previous quarter. Researchers noted that the ransomware emerged in July 2025 and is likely an offshoot of Lynx ransomware.
Lynx remains an active ransomware operation, but only accounts for a small percentage of incidents compared to Sinobi.
ReliaQuest recommends that to have the best chance of defending against and disrupting ransomware attacks, organizations should deploy defences like multi-factor authentication (MFA) to harden accounts against phishing attacks, as well as strengthen data exfiltration monitoring tools.
“Groups may disband, affiliate rosters may churn, and tools may get slicker, but attack patterns stay stubbornly familiar quarter after quarter,” said Ashok
“If security teams can reliably detect and disrupt credential-based access, living-off-the-land (LotL)-based lateral movement, privilege escalation and data exfiltration, then networks will remain resilient to whichever dominant group of the quarter,” he concluded.
