State of Ransomware: December 2025

Published 1 January 2026 · ThreatVectr Intelligence

802+15%
Claimed attacks
vs 700 the month before
57
Groups active
73
Countries affected
54
Busiest day
24 December

Ransomware groups claimed 802 attacks on organisations worldwide in December 2025, up 15% on the previous month's 700. 57 distinct groups posted at least one victim during the month, across 73 countries. The busiest single day was 24 December, with 54 victims listed.

Qilin was the most active operation of the month, claiming 175 victims — 22% of all listings. LockBit (69) and SafePay (59) followed. 4 groups appeared for the first time, including Minteye, Ms13089, Osiris, LockBit.

Manufacturing bore the heaviest targeting, with 121 claimed victims, ahead of Business Services (102) and Technology (92). By geography, United States accounted for 341 claims — 43% of the month — with Germany (38) and Canada (33) next.

Claims per day — December 2025

Most active groups

  1. 1Qilin·175
  2. 2LockBit3269
  3. 3SafePay559
  4. 4Akira157
  5. 5Sinobi454
  6. 6Devman746
  7. 7DragonForce135
  8. 8INC Ransom433
  9. 9Coinbasecartel622
  10. 10Play520

First seen this month:Minteye, Ms13089, Osiris, LockBit

Most-targeted sectors

  1. 1Manufacturing121
  2. 2Business Services102
  3. 3Technology92
  4. 4Healthcare65
  5. 5Construction62
  6. 6Consumer Services47
  7. 7Financial Services43
  8. 8Agriculture and Food Production35
  9. 9Public Sector33
  10. 10Education27

Most-affected countries

  1. 1United States341
  2. 2Germany38
  3. 3Canada33
  4. 4France28
  5. 5United Kingdom22
  6. 6Italy21
  7. 7Brazil19
  8. 8Spain19
  9. 9India17
  10. 10Türkiye12

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: December 2025”, https://threatvectr.com/ransomware-tracker/reports/december-2025

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr