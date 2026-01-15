New Annual Report from the GuidePoint Research and Intelligence Team (GRIT) Reveals a 58% YoY Increase in Ransomware Victims as Record Activity Becomes the New Norm

GuidePoint Security, the cybersecurity advisor and services partner organizations rely on to protect what matters most, announced today the release of the GuidePoint Research and Intelligence Team's (GRIT) annual Ransomware & Cyber Threat Report.

The GRIT 2026 Ransomware & Cyber Threat Report provides exclusive in-depth research, insights and analysis on a year of record-breaking ransomware activity, examining who cybercriminals are targeting (and why), the top tactics threat actors are using and how shifting ransomware group dynamics are redefining the threat landscape.

“The GRIT 2026 Ransomware & Cyber Threat Report shows the most active year for ransomware we’ve ever recorded, revealing a 58% year-over-year increase in ransomware victims,” said Jason Baker, Lead Threat Analyst at GuidePoint Security. “While law enforcement disruptions have reshaped the Ransomware-as-a-Service (RaaS) ecosystem, group fragmentation is driving new patterns of high-volume, repeatable operations, pushing overall activity to record-breaking levels. The rise of Qilin as the most active group we’ve ever tracked — surpassing even LockBit at its peak — underscores how the ecosystem is evolving. For organizations, well-resourced defenders, proactive vulnerability management and real-time threat intelligence will be critical for mitigating risk in the year ahead.”

Findings from this year’s report include:

Ransomware victim numbers hit a new all-time high. 2,287 ransomware victims were posted in Q4 2025 alone — the largest number recorded in a single quarter since the report’s inception.

2,287 ransomware victims were posted in Q4 2025 alone — the largest number recorded in a single quarter since the report’s inception. The number of threat groups has reached record levels. 124 distinct ransomware groups were active in 2025, the highest ever recorded and a 46% year-over-year increase.

124 distinct ransomware groups were active in 2025, the highest ever recorded and a 46% year-over-year increase. The United States remains a top geographic target for ransomware attacks . In 2025, more than half (55%) of ransomware victims were based in the U.S.

. In 2025, more than half (55%) of ransomware victims were based in the U.S. A new RaaS leader has emerged. Qilin’s activity levels in 2025 were the highest of any group ever observed.

Qilin’s activity levels in 2025 were the highest of any group ever observed. The Manufacturing industry was most heavily impacted by ransomware , accounting for 14% of attacks. The Technology (9%) and Retail/Wholesale (7%) industries followed closely behind.

, accounting for 14% of attacks. The Technology (9%) and Retail/Wholesale (7%) industries followed closely behind. High ransomware activity levels should continue in 2026. December 2025 was the most active month for claimed ransomware victims on record with 814 successful attacks — a 42% year-over-year increase.

“International law enforcement operations throughout 2025 applied sustained pressure across the ransomware ecosystem, disrupting core services that many groups rely on to operate,” Baker added. “While threat actors continue to adapt, these coordinated actions are raising the cost of doing business for ransomware operators and reinforcing the importance of collective, cross-border efforts in shaping a more resilient security landscape.”

The report also explores the growing use of AI in ransomware attacks, examines the impact of zero-day vulnerabilities on ransomware and takes an in-depth look at major ransomware operators throughout the year, including an analysis of ransomware payments made to the Qilin and Akira groups.

The GRIT 2026 Ransomware & Cyber Threat Report is based on data obtained from publicly available resources, vendor threat research, internal incident response case data and open-source intelligence collected from illicit forums and marketplaces.

