Exploring the 2025 IT Sector Ransomware Landscape
- Ashlyn Jimenez
- Feb 18
- 3 min read
Updated: 6 days ago
At the IT-ISAC, our mission is to track shifts in the digital battlefield to help our members stay ahead of emerging threats. Through proprietary tools, internal intelligence, and active sharing among members and partners, we have recorded over 15,000 ransomware incidents over the past 5 years.
Our latest year-end analysis of ransomware incidents reveals an aggressive, AI-driven, and adapting criminal ecosystem. In 2024, the IT sector saw 300 recorded incidents. In 2025, that number jumped to 746 incidents – a staggering 148% increase. Ransomware operators have moved from "spray and pray" tactics to targeted, high-impact strikes on the technology sector. Attackers have adopted a one-to-many exploitation approach. By compromising a single IT service provider or software platform, they can gain backdoor access into hundreds of downstream customers.
The Costs for Critical Infrastructure
While the IT sector faced a heavy barrage, it wasn't the only target. Our 2025 data shows that ransomware continues to plague the backbone of our economy in these critical infrastructure sectors:
- Critical Manufacturing: 1,440 attacks (22.7%)
- Commercial Facilities: 1,107 attacks (17.5%)
- Information Technology: 746 attacks (11.8%)
- Healthcare: 580 attacks (9.2%)
- Financial Services: 463 attacks (7.3%)
Geographically, the U.S. remains the primary target, accounting for 48% of all IT sector incidents. As the world’s largest economy and a global tech hub, the U.S. offers the high-value prizes ransomware operators crave.
A Shifting Roster of Ransomware Groups
The ransomware market saw a dramatic consolidation in 2025. While 2024’s leader, RansomHub, vanished from the charts, a new leader emerged: Qilin.
Qilin (also known as Agenda) now commands a 12.5% market share – more than double its nearest competitor. The group’s success is driven by a pivot to Rust-based encryption, allowing it to target Windows, Linux, and ESXi environments efficiently.
The top five ransomware groups observed in 2025 were:
- Qilin: The RaaS giant (93 IT attacks and 912 overall).
- CL0P: The "Big Game Hunter," focusing on Zero-Day vulnerabilities.
- Akira: The specialist in targeting SMBs and MSPs.
- Play: A secretive, closed cell that evades law enforcement by avoiding the public RaaS model.
- INC Ransom: An established threat group known for targeting life-safety sectors and IT service providers.
Ransomware Trends of 2025
In 2025, defensive capabilities improved, but attackers evolved alongside them. We observed three major trends:
- Weaponizing Zero-Days: Attackers are now weaponizing critical vulnerabilities within hours of disclosure.
- Living-off-the-Land (LoTL): Groups are increasingly using legitimate administrative tools to blend in with normal network traffic, making detection nearly impossible for traditional antivirus.
- Vishing and Multi-Factor Authentication (MFA) Bypass: Social engineering has become more sophisticated, using vishing (voice phishing) to steal OAuth tokens and bypass MFA.
What’s in Store for 2026?
The lessons of 2025 provide a roadmap for what to expect in the coming year. Based on our analysis, we anticipate:
- SaaS Ecosystem Targeting: The breach of a single SaaS provider can be used to compromise entire supply chains.
- Encryptionless Extortion: Expect more smash-and-grab jobs where data is stolen but not encrypted. This lowers risk and costs for attackers while still providing high leverage for extortion.
- Cloud Infrastructure Attacks: Threat actors will stop deploying malware and start abusing IAM permissions and leveraging legitimate APIs to encrypt or destroy data while blending in with normal activity.
- Legitimate Tool Abuse: Attackers will increasingly repurpose victims’ own IT and security tools. By hijacking trusted administrative platforms, they blend into them, bypassing traditional detection to maintain stealthy persistence.
- Zero-Day Exploitation: Expect rapid-fire weaponization of enterprise vulnerabilities. Once a flaw is public, attackers automate exploitation at scale, using unauthenticated access to bypass the perimeter before organizations even have the chance to patch.
The shift from encryption-based attacks to stealthier data theft means traditional security measures are no longer enough. Organizations should consider prioritizing:
- Detection and Response: identify LoTL behavior before data exfiltration begins.
- Zero-Trust Identity: protect against MFA bypass and token theft.
- Collaborative Intelligence: use information-sharing resources to understand the TTPs of groups like Qilin and CL0P.
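As an added illustration of the first priority above (not code from the IT-ISAC report), the following Python correlates execution of a legitimate admin tool with bulk outbound transfer to an external peer shortly afterwards, which is the LoTL-then-exfiltration pattern that encryptionless extortion depends on. The event schema, watch-list, thresholds and sample telemetry are all constructed assumptions.

```python
"""Added example: flag hosts where a dual-use admin tool runs and large
outbound transfer to one external peer follows within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed watch-list of legitimate tools that are commonly repurposed for
# staging and moving data; tune to what is actually sanctioned in your estate.
LOTL_TOOLS = {"rclone.exe", "7z.exe", "psexec.exe", "wmic.exe", "certutil.exe"}
WINDOW = timedelta(minutes=30)                 # assumed correlation window
BYTES_THRESHOLD = 500 * 1024 * 1024            # assumed: 500 MiB to one peer
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _external(ip):
    """True when the destination is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def detect(events):
    """events: dicts of kind 'process' or 'netflow'. Returns one alert per
    (host, tool run, external peer) whose bytes in WINDOW exceed threshold."""
    runs = defaultdict(list)                              # host -> tool runs
    flows = defaultdict(lambda: defaultdict(list))        # host -> peer -> xfers
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "process" and e["image"].lower() in LOTL_TOOLS:
            runs[e["host"]].append((ts, e["image"], e["user"]))
        elif e["kind"] == "netflow" and _external(e["dst"]):
            flows[e["host"]][e["dst"]].append((ts, e["bytes_out"]))
    alerts = []
    for host, tool_runs in runs.items():
        for start, tool, user in tool_runs:
            for peer, xfers in flows[host].items():
                total = sum(b for t, b in xfers if start <= t <= start + WINDOW)
                if total >= BYTES_THRESHOLD:
                    alerts.append({"host": host, "user": user, "tool": tool,
                                   "peer": peer, "bytes": total})
    return alerts

MiB = 1024 * 1024
SAMPLE_EVENTS = [  # constructed sample telemetry; 203.0.113.0/24 is a doc range
    {"kind": "process", "host": "ws-14", "user": "svc-backup", "image": "rclone.exe", "ts": "2025-06-02T01:10:00"},
    {"kind": "netflow", "host": "ws-14", "dst": "203.0.113.7", "bytes_out": 400 * MiB, "ts": "2025-06-02T01:15:00"},
    {"kind": "netflow", "host": "ws-14", "dst": "203.0.113.7", "bytes_out": 300 * MiB, "ts": "2025-06-02T01:25:00"},
    {"kind": "process", "host": "ws-22", "user": "jdoe", "image": "wmic.exe", "ts": "2025-06-02T09:00:00"},
    {"kind": "netflow", "host": "ws-22", "dst": "10.0.0.5", "bytes_out": 900 * MiB, "ts": "2025-06-02T09:05:00"},
    {"kind": "netflow", "host": "ws-22", "dst": "198.51.100.9", "bytes_out": 2 * MiB, "ts": "2025-06-02T09:10:00"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only ws-14 is raised: its internal-only and small external transfers on ws-22 stay below the assumed threshold, which is the trade-off such a rule makes between noise and catching slow, low-volume staging.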
Scaling your threat intelligence by collaborating with peers can increase your security and resilience in an increasingly volatile landscape.
Want to dive deeper into the data? Take a look at our full public ransomware report, Exploring the Depths: Analysis of the 2025 Ransomware Landscape and Insights for 2026, available here.