The global ransomware threat is undergoing a major transformation, with new research from Black Kite exposing a fractured ecosystem marked by a surge of smaller, unpredictable attackers targeting less-defended organizations. The findings, drawn from data collected by the Black Kite Research & Intelligence Team (BRITE) between April 2024 and March 2025, reveal an industry in upheaval after law enforcement crackdowns dismantled some of its biggest players.
Gone are the days when a handful of notorious syndicates such as LockBit and ALPHV/BlackCat dominated the ransomware scene. The disruption of these groups has paved the way for a proliferation of smaller groups and solo actors. Out of the 150 ransomware groups tracked by BRITE, 96 remained active in the past year, up from 61 just 12 months earlier. Remarkably, 52 of these active groups are new entrants who emerged within the last year, according to the report.
“We are entering a new era of ransomware,” said Ferhat Dikbiyik of Black Kite in a press release. “The field is now more chaotic and unpredictable, with a dramatic shift in how attacks are conducted and who they target.”
Unlike their predecessors, who often coordinated high-profile, multimillion-dollar attacks on major corporations, these smaller groups are more opportunistic and less technically sophisticated, yet their sheer numbers are driving a dramatic increase in attacks.
Small and mid-sized businesses (SMBs) have become the primary targets of this fractured ransomware ecosystem. With weaker cybersecurity defenses and limited resources, these organizations are increasingly in the firing line. Over the last year, there has been a 24% rise in reported ransomware victims (6,046 in total) — following an 81% surge the year before, resulting in a staggering 123% two-year increase.
Even as the ransom values themselves have declined by 35% in the past 12 months, the overall impact is spreading. The average ransom demand in 2024 stood at $4.24 million, while the typical payment was closer to $553,959. Experts note that businesses with revenue between $4 and $8 million are the “sweet spot” for attackers seeking a balance between security weakness and willingness to pay.
Manufacturing, Services, and Healthcare Most Targeted by Ransomware Groups
Manufacturing continues to bear the brunt of ransomware activity, with 1,315 attacks logged in the past year. Professional and technical services follow close behind, suffering 1,040 incidents, while healthcare and social assistance accounted for 434 attacks.
The healthcare sector is seeing a particular shift in who is targeted. For the first time, smaller health practices and clinics have overtaken hospitals as primary targets, representing 38% of all healthcare-related incidents. With less robust cyber defenses and significant stores of sensitive data, they provide attractive opportunities for extortion.
Ransomware is increasingly becoming a supply chain problem as much as a cybersecurity one. Attackers are focusing on third-party vendors, knowing a single breach can cascade into multiple victims. According to BRITE, ransomware was responsible for 67% of all known third-party breaches. High-profile incidents at Change Healthcare, Blue Yonder, and CDK Global highlight just how easily these attacks ripple outward, impacting countless downstream businesses.
Fragmentation and Faster Ransomware Attacks Ahead
Looking forward, Black Kite predicts continued fragmentation, with more new actors, quicker attacks, and greater use of automation and AI to enhance reconnaissance. Double targeting may also become more common, with victims being hit by different ransomware strains in rapid succession.