
Check Point Research’s latest State of Ransomware report reveals a 126% year on year surge, with 2,289 publicly named victims across 74 ransomware groups – the most ever recorded in a single quarter.
Key trends identified in the report include:
- Cl0p led Q1 activity with 392 victims, exploiting zero-day flaws in Cleo file transfer tools and abandoning encryption in favour of data theft and extortion. 83% of its victims were in North America, and 33% came from the consumer goods and services sector, reflecting strategic targeting of the supply chain.
- RansomHub, a LockBit successor, claimed 228 victims, propelled by aggressive affiliate recruitment and generous profit-sharing, allowing it to inherit LockBit’s abandoned criminal market share.
- Babuk-Bjorka and FunkSec routinely post recycled or fake victim claims (167 victims for Babuk-Bjorka and over 170 for FunkSec), muddying the data and inflating their reputations, whilst also attracting affiliates and pressurising victims. FunkSec is also suspected of using AI-developed malware, lowering barriers to entry for attackers and blurring the lines between financial crime and hacktivism, which complicates attribution and response.
- The US remains ransomware’s top target, with nearly 50% of victims, due to a higher likelihood of ransomware payments.
- In the UK, Medusa ransomware accounted for 9% of local victims, a fivefold increase over its global share.
- In Germany, Safepay dominated with 17.5% of reported incidents, suggesting deliberate, regional targeting.
Looking at this geographical concentration, Check Point suggests ransomware groups aren’t casting wide nets. Instead, they’re making surgical, strategic decisions based on local infrastructure, legal systems, and payment potential.
While victim disclosures are skyrocketing, actual ransomware payments dropped by 35% according to Chainalysis. This widening gap points to two worrying possibilities: either victims are increasingly refusing to pay, or some listed victims may not be real at all.
Ransomware’s evolution into extortion without encryption, combined with groups faking attacks using old or public data, means reputation damage, not decryption, is now the main leverage. Traditional metrics based on leak site disclosures no longer paint an accurate picture. This also makes it that much harder for defenders, regulators, and even law enforcement to monitor threat actors accurately or understand the real scale of risk.
“The 126% spike in ransomware is more than just a number, it’s a signal,” says Check Point Threat Intelligence Group Manager Sergey Shykevich. “This denotes smarter, faster, and harder-to-track campaigns and groups that try to manipulate our mind. AI tools, fake victim claims, and regionally tailored tactics mean organisations must move beyond reactive defences and adopt prevention-first, intelligence-led security.”