Ransomware is growing, and cyber defence now depends on what people know
For years, businesses have treated data breaches as the headline cyber risk. A stolen database, a leaked password list or an exposed customer record could trigger reputational damage, regulatory scrutiny and financial loss.
But the cyber threat landscape is shifting. A new report from security firm Bitsight suggests ransomware is becoming an even more visible and aggressive force, while traditional data breach reporting appears to be falling.
That does not mean organisations are safer. It means attackers are changing tactics.
According to Bitsight’s annual State of the Underground report, ransomware attacks claimed by hackers on dark web leak sites rose by nearly one fifth in 2025, reaching 6,883 reported incidents. The number of leak sites also increased sharply, rising by roughly one third to 115.
These figures point to a more crowded and professional ransomware ecosystem. Leak sites are a core part of modern extortion. Attackers do not simply encrypt files and demand payment. They also steal sensitive data, threaten to publish it and use public pressure to force victims into paying.
That model has made ransomware more than a technical incident. It is now a business crisis, a legal problem, a communications challenge and, in some cases, a public safety risk.
The concentration of activity is also striking. Bitsight found that just ten ransomware groups were responsible for about 58% of attacks. Five of those groups were associated with Russia. This suggests that while the ransomware landscape may appear fragmented, much of the harm is being driven by a relatively small number of highly active operators.
For defenders, that matters. It shows how organised the threat has become. These are not isolated hackers operating without structure. Many ransomware groups work like criminal enterprises, with technical teams, negotiation specialists, malware developers, affiliates and public leak operations.
The United States remained the biggest target, accounting for roughly 60% of ransomware victims. Manufacturing topped the list of affected sectors, reinforcing a pattern seen across recent years. Manufacturers are attractive targets because downtime can be extremely expensive. When production lines stop, supply chains stall, orders are delayed and pressure to restore systems quickly becomes intense.
That pressure is exactly what ransomware groups exploit.
The report also found that traditional data breaches fell by 41% in 2025 compared with the previous year. On the surface, that may sound like progress. But Bitsight warned that the decline should not be interpreted as a simple reduction in risk.
There are several reasons for caution. Reporting gaps can distort the picture. Organisations may delay disclosure, classify incidents differently or fail to detect breaches at all. Threat actors may also be shifting toward higher impact targets where one compromise can affect many organisations at once.
This is the domino effect problem.
Rather than attacking every company individually, cybercriminals increasingly look for systems, suppliers and services that sit at the centre of many others. A successful attack on a critical vendor, infrastructure provider, government service, utility or defence related organisation can create disruption far beyond the original victim.
That is why ransomware is so dangerous in the modern digital economy. Organisations are connected through software, cloud services, logistics networks, payment systems, managed service providers and shared data platforms. One weak point can become the entry path to many more.
Bitsight also identified a surge in internet facing artificial intelligence services. This is an important warning sign. As more organisations rush to adopt AI tools, many are exposing new systems, APIs and services to the open internet. Every exposed service becomes a potential target if it is poorly configured, unpatched or connected to sensitive data.
AI may help businesses improve productivity, automate workflows and analyse information more quickly. But it also expands the attack surface. New tools often arrive faster than governance, training and security controls. Employees may not understand what data can safely be entered into AI systems. Developers may connect services without adequate testing. Leaders may approve AI deployments without fully assessing cyber risk.
This creates a familiar pattern. Technology moves quickly, but security habits lag behind.
Education was the sector with the highest number of traditional data breaches in 2025, with 505 recorded incidents. That is another reminder that cyber risk is not limited to large corporations or high value financial targets. Schools, universities and training providers hold sensitive personal information, often operate complex networks and may lack the resources of larger commercial organisations.
The broader lesson is clear. Cyber attackers go where the opportunity is. They target valuable data, weak systems, time sensitive operations and human error. They look for organisations that are connected, distracted, under prepared or slow to respond.
Ransomware growth should force every organisation to ask difficult questions. Are backups isolated and tested? Are employees trained to recognise phishing and social engineering? Are software updates applied quickly? Are third party risks reviewed properly? Are AI tools being deployed safely? Does the business know what it would do in the first hour of an attack?
Too often, companies focus on security only after an incident. By then, the damage may already be spreading. Ransomware response is stressful, expensive and public. Prevention is almost always cheaper than recovery.
The strongest cyber defences combine technology, policy and people. Firewalls, endpoint protection and monitoring tools are important, but they cannot protect an organisation if staff are unaware of basic threats, if managers do not understand risk or if employees are not confident enough to report suspicious activity early.
That is where knowledge becomes a frontline defence.
Ransomware operators rely on mistakes. A clicked link. A reused password. An ignored software update. A rushed approval. A poorly understood system. Training helps reduce those openings by giving people the awareness and confidence to act before a threat becomes a crisis.
The rise in ransomware is not just a warning for IT teams. It is a warning for everyone who uses digital systems at work. In today’s environment, cyber security is no longer a specialist concern hidden in the server room. It is a core business skill.
If your organisation wants to reduce risk, strengthen resilience and prepare people for the threats already targeting businesses worldwide, now is the time to act.
Build the knowledge your team needs before attackers test your defences. Take The Hack Academy’s online training programme and give your people practical cyber security awareness that can help them recognise threats, avoid costly mistakes and respond with confidence. In a year when ransomware is rising and attackers are becoming more strategic, better training is not optional. It is one of the smartest investments your organisation can make.