Cybersecurity Awareness Month: Ransomware’s New Normal
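The Q3 2025 ransomware and cyber threat report shows that ransomware activity continues to grow, with the number of active groups reaching a record high (77) and the number of victims stabilizing (1500-1600). Attacks on industries such as manufacturing, engineering and education increased, and the United States remains the primary target. Some states have implemented payment bans to reduce the risk of ransom payments. 2025-10-9 10:5:0 Author: www.guidepointsecurity.com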

Insights from the GRIT Q3 2025 Ransomware & Cyber Threat Report

October is Cybersecurity Awareness Month (CAM). GuidePoint Security is proud to join the national effort, championed by the US National Cybersecurity Alliance (NCA) in collaboration with the Cybersecurity & Infrastructure Security Agency (CISA), to amplify essential cybersecurity practices under the 2025 themes: Stay Safe Online and Building a Cyber Strong America.

Ransomware continues to escalate, driving a more fragmented and aggressive threat landscape. The GRIT Q2 2025 Ransomware & Cyber Threat Report reveals the latest shifts that security teams need to watch to stay ahead.

Cybersecurity Awareness Month is a time to refocus on how we defend against evolving threats. Part of that is understanding how the threat landscape is changing.

The GuidePoint Research and Intelligence Team (GRIT) just released its Q3 2025 Ransomware and Cyber Threat Insights Report, and the findings reveal insights that every cybersecurity practitioner should pay attention to. 

GRIT observed another record-high number of ransomware groups in Q3 2025. Distinct ransomware and extortion groups climbed 57% year-over-year, with 77 active groups identified in Q3 alone. At the same time, the team observed that the number of attack victims appears to be stabilizing.

What is the “New Baseline” in Ransomware?

After years of relentless growth, ransomware activity appears to be normalizing. GRIT has observed an average of 1500-1600 victims per quarter since late 2024. GRIT notes, “While some may dismiss this as yet another quarter of ransomware, we see it as a new baseline of operational activity.”

In short, the victim count is plateauing despite continued growth in named groups. This could be attributed to operators being spread across a greater number of groups, to lower-skill or ephemeral groups, or to overlapping ransomware groups.

Key Takeaways from the Q3 2025 Ransomware and Cyber Threat Insights Report

  • 77 active ransomware groups in Q3 2025 (an all-time high)
  • 1500-1600 emerging as a “new normal” baseline for publicly posted ransomware victims in a quarter
  • Engineering and Education joined the “Top 10 most impacted” industries, giving Transportation, as well as Entertainment, Hospitality and Tourism, a brief respite
  • 252 publicly claimed ransomware attacks targeting manufacturing in Q3 2025, a 26% increase over the prior quarter
  • Qilin accounted for 15% of the total Q3 attack count, with 234 victims
  • Akira claimed 150 ransomware victims in Q3, a 13% QoQ increase over Q2 (133) and 212% YoY increase (48)
  • US increased its ransomware target count from the previous quarter to 56% (from 52.1%), solidifying its place as a top target
  • The Republic of Korea was the focus of a Q3 Qilin campaign targeting multiple Korean financial and accounting entities
  • Some states (e.g., Ohio, Florida) have passed payment bans and standards around ransom payments. A ban may reduce the likelihood of public funds being used to pay ransoms, but it does not reduce attacker incentives or fix underlying security weaknesses.

Awareness Is Only the First Step

GRIT’s research serves to remind us that awareness must lead to action. The ransomware landscape continues to evolve, blending established players with opportunistic newcomers. Understanding who is behind the attacks, and how they adapt, is key to strengthening defenses.

Download the full Q3 2025 Ransomware and Cyber Threat Insights Report to learn more.

This October, take a moment to reflect: Are you and your employees practicing the Core 4 every day? Small steps, done consistently, can stop big threats. Cybersecurity is everyone’s job, and together, we can all do our part to stay safe online.

Source: https://www.guidepointsecurity.com/blog/cam-grit-q3-2025-ransomwares-new-normal/