Like it or not, ransomware has been a durable and formidable thorn in the side of business, government and defenders.  

And this year has proved no different, with the uptick in ransomware continuing in the third quarter of 2025. This year to date, ransomware cases have zoomed up 47% over the same period last year, according to data compiled by NordStellar. That amounted to a whopping 6,330 incidents. 

Just between July and September, the number of ransomware cases topped 1,943, representing a 31% increase over Q3 last year.  

U.S. companies were most frequently in the crosshairs, accounting for 57% of all cases. The manufacturing sector found itself to be targeted as well, making up 19.7% of the cases. 

Small and medium-sized businesses may want to sharpen their defenses because they continue to be primary targets for ransomware attacks. 

We all know that keeping up with ransomware gangs and their affiliates still looks a lot like a proverbial game of whack-a-mole but NordStellar found that Qilin and Akira, two established ransomware groups, were behind the bulk of attacks. That’s mirrored in research from Ontinue that found the 4,000 claimed ransomware breaches in H1 2025 were spearheaded by CL0P, AKIRA and QILIN. 

“The continued rise in incidents shows that ransomware is still effective and highly profitable, incentivizing cybercriminals to ramp up activity,” the trends showing, in short, ransomware threats are here to stay,” according to a NordStellar blog post. 

But NordStellar warns that “attackers won’t necessarily hand the decryption key to restore access even after the ransom is paid.” Often, the blog post said, “the systems or files will stay locked for the second ransom, leaving companies to suffer dire consequences—financial, reputational, and legal.” 

Brandon Williams, CTO at Conversant Group, says Conversant’s research “shows that 93% of cyber events involve targeting of backup repositories, and 80% of data thought to be immutable does not survive.” 

But he explains that “being able to recover, but having no place to recover, will result in longer outages and larger business interruption costs.” 

That will make it necessary to make “strategic breach recovery plans that integrate real-time threat detection, adaptive defenses and incident response protocols,” Williams says. “The most effective component of breach recovery plans is immutable backups, which are essential for fast recovery from breaches.” 

Their tamper-proof design, he says, “guarantees the integrity of stored data and reduces recovery time while allowing for rapid restoration without the risk of reintroducing infected or corrupted files.” 
James Maude, field CTO at BeyondTrust, says that to deal effectively with ransomware and other threats, it’s crucial to “invest in shifting left and think more about securing identities and access to reduce our attack surface and blast radius in the event of compromise, rather than just thinking post breach.”  

Ransomware and other threats, he says, “are only as effective as the privileges and access they manage to acquire so if we can implement better hygiene and focus on least privilege, then the threat actors are far less likely to ransomware us in the first place.”