7,655 Ransomware Claims in One Year: Group, Sector, and Country Breakdown

> 141 countries appeared in the dataset. US organisations are the most frequent targets at 40%, but the remaining 60% spans six continents. European subsidiaries, APAC operations, and Latin American offices are all represented

Love how this subtly implies that only the US has independent companies, every other region just has subsidiaries and branch offices of US companies

And as an industry, we claim we are completely helpless against ransomware. We create all kinds of organizations and alliances such as FIDO and ICANN. Against ransomware, complete silence.

> Of 129 active groups, the top five posted 3,027 of the 7,655 claims (40%). After them, the field fragments quickly.

Does it?

The 4th group accounted for 5.0%, 5th was 4.5%, 6th was 3.4% and 10th was 2.5%, I think it doesn't fragment particularly any more quickly after the top 5 than within the top 5.

Is this LLM analysis?

this is a great representation of how clueless the security industry is.

the made up dimensions on this analysis are great for tech illiterate middle managers. while anyone with a brain known that script kiddies just execute a vuln scanner and only care to filter .mil and .ru targets. what country or industry? please. they barely will look at the country to give a discount on the ransom if it's too poor.

you can make the case that certain industries buy more irresponsible tech ptoducts as a whole, but it's mostly irrelevant to read into the attackers.

the whole tech industry security is made up exclusively of blame shifting.

The 40% acceleration in the second half is the number that jumps out. That is not just "more groups", something changed operationally in the ecosystem around September 2025.

SafePay dominating Germany with 72 claims is worth watching. Most ransomware analysis focuses on US-heavy groups, but a group concentrating on a single non-US market suggests either language capability, specific supply chain access, or targeting of regulatory environments where disclosure pressure increases payment rates. Germany's strict GDPR enforcement could make the threat of a leak more effective than in markets where fines are lower.

The 35% of claims with no sector attribution is a significant gap. If those ~2700 unattributed claims skew toward smaller organizations without public sector classification, the actual concentration in SMB targets could be much higher than the data shows.

The point about ecosystem resilience is the most important takeaway for defenders. 129 active groups means the threat model is not "prevent group X" but "assume breach and limit blast radius." That shifts investment from detection toward segmentation, backup isolation, and recovery speed.