Ransomware Continuing as Most Dominant Cyber Threat


According to a recent report by Check Point Software, the number of publicly disclosed ransomware incidents increased approximately 60% year over year as of December.  In fact, there were nearly 1,000 reported incidents in December alone. This marks a clear increase in the consistency and scale of ransomware growth.

A potential contributor to this increase is that ransomware is becoming an increasingly industrialized business model. Ransomware-as-a-service (RaaS) ecosystems allow actors to onboard quickly, use tooling that has already been proven, and operate at a high tempo.

The report also points out that ransomware incidents tend to concentrate in economically dense areas. North America, for example, accounted for over half of all reported incidents, with Europe following as the second most targeted region. These areas are attractive to attackers because they provide a combination of higher ransom potential, higher disruption potential, and greater public exposure.  Latin America specifically had a surge in ransomware incidents with a sharp increase of 26% in the number of attacks.

 

 

(Figure. Source: Check Point)

Another proposed contributor to the rise in ransomware incidents is the rapid and often unmanaged adoption of generative AI tools in enterprise environments. Some organizations use more than ten different AI platforms simultaneously, and this is frequently coupled with inadequate management and data loss controls. This means that a sizeable number of AI prompts contain sensitive information, opening up the possibility of data leakage. It has even been estimated that about 1 in 27 AI prompts carries a high risk of exposing information.

At this point, it seems clear that ransomware is becoming more of a steady constant in the threat landscape and less of a seasonal or episodic problem.

As far as ransomware groups are concerned, Qilin emerged as one of the most active groups in the last year, being responsible for approximately 18% of reported incidents. LockBit affiliates and Akira were also quite active over the course of the year, accounting for approximately 12% and 7% of reported incidents respectively.

(Figure. Source: Security Week)

As one might expect, attacks targeted Windows, Linux, and ESXi environments, especially where virtualization or centralized management is in play, creating opportunities for wider impact. What's more, simply encrypting data no longer seems to be seen as sufficient leverage for ransom, and double-extortion tactics have become more widely used.

In terms of targets, the education sector experienced the highest volume of attacks, followed by government entities and nonprofits. This makes sense because these sectors are made up of large numbers of users with potentially more limited resources, particularly where security or infrastructure is concerned. We see this with the recent attack against the JBS Mental Health Authority, where the Medusa ransomware group claimed to have stolen over 160 GB of client and operational data, or with the recent attack against the city of St. Paul, Minnesota, which prompted National Guard activation and the effective shutdown of the city's resources to reach containment.

One of the first insights one might take from all of this is that ransomware attacks are increasing not only in volume, but also in organizational impact. With this in mind, it could be wise moving forward to focus more on preventative measures than on reactive ones.

The sophistication of attacks is also increasing, which we see with things like the recently discovered malware framework called VoidLink, which is said to have been developed by a single person with AI assistance. These developments heighten the importance of layered security controls, like identity and access management, network segmentation, behavior-based detection, etc.

(Figure. Source: Quandary Peak Research)

These insights also lead one to believe that the role of AI in potential risk exposure is quite significant.  While these AI tools do offer productivity benefits, they might also be creating blind spots in enterprise environments, especially if they aren’t adhering to adequate data governance, logging, or security control standards.

Appropriately enough, the human element is also critical to keep in mind.  Social engineering, credential theft, and the misuse of trusted brands are often used for initial access and exploitation in ransomware attacks.

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

 

 

[1]: https://blog.checkpoint.com/research/latin-america-sees-sharpest-rise-in-cyber-attacks-in-december-2025-as-ransomware-activity-accelerates/

[2]: https://cybermagazine.com/news/checkpoint-ransomeware-up-60-as-gen-ai-data-risk-soars

[3]: https://thehackernews.com/2026/01/voidlink-linux-malware-framework-built.html

[4]: https://quandarypeak.com/2026/01/the-new-shockwave-ai-generated-cyber-attacks/

[5]: https://www.securityweek.com/covenant-health-data-breach-impacts-478000-individuals/

 

 
