A global cybersecurity report released for 2025 documents a sharp increase in cyber threats worldwide. The analysis recorded a 50% year-over-year rise in ransomware incidents, data breaches reaching their second-highest level on record, and sustained activity in underground markets selling compromised corporate access. The findings indicate a convergence of multiple attack vectors contributing to elevated cyber risk.

The report documented 5,967 ransomware attacks, 6,046 data breaches and data leaks, and 3,013 instances of compromised initial access being offered for sale. These figures reflect increased activity across ransomware operations, data theft, and access brokerage.

The ransomware landscape showed notable structural changes during the year. New groups increased activity following disruptions to established actors. Akira emerged as one of the most active ransomware groups, with campaigns affecting sectors such as construction, manufacturing, and professional services. CL0P conducted a large-scale campaign exploiting zero-day vulnerabilities in enterprise file transfer software, primarily affecting consumer goods, logistics, and IT organizations.

Key ransomware observations include:

• 5,967 ransomware attacks globally in 2025
• Manufacturing identified as the most targeted sector
• Construction, professional services, healthcare, and IT among the most affected industries
• The United States recorded the highest number of incidents, with Australia entering the top five for the first time
• 31 incidents impacted critical infrastructure

Data breach activity remained high, with government and law enforcement agencies accounting for 998 incidents, representing 16.5% of all recorded breaches. Banking, financial services, and insurance organizations followed with 634 incidents. Together, these sectors accounted for more than a quarter of all breaches, reflecting continued targeting of sensitive public and financial data. The report also analyzed activity in underground access markets, identifying 3,013 sales of compromised access credentials. Retail organizations were the most targeted, followed by financial services and government entities, indicating sustained demand for access to data-rich environments.

Exploitation of vulnerabilities played a central role in attack activity. Frequently exploited weaknesses included remote code execution flaws in widely used enterprise software. Ninety-four zero-day vulnerabilities were identified during the year, with 25 receiving severity scores above 9.0. More than 86% of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog had severity scores of 7.0 or higher.

Geopolitically motivated cyber activity also increased. More than 40,000 data leak and dump posts from hacktivist groups were recorded, affecting over 41,400 domains across sectors. Activity was linked to geopolitical conflicts, including cyber operations associated with Middle East tensions, South Asia-related intrusion attempts, and North Korean IT worker fraud schemes. Tactics included distributed denial-of-service attacks, website defacements, and data breaches targeting government and critical infrastructure systems.

Industry-specific analysis highlighted manufacturing as the most targeted sector due to operational technology dependencies and low tolerance for downtime. Construction organizations were targeted for time-sensitive projects, while professional services firms were affected due to access to client data. Healthcare organizations continued to face frequent attacks, and IT service providers were targeted as entry points for broader supply chain compromise.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!