Ransomware attacks surged 35% in Q1 2025 compared to Q4 2024, with over 2,200 victims listed on leak sites.
The number of active ransomware groups grew to 70, a 55.5% YoY increase.
Phishing remains the top ransomware delivery vector, accounting for 45% of attacks.
Healthcare remains the most targeted industry, with millions of patient records compromised.
Global cybercrime costs are forecast to reach $10.5 trillion in 2025.
Introduction
Cybercrime has grown at a never-before-seen rate in the first half of 2025. These past six months have demonstrated the importance of staying informed, from ransomware incidents that set records to phishing schemes that take advantage of new technologies.
This report compiles the most important cybersecurity statistics across Q1 and Q2 2025 to help you:
Understand how attack methods are evolving
Benchmark your organization’s readiness
Make data-driven decisions to improve defenses
Below, you’ll find key trends, charts, and downloadable resources you can use in presentations, security briefings, or budget justifications.
1. Quarterly Ransomware Attack Volume
Ransomware remains the fastest-growing threat in 2025. The first quarter alone saw more victims listed on leak sites than in any previous quarter on record.
Key Data:
Q1 2025: 2,063 ransomware victims
Leak site counts climbed 35% over Q4 2024
Clop, Akira, and LockBit were the most active groups
Ransomware Victim Count by Quarter (Q4 2024 vs. Q1 2025)
What This Means: The rise reflects both more frequent attacks and attackers' growing confidence in extorting victims by publishing stolen data.
2. The Expanding Ransomware Ecosystem
More groups are joining the ransomware market than ever before.
Key Data:
170 active ransomware groups were tracked in Q1 2025.
That’s a 16.7% increase over Q4 2024 and a 55.5% increase year-over-year.
Number of Active Ransomware Groups Over Time
What This Means: With so many groups active, each using different tactics, a one-size-fits-all defense strategy is no longer sufficient.
3. Attack Frequency & Breach Records
Cyber attacks are occurring with near-continuous frequency.
Key Data:
Globally, an attack happens every 39 seconds, totalling about 2,200 per day.
Q1 2025 saw a 186% increase in breached records.
Fake update scams increased 1,700% over Q4 2024.
Attack Frequency & Record Breaches
Attack Frequency Snapshot
| Metric | Value |
| --- | --- |
| Attacks per Day | 2,200 |
| Attacks per Hour | ~91.6 |
| Attacks per Minute | ~1.5 |
| Attack Interval | Every 39 seconds |
What This Means: Cybercrime is no longer sporadic—it is a constant operational threat requiring persistent vigilance.
4. Phishing & Vishing: Social Engineering Surges
Human error remains the most exploited vulnerability.
Key Data:
45% of ransomware attacks began with phishing.
Vishing incidents (voice phishing) increased 1,633% over Q4 2024.
What This Means: Even sophisticated security tools can be undermined by social engineering. Ongoing employee education is non-negotiable.
5. The Cost of Cybercrime
Cybercrime is one of the most lucrative underground economies in history.
Key Data:
Estimated global cost in 2025: $10.5 trillion.
Projected to reach $23 trillion by 2027.
Average cost per data breach: $4.88 million.
Cybercrime Cost Estimates
What This Means: Cybersecurity is not an expense—it is a core business continuity investment.
6. Industry Spotlight: Healthcare Breaches
Healthcare remains a top target for ransomware and data theft.
Key Data:
934,326 patient records were stolen in the Frederick Health ransomware incident.
In April 2025 alone, breaches at Yale Health, DaVita, and Blue Shield of California affected nearly 5 million individuals.
Healthcare Breach Volume
What This Means: Healthcare providers must balance patient care with strict data protection measures or risk catastrophic exposure.
7. Emerging Threats in 2025
Attackers are evolving their methods faster than many defenders can adapt.
AI-powered malware automates reconnaissance and exploitation.
Deepfake phishing is becoming a tool for high-value executive impersonation.
Supply chain attacks continue to ripple through entire industries.
What This Means: Traditional perimeter security is obsolete. Organisations need layered, adaptive defenses and strong third-party risk controls.
Conclusion
Data from the first half of 2025 supports the suspicions of many in the industry that cybercrime is increasing in volume and sophistication.
Our incident response team at Bluefire Redteam are witnessing firsthand how phishing crews and ransomware operators are changing their strategies at a rate that is difficult for many organisations to keep up with. Businesses are currently dealing with the reality of deepfake social engineering and AI-powered malware.
Our perspective is clear:
If your organization is not continuously testing your defenses, updating playbooks, and actively training employees, you are already behind the curve.
Checkbox compliance and yearly security reviews are no longer sufficient. Today’s most resilient businesses view cybersecurity as an operational discipline rather than an IT project.
Bluefire Redteam strongly recommends:
Conducting regular tabletop exercises to test your incident response skills in real-world scenarios.
Confirming the immutability and segregation of backups.
Reviewing supply chain risks, especially in relation to managed service providers and SaaS.
Preparing clear internal communications plans to reduce confusion during an incident.
If you aren’t confident that your organisation could detect and respond to the threats outlined in this report, now is the time to act.
Bluefire Redteam can assist you in evaluating your preparedness, putting in place tested security measures, and creating a resilient culture.