story

7,655 Ransomware Claims in One Year: Group, Sector, and Country Breakdown (opens in new tab)

ciphercue.com

61 pointsadulion1mo ago14 comments

14 comments

> 141 countries appeared in the dataset. US organisations are the most frequent targets at 40%, but the remaining 60% spans six continents. European subsidiaries, APAC operations, and Latin American offices are all represented

Love how this subtly implies that only the US has independent companies, every other region just has subsidiaries and branch offices of US companies

ninalanyon1mo ago

You could also read it as saying that it's only companies that are ultimately US owned that are affected :-)

jstanley1mo ago

> Of 129 active groups, the top five posted 3,027 of the 7,655 claims (40%). After them, the field fragments quickly.

Does it?

The 4th group accounted for 5.0%, 5th was 4.5%, 6th was 3.4% and 10th was 2.5%, I think it doesn't fragment particularly any more quickly after the top 5 than within the top 5.

Is this LLM analysis?

thes1lv3r1mo ago

They don't mention it explicitly on the website that I could find, but the product goals and stated functionality lean heavily in the LLM direction.

The text also reads very LLM-like, so I'd say yes.

wongarsu1mo ago

Always a bit harder to tell with marketing pieces because both LLMs and marketing love certain patterns and heavily lean on saying things that seem meaningful but are actually non-sequiturs.

But I agree that this seems at least LLM-assisted

rawgabbit1mo ago

And as an industry, we claim we are completely helpless against ransomware. We create all kinds of organizations and alliances such as FIDO and ICANN. Against ransomware, complete silence.

elevation1mo ago

Ransomware as most people imagine it is a solved problem. After a close call, my employer invested in ZFS-backed storage. Our recovery time for recovery from accidental deletion went from "days of copying from offsite backups" to just minutes.

The only problem is when people build storage on ancient filesystems that don't support low-cost snapshots.

elevation1mo ago

> as most people imagine it

Which is to say, a conventional ransom: "pay us to restore your un-backed-up files".

But if the attacker has already exfiltrated your files to machines you don't control, and the ransom is "pay or we'll publish", then you'll need more than a modern filesystem to prevent this.

rawgabbit1mo ago

We are seeing coordinated attacks where multiple systems have been compromised. It is not a simple restore from backup because they have stolen admin credentials and can repeatedly wreck the kludge of modern and legacy systems most companies deal with. For example, UMMC hospitals lost access to their Epic system, phone lines, and email.

https://www.comparitech.com/news/cybercriminals-say-they-hac...

giancarlostoro1mo ago

I think it will only get worse, as skiddies get access to LLMs. The number of mainstream maintainers being hacked is quite alarming.

iririririr1mo ago

this is a great representation of how clueless the security industry is.

the made up dimensions on this analysis are great for tech illiterate middle managers. while anyone with a brain known that script kiddies just execute a vuln scanner and only care to filter .mil and .ru targets. what country or industry? please. they barely will look at the country to give a discount on the ransom if it's too poor.

you can make the case that certain industries buy more irresponsible tech ptoducts as a whole, but it's mostly irrelevant to read into the attackers.

the whole tech industry security is made up exclusively of blame shifting.

jpfromlondon1mo ago

>tech illiterate middle managers

Why they're the very fellows signing the cheques to the:

>clueless ... security industry

gebalamariusz1mo ago

The 40% acceleration in the second half is the number that jumps out. That is not just "more groups", something changed operationally in the ecosystem around September 2025.

SafePay dominating Germany with 72 claims is worth watching. Most ransomware analysis focuses on US-heavy groups, but a group concentrating on a single non-US market suggests either language capability, specific supply chain access, or targeting of regulatory environments where disclosure pressure increases payment rates. Germany's strict GDPR enforcement could make the threat of a leak more effective than in markets where fines are lower.

The 35% of claims with no sector attribution is a significant gap. If those ~2700 unattributed claims skew toward smaller organizations without public sector classification, the actual concentration in SMB targets could be much higher than the data shows.

The point about ecosystem resilience is the most important takeaway for defenders. 129 active groups means the threat model is not "prevent group X" but "assume breach and limit blast radius." That shifts investment from detection toward segmentation, backup isolation, and recovery speed.

grosswait1mo ago

This not a helpful (nor human) comment despite all the words

j / k navigate · click thread line to collapse

14 comments

wongarsu1mo ago

Love how this subtly implies that only the US has independent companies, every other region just has subsidiaries and branch offices of US companies

ninalanyon1mo ago

You could also read it as saying that it's only companies that are ultimately US owned that are affected :-)

jstanley1mo ago

> Of 129 active groups, the top five posted 3,027 of the 7,655 claims (40%). After them, the field fragments quickly.

Does it?

The 4th group accounted for 5.0%, 5th was 4.5%, 6th was 3.4% and 10th was 2.5%, I think it doesn't fragment particularly any more quickly after the top 5 than within the top 5.

Is this LLM analysis?

thes1lv3r1mo ago

They don't mention it explicitly on the website that I could find, but the product goals and stated functionality lean heavily in the LLM direction.

The text also reads very LLM-like, so I'd say yes.

wongarsu1mo ago

Always a bit harder to tell with marketing pieces because both LLMs and marketing love certain patterns and heavily lean on saying things that seem meaningful but are actually non-sequiturs.

But I agree that this seems at least LLM-assisted

rawgabbit1mo ago

And as an industry, we claim we are completely helpless against ransomware. We create all kinds of organizations and alliances such as FIDO and ICANN. Against ransomware, complete silence.

elevation1mo ago

The only problem is when people build storage on ancient filesystems that don't support low-cost snapshots.

elevation1mo ago

> as most people imagine it

Which is to say, a conventional ransom: "pay us to restore your un-backed-up files".

But if the attacker has already exfiltrated your files to machines you don't control, and the ransom is "pay or we'll publish", then you'll need more than a modern filesystem to prevent this.

rawgabbit1mo ago

https://www.comparitech.com/news/cybercriminals-say-they-hac...

giancarlostoro1mo ago

I think it will only get worse, as skiddies get access to LLMs. The number of mainstream maintainers being hacked is quite alarming.

iririririr1mo ago

this is a great representation of how clueless the security industry is.

you can make the case that certain industries buy more irresponsible tech ptoducts as a whole, but it's mostly irrelevant to read into the attackers.

the whole tech industry security is made up exclusively of blame shifting.

jpfromlondon1mo ago

>tech illiterate middle managers

Why they're the very fellows signing the cheques to the:

>clueless ... security industry

gebalamariusz1mo ago

The 40% acceleration in the second half is the number that jumps out. That is not just "more groups", something changed operationally in the ecosystem around September 2025.

grosswait1mo ago

This not a helpful (nor human) comment despite all the words

j / k navigate · click thread line to collapse