According to new research from KELA, 21% of all global ransomware activity this year was targeted at the US, with Canada, Germany, the UK, and Italy rounding out the top five hardest-hit countries.
This figure comes from KELA’s latest report, Escalating Ransomware Threats to National Security, which examines the scope and impact of ransomware activity globally between January and September 2025.
In the report, KELA observes that 50% of attacks targeted critical infrastructure sectors such as manufacturing, healthcare, energy, transportation, and finance—representing a 34% year-on-year increase.
Of these industries, manufacturing saw the largest growth, with attacks increasing 61% YoY. This trend has also been reflected in IBM’s most recent X-Force Intelligence Index, as well as Microsoft’s latest Digital Defense Report. The report cites disruptions to production at Bridgestone Americas and Jaguar Land Rover, the latter of which prompted the UK government to provide a $2bn (£1.5bn) loan to support the company’s supply chain following a month-long shutdown.
The surge in attacks against critical infrastructure organizations suggests a shift in the motives of ransomware actors, who are moving from opportunistic crime to the systemic disruption of national security. However, it’s important to note that even those focused on data exfiltration and operational disruption likely have dual financial motives.
“Ransomware operations should be understood not solely as financially motivated attacks but also as tactical instruments, capable of disrupting victim operations while inflicting financial and reputational damage,” explains Lin Levi, Threat Intelligence Team Lead at KELA. “In critical industries, such disruptions can have national-level consequences, undermining essential operations and eroding public trust.”
“To protect critical services, governments and critical industry sectors must prioritize proactive preventative measures and maintain continuous real-time monitoring to detect and respond to cyber threats,” Levi adds.
KELA’s research also found that, out of 103 active ransomware groups, just five—Qilin, Clop, Akira, Play, and SafePay—were responsible for almost 25% of all observed incidents.
These actors, according to the report, all leverage Phishing-as-a-Service platforms, double-extortion tactics, and Ransomware-as-a-Service ecosystems, which have notoriously made ransomware a much more accessible and scalable enterprise in recent years. With that scalability, the industry is seeing organized cybercrime groups that are able to operate with the reach and coordination of nation-state actors.
“For a long time, we’ve had the nation-state sponsored APT groups doing cyber espionage—sometimes cyber sabotage—and then on the other end of the spectrum we have cyber criminals that are financially motivated,” Robert Lipovsky, Principal Threat Intelligence Researcher at ESET, told Expert Insights. “Many years ago, there used to be quite a clear distinction: the APTs were the sophisticated and advanced ones, and the cybercriminals were mass spreading, going after the low-hanging fruit. But today, that’s no longer the case. The financially motivated groups have learned from the more sophisticated APTs, and in many cases even surpass them.”
“With these boundaries between those motivations diminishing and overlapping, a lot of these attackers are going after smaller companies. So, SMBs are not ‘safe’ from those groups that maybe a decade or two ago didn’t really go after them.”
To secure themselves against the threat of ransomware, organizations should practice good cyber hygiene by implementing multi-factor authentication, backups, patch management, email security, and a strong endpoint detection and response solution.