Dive Brief:
- The number of ransomware attacks that hackers claimed on dark-web leak sites rose by nearly one-fifth in 2025, to 6,883, while the total number of leak sites increased by roughly one-third, to 115, the security firm Bitsight said in its annual “State of the Underground” report.
- Ten groups — five of them associated with Russia — were responsible for roughly 58% of attacks, according to the report, suggesting a remarkable concentration of activity.
- Roughly 60% of ransomware victims were in the U.S., with the manufacturing sector topping the list.
Dive Insight:
While ransomware attacks surged, traditional data breaches fell by 41% in 2025 compared with the previous year. Bitsight cautioned, however, that the decline was likely the result of reporting gaps and evolving threat-actor behavior rather than a reduction in risk.
“Attacker focus shifted toward domino-effect targets, including critical infrastructure and defense, government, and utilities,” researchers wrote.
Educational institutions experienced the most data breaches in 2025, with 505, followed by government (475) and IT (469). That represented a significant shift from 2024, when IT topped the list, with 1,210 breaches.
The data-breach landscape in 2025 was “less dominated by a single sector and more distributed across industries with personally identifiable information (PII) and operational and supply chain importance,” Bitsight said in its report.
As AI tools have become more useful for defenders, they have also become increasingly valuable to hackers. On the cybercrime forums and Telegram channels that Bitsight monitors, the company tracked 5.1 million mentions of Google’s Gemini platform, 1.4 million mentions of OpenAI’s ChatGPT service, 656,000 mentions of Anthropic’s Claude tool and 697,000 mentions of xAI’s Grok chatbot.
Misconfigured and poorly secured AI platforms also represent weak spots in businesses’ networks. The number of publicly exposed AI tools increased by 360% in 2025, to more than one million, led by instances of n8n and Open WebUI, both of which have had serious vulnerabilities.
Hackers’ increased use of AI tools and businesses’ increased use of vulnerable AI services mean that security teams can’t rely on old strategies, Bitsight said.
“As the window between vulnerability, discovery, and exploitation shrinks, prioritization will play a larger role as both defenders and threat actors learn how to leverage AI for their needs,” researchers wrote. “We are no longer in an era where critical vulnerabilities can be patched on a schedule.”