The report summarizes December 2025 ransomware activity, providing DLS-based victim counts, ransomware sample statistics (based on AhnLab diagnostic names), and trend data for top groups and affected industries. It notes a changed aggregation method for victim counts starting December 2025 and highlights active operations by groups such as Qilin and LockBit 5.0 targeting critical infrastructure sectors including manufacturing, healthcare, and finance. #Qilin #LockBit5_0
Keypoints
- Statistics are derived from AhnLab diagnostic names for ransomware samples and from Dedicated Leak Sites (DLS) collected by the ATIP infrastructure for affected companies.
- The aggregation method for ransomware victim organization statistics was updated beginning with the December 2025 reporting period, so direct comparisons to earlier monthly reports may be misleading.
- The report provides four main statistics: top 10 countries by ransomware group, industries of affected companies (December 2025), a 3-year trend of the top 10 ransomware groups, and 3-year DLS and detection statistics.
- Ransomware groups launched attacks across various industries worldwide in December 2025, with notable hits against critical infrastructure sectors such as manufacturing, healthcare, and finance.
- Both new ransomware groups and established groups (e.g., Qilin, LockBit 5.0, Everest) remained active, and the report tracks their trends and regional impacts.
- The AhnLab SEcurity intelligence Center (ASEC) blog publishes the βRansomware Detections and Statistics (Past 3 Years)β trend, while additional statistics are available in the AhnLab TIP report attachment.
MITRE Techniques
- [None ] No MITRE ATT&CK techniques are explicitly mentioned in the article β βThe article does not reference specific ATT&CK techniques.β
Indicators of Compromise
- [None ] The article does not list any specific IOCs such as IP addresses, domains, file names, or hashes β none provided.
Read more: https://asec.ahnlab.com/en/92139/