Frontline Insights - Ransomware Q3 2025 Report

Download our Frontline Insights
 

Frontline Insights - Ransomware Q3 2025 Report Excerpt:

In Q3-2025, ransomware activity settled into a lower baseline following the Q1 spike. Q1 peaked at 2,132 events (driven by February’s 939), before stepping down through Q2 to 1,437 total (April–June: 545 → 464 → 428). Q3 then edged lower to 1,405 (July–September: 489 → 455 → 461), a modest −2.2% quarter-on-quarter softening that suggests stabilisation rather than a fresh downturn. The pattern is consistent with a potential post-disruption recalibration in which major crews are retooling and affiliates are consolidating after fragmentation. At the same time, ransomware operators have grown increasingly selective, strategically focusing on targeted, higher-leverage intrusions that prioritise data-theft-first extortion over broad, indiscriminate attacks. This shift reflects a calculated approach in which attackers carefully choose victims based on their potential for maximum disruption and financial yield. Sectors such as healthcare, financial services and critical infrastructure remain prime targets due to their acute sensitivity to downtime, stringent regulatory obligations, and heightened exposure to reputational damage.

This document will cover:

  • TLDR

  • Overview

  • Ransomware Operations Q3-2025

  • Targeted Sectors

  • Manufacturing & Industrial Products

  • Professional Services

  • Engineering & Construction

  • Consumer and Retail

  • Healthcare & Life Sciences

  • Financial Services

  • Technology

  • Transport & Logistics

  • Education

  • Travel & Leisure

  • Closing Remark

Authors:

  • Evan Vougdis - Head of Cyber Intelligence and Response of NSB Cyber

  • Dimitri Dubuc - Cyber Analyst of NSB Cyber

 
 