The New Global Map of Ransomware

Ransomware has entered a new phase of expansion. This is the central conclusion of the latest Global Threats Review report for the second half of 2025. In this phase, geographical boundaries and traditional attack patterns are rapidly changing.

According to the report published by CyberCube, attackers are no longer focused solely on well-known regions or industries. This shift has made it increasingly difficult for cybersecurity managers and decision-makers to predict the next hotspots of threat activity.

In this study, researchers examined incident patterns, risk levels across different industries, and the behavior of threat groups to identify the trajectory of ransomware expansion and future high-risk areas. The findings indicate that the growth of attacks has accelerated, particularly in markets that previously experienced lower levels of cyber threats. Attackers are increasingly targeting environments with weaker defenses or slower implementation of security controls.

The continued activity of well-known ransomware groups has also played a significant role in this trend. Among them, the LockBit group remains particularly active. Its operations across multiple countries have coincided with increased risk levels, especially within public sector organizations. The CyberCube report shows that this overlap is clearly observable in several regions worldwide.

From an industry perspective, the disparities are substantial. A comparison of cybersecurity postures across sectors reveals that some industries benefit from stronger infrastructure and better cyber hygiene, while others exhibit more frequent warning signs, such as open ports, unpatched software, and exposed remote access services. However, the report emphasizes that even within a single industry, organizations cannot be assumed to have the same level of cyber resilience.

The public sector is a key focus of the report. According to the data, 53 percent of state and local government entities worldwide fall into the high-risk category for LockBit attacks, placing this sector among the most vulnerable overall. Variations in security maturity and inconsistencies in the implementation of controls continue to make these organizations attractive targets for attackers.

Further analysis shows that a portion of public sector organizations face both high threat exposure and weak security postures simultaneously—a combination that closely aligns with attackers’ target selection criteria. By contrast, other organizations, while still highly exposed, benefit from stronger security controls that reduce the likelihood of a successful ransomware attack.

Overall, the report underscores the importance of paying close attention to early indicators of changing threat behavior—signals that may point to rising ransomware activity in specific regions or industries. Increasing security weaknesses, delays in patching, and an expanding attack surface remain key drivers of this threat. Continuous monitoring of these factors is essential for effective defensive responses in the months ahead.