The year 2025 has confirmed the worst fears of digital security experts: the ransomware epidemic continues to expand, with no signs of cooling. In the first months of 2025, the global volume of ransomware attacks took an impressive leap, with an increase of 126% compared to the previous year, according to SonicWall data. Between January and June, 4,198 cases of attacks were exposed on dark web forums, almost 50% above the number recorded in the same period of 2024.
Criminals are profiting from and reinvesting in these digital offensives, making them increasingly frequent and sophisticated. Despite affecting organizations of all sizes, some sectors and company profiles have suffered more intensely. The impacts have been compounded by the difficulty of protecting geographically distributed operations and the persistence of legacy systems without security fixes.
In addition, small and medium-sized enterprises are not left unscathed: organizations with between 50 and 200 employees have led the statistics worldwide. Studies indicate that this vulnerability of medium-sized enterprises is due, in part, to dependence on third-party IT vendors and the lack of comprehensive cybersecurity measures.
Global escalation and most active groups of 2025
Amid this global wave of attacks, some ransomware groups stand out for their aggressiveness and volume of incidents caused. In the second quarter of 2025, for example, three gangs topped the ranking of criminal activity: the Qilin group was responsible for 214 attacks in the period, closely followed by SafePay (with 201 incidents) and Akira (200 attacks). These relatively new names join the ranks of the already known digital crime conglomerates.
Veteran groups like LockBit 3.0, BlackCat (ALPHV) and Cl0p remain among the most feared and active in the world. To give an idea of the scale, LockBit alone has been credited with more than 1,400 attacks in the first three months of 2025. This large-scale operation capability makes LockBit and the like a ubiquitous threat on several continents. The United States continues to lead in number of victims, concentrating about half of the cases reported worldwide in early 2025.
But the activity of these groups is truly global: companies in Europe, Asia and other regions are also in the crosshairs, including less prepared emerging markets. In practice, criminals target wherever there is money and vulnerabilities. Critical sectors such as industry, financial services, health and even education have already been hit by different ransomware variants. In Brazil and Latin America the scenario is no different, with attacks paralyzing everything from factories to government agencies. For the victim organizations, the loss goes far beyond the ransom payment: there is interruption of essential operations, loss of sensitive data and potentially devastating reputational damage.
Latin America in the crosshairs: critical sectors and strategic responses
If one still sees Latin America as a supporting player in the cyberthreat landscape, recent numbers dispel this misconception. The region has become a strategic target for both financially motivated gangs and other malicious actors. According to CrowdStrike's report, ransomware attacks have grown by 15% in Latin America over the last year, most notably in Brazil, Mexico and Argentina. Brazil, in particular, is the country most targeted by cybercriminals in the region, leading not only in the number of incidents but also in the volume of stolen data exposed in dark web leaks.
A SonicWall survey reinforces this scenario: Latin America presented the largest proportional increase in ransomware attacks in 2025, with Brazil registering more than 4 thousand attacks in the first quarter of the year alone. In February 2025, the country reached a historic peak, with more than 960 ransomware attacks in a single month.
These statistics highlight that the region has definitely entered the crosshairs of global ransomware groups. Several factors explain this trend. Heterogeneous digital infrastructure, still-low maturity in security governance and laws that are still evolving make many Latin American countries vulnerable targets, in experts' assessment.
For criminals, markets like Brazil offer a favorable cost-benefit ratio: the chances of success are high and, often, the ransom amounts paid locally can approach those seen in richer countries. As a result, the focus of attacks is migrating: gangs that previously targeted primarily Europe or the US have now expanded their campaigns to Latin America.
Reports indicate that industry, government, agriculture, energy and retail are among the preferred targets of attacks in the region. In other words, essential infrastructure, public services and strategic businesses alike have suffered interruptions and data leaks.
In this scenario, the reality is clear: there is no more room for improvisation or neglect. Latin American companies need to abandon the reactive stance and adopt a proactive and integrated strategy that combines robust technology, rigorous processes and constant awareness among teams. Ransomware attacks will not disappear soon, and those who are slow to react will likely face larger and more frequent crises.
It is now up to business leaders to recognize that cybersecurity is no longer just a technological challenge, but a matter of strategic survival for business. Investing in sound preventative measures, strengthening response plans, and prioritizing digital security as a fundamental pillar is the only viable path to protecting business continuity.
The issue is no longer “if” an organization will be attacked, but rather “when”. Therefore, being one step ahead of criminals, with an assertive and defensive posture, will be the differential between companies that will succumb to attacks and those that will thrive, even in the face of the constant threat of ransomware.