State of Cyber 2025–2026

One year of continuous data collection. Every publicly claimed ransomware attack, every CISA KEV addition, every major breach, and every attributed threat actor — tracked, analyzed, and visualized.

8,099 Ransomware Attacks
294 New KEVs in 2025
3.88B Accounts Breached
72 Threat Actors Mapped

Source: CyberPrism production database. Ransomware: real-time collection via ransomware.live (Mar 2025–Mar 2026). KEV: full CISA catalog enriched with AI analysis; monthly charts show 2025+ additions only. Breaches: RSS feeds and HIBP (seeded May 2025, includes some backfill). Threat actors: cumulative from public threat intelligence.

Ransomware — 8,099 Incidents

Attacks escalated through 2025. Q4 averaged 815 attacks per month versus Q2's 550 — a 48% increase. Qilin grew 10x in 9 months to become the dominant group. Clop returned from a 6-month dormancy with mass exploitation of Oracle E-Business Suite (CVE-2025-61882). TheGentlemen emerged from zero to the fastest-growing group by Q1 2026.

Monthly Ransomware Volume

[Chart: attacks per month, Mar 2025 to Feb 2026; vertical axis 0 to 900]

Top 10 Ransomware Groups

[Bar chart; axis 0 to 1.2K. Groups in chart order:]
Qilin
Akira
INC Ransom
Play
SafePay
Sinobi
DragonForce
Clop
Lynx
TheGentlemen

Targeted Sectors

[Bar chart; axis 0 to 1.0K. Sectors in chart order:]
Manufacturing
Technology
Healthcare
Retail & Consumer
Financial Services
Construction
Legal & Professional
Education
Government
Transportation

Top 15 Targeted Countries

[Bar chart; axis 0 to 3.5K. Countries in chart order:]
United States
Germany
Canada
United Kingdom
France
Italy
Spain
Brazil
India
Japan
Australia
Mexico
Taiwan
Switzerland
Thailand

Day-of-Week Pattern

[Chart: incidents by day of week, Mon through Sun; axis 0 to 1,600]

40% of ransomware incidents have infostealer involvement — stolen credentials are the dominant initial access vector. The ransomware → infostealer → breach pipeline is circular and self-reinforcing.

CISA Known Exploited Vulnerabilities — 294 Added in 2025

CISA's KEV catalog grew 20% in 2025, from 1,239 to 1,533 entries (245 in 2025, 49 more in Q1 2026). Microsoft alone accounts for nearly 1 in 4 actively exploited vulnerabilities across the full catalog. Vendor rankings reflect the complete KEV catalog (since 2021), not just 2025 additions.

Monthly KEV Additions (2025–2026)

[Chart: KEV additions per month, Jan 2025 to Feb 2026; vertical axis 0 to 35]

Top Vendors in KEV (Full Catalog)

[Bar chart; axis 0 to 400. Vendors in chart order:]
Microsoft
Apple
Cisco
Adobe
Google
Oracle
Apache
Ivanti
VMware
D-Link
Fortinet
Linux

CVE Age When Added to KEV (2025+ additions)

[Chart: KEV additions by CVE age, in four categories: Same Year, 1 Year Old, 2–5 Years, 5+ Years; axis 0 to 180]

60% of newly added KEVs are from the current year — but 10% are 5+ years old. Attackers don't need zero-days when legacy systems remain unpatched.
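One way to reproduce this CVE-age breakdown against a local copy of the KEV feed, as an added example that is not CyberPrism's code. The sample records are constructed; age is assumed to be the year of `dateAdded` minus the year in the CVE ID, with 2 to 4 years counted as "2–5 Years" and 5 or more as "5+ Years".

```python
import json
import re
from collections import Counter
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. The field names
# (cveID, vendorProject, dateAdded) are the feed's; every value is invented.
SAMPLE_KEV = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2025-900001", "vendorProject": "VendorA", "dateAdded": "2025-03-04"},
 {"cveID": "CVE-2025-900002", "vendorProject": "VendorB", "dateAdded": "2025-07-15"},
 {"cveID": "CVE-2024-900003", "vendorProject": "VendorA", "dateAdded": "2025-01-20"},
 {"cveID": "CVE-2022-900004", "vendorProject": "VendorC", "dateAdded": "2025-09-02"},
 {"cveID": "CVE-2018-900005", "vendorProject": "VendorC", "dateAdded": "2025-11-10"},
 {"cveID": "CVE-2025-900006", "vendorProject": "VendorB", "dateAdded": "2026-01-08"},
 {"cveID": "CVE-2020-900007", "vendorProject": "VendorA", "dateAdded": "2024-06-01"}
]}""")

BUCKETS = ("Same Year", "1 Year Old", "2–5 Years", "5+ Years")

def cve_age(entry):
    """Years between the CVE ID's year and the year CISA added the entry."""
    match = re.fullmatch(r"CVE-(\d{4})-\d{4,}", entry["cveID"])
    if match is None:
        raise ValueError(f"malformed CVE ID: {entry['cveID']!r}")
    return date.fromisoformat(entry["dateAdded"]).year - int(match.group(1))

def age_bucket(age):
    # Assumed boundaries: the chart's labels overlap at 5, so 5 goes to "5+ Years".
    if age <= 1:
        return BUCKETS[max(age, 0)]
    return BUCKETS[2] if age < 5 else BUCKETS[3]

def additions_since(catalog, since):
    return [e for e in catalog["vulnerabilities"]
            if date.fromisoformat(e["dateAdded"]) >= since]

def age_distribution(catalog, since):
    counts = Counter({bucket: 0 for bucket in BUCKETS})
    counts.update(age_bucket(cve_age(e)) for e in additions_since(catalog, since))
    return dict(counts)

def legacy_backlog(catalog, since, min_age=5):
    """CVE IDs of recent additions old enough to signal long-unpatched systems."""
    return sorted(e["cveID"] for e in additions_since(catalog, since)
                  if cve_age(e) >= min_age)

if __name__ == "__main__":
    print(age_distribution(SAMPLE_KEV, date(2025, 1, 1)))
    print(legacy_backlog(SAMPLE_KEV, date(2025, 1, 1)))
```

The `legacy_backlog` list is the part to cross-check against an asset inventory: those are old CVEs that only recently earned a KEV entry.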

Data Breaches — 98 Breaches, 3.88 Billion Accounts

CyberPrism's breach database was seeded in May 2025, backfilling some historical entries alongside new disclosures. The mean breach size is 40.8 million accounts, but the median is just 690K — extreme skew from a handful of billion-record stealer log compilations. Stealer log dumps dominate the top spots, while traditional corporate breaches (Under Armour, Canadian Tire, Coupang) cluster in the 10M–70M range.

Top 15 Breaches by Affected Accounts (Log Scale)

[Bar chart; log-scale axis from 1M to 10B accounts. Breaches in chart order:]
Synthient Credential Stuffing
IDMerit
ALIEN TXTBASE Stealer Logs
Synthient Stealer Logs
Data Troll Stealer Logs
Under Armour
Canadian Tire
Coupang
SoundCloud
Prosper
Operation Endgame 2.0
Free
CarGurus
Storenvy
Raaga

Most Commonly Exposed Data Types

[Bar chart; axis 0 to 100. Data types in chart order:]
Physical Addresses
Email Addresses
Phone Numbers
Passwords
IP Addresses
Usernames
Personal Info
Dates of Birth
Geolocation
Credit Cards
Social Security
Health Records

Nearly every breach exposes email and physical addresses. Passwords are exposed in over a third. Financial data (credit cards, SSN) is rarer but devastating when present.

Threat Actors — 72 Mapped, 504 Referenced

CyberPrism's threat actor database is enriched from threat intelligence feeds and public reporting — these are cumulative figures, not limited to 2025 activity. China accounts for over half of all attributed threat actors — more than Russia, North Korea, and Iran combined. The “Big Four” account for 93% of all attributed actors. Notably, Intellexa (commercial spyware) ties Seashell Blizzard (Russia/GRU) for the most CVEs exploited.

Threat Actor Origin Countries

[Donut chart: 96 attributed; labelled slices 53%, 17%, 14%, 9%]
China (51)
Russia (16)
North Korea (13)
Iran (9)
Israel (2)
Türkiye (2)
Others (3)

Top CVE Exploiters

[Bar chart; axis 0 to 15. Actors in chart order:]
Seashell Blizzard
Intellexa
UNC6353
Silk Typhoon
UNC6691
GRU Unit 74455
Ghost Ransomware
WARP PANDA
UNC5221
Black Basta
Play Ransomware
Forest Blizzard

Commercial spyware (Intellexa/Predator) is as prolific as nation-state actors in CVE exploitation. Mercenary spyware is no longer a niche concern — it's a top-tier threat.

Cross-Domain Insights

Ransomware + Infostealers

40% of ransomware incidents have infostealer involvement. Combined with 36% of breaches exposing passwords, stolen credentials are the dominant initial access vector. The pipeline is circular and self-reinforcing.

Manufacturing Under Siege

Manufacturing is #1 in ransomware targeting (943 attacks) and #4 in threat actor targeting. High revenue, low security maturity, and OT dependence make it the preferred target for financially motivated attackers.

The Long Tail of Vulnerabilities

10% of 2025's KEV additions were for vulnerabilities 5+ years old. Attackers don't need zero-days when legacy systems remain unpatched. The KEV catalog is as much about historical debt as current threats.

China's Scale Advantage

With 51 attributed threat actors — more than Russia, North Korea, and Iran combined — China operates the largest known state-sponsored cyber capability. Their targeting of Government, Defense, and Technology aligns with strategic intelligence priorities.
