2025 Ransomware Threat Landscape: Impact on Korean Enterprises
Overview and Background
The number of ransomware attacks has been increasing worldwide in recent years, and Korean companies are not exempt from this trend. The situation is particularly acute in Asia, where ransomware attacks have surged since 2023. This growing trend has prompted a need for a systematic analysis of the situation and the damage caused by these attacks.
This report is based on information posted on the dedicated leak sites (DLS) of ransomware groups. The analyzed data consists of the date of the attack, the title of the post on the DLS, the name of the ransomware group, the name of the victim company, and the industry to which the company belongs. Using this information, the report focuses on the trends of ransomware attacks against Korean companies and the damage caused by these attacks in each industry from November 2024 to October 2025.
This analysis took a comprehensive approach by including the overseas subsidiaries of large Korean corporations in the scope of “Korean corporations.” This was done in consideration of the fact that the damage caused by overseas subsidiaries in a global business environment directly affects the overall business continuity of the parent company.
Overview of the Analyzed Data
The data used in this report was collected from the DLS operated by the major ransomware groups. The analysis covers a total of 60 cases of ransomware attacks against Korean companies from November 2024 to October 2025, which were collected from the DLS and various media outlets. Each case includes the date of the attack, the name of the victim company, the name of the ransomware group, and the industry to which the company belongs.
The following criteria were applied to the data collection process. First, the scope of Korean companies included companies with headquarters in Korea and their overseas branches. This was based on the judgment that overseas branches are closely connected to the headquarters, and attacks against the branches ultimately lead to damage to the Korean companies. Second, the time of attack occurrence was based on the date when the threat actor first published the data leak site (DLS). Third, industries were categorized according to the first-tier classification of the Korean Standard Industrial Classification (KSIC).
However, the dataset has the following limitations. First, cases where attacks from small groups or cases where victims paid ransoms and the damage was not disclosed externally were excluded from the analysis. Second, while information on some attacks was voluntarily disclosed by the affected companies to the media outlets, it was difficult to determine the exact amount of damage or the attack methods. In particular, when the ransomware group claiming responsibility for the attack was not disclosed externally, it was marked as “unknown.” Third, when multiple attacks occurred against the same company, each attack was treated as an independent case.
Ransomware Attacks Against Korean Companies: Status and Analysis
1) Analysis of the Damage Status
(1) Number of Cases by Year
Ransomware attacks against Korean companies have been on the rise since 2021. The attacks have increased each year, with only one attack by the LockBit group being confirmed in 2021. However, this attack marked the beginning of a series of ransomware attacks against Korean companies. In 2022, three attacks occurred, one each by the Snatch, Hive, and Cuba groups.
The situation took a turn for the worse in 2023, with a total of 17 attacks occurring. Korean companies were targeted by various ransomware groups, including RA World, ALPHV (BlackCat), BianLian, and Akira. The trend continued in 2024, with a total of 16 attacks being launched by groups such as RansomHub, Underground, LockBit, Black Basta, and Space Bears.
A total of 56 attacks were recorded until October 31, 2025, making it the year with the highest number of attacks in the past five years. This year, various ransomware groups including Qilin, Gunra, and Black Shrantac have launched attacks. Other groups such as RansomHouse, Black Nevas, and INCRansom have also been actively attacking their targets.
Figure 1. Number of ransomware victims by year
(2) Number of Incidents by Month
Ransomware attacks against South Korea occurred between once and three times a year from 2021 to 2022. However, ransomware attacks have been occurring monthly between once and three times a month since 2023, showing a significant increase in attack frequency. Before 2023, major ransomware groups such as LockBit, Hive, and ALPHV (BlackCat) began to find it difficult to continue their activities due to increased pressure from law enforcement (LE) and internal conflicts. As a result, they began to target Asia, where it is relatively difficult to conduct investigations through international judicial cooperation. This trend led to an increase in ransomware attacks against South Korea as well. Since 2023, it has been confirmed that there have been cases where South Korea has been targeted with intensive attacks by specific ransomware groups, resulting in three to five attacks or more.
Figure 2. Monthly heatmap of ransomware damage
(3) Status of Emerging Ransomware Groups
Figure 3. Number of new ransomware groups emerged each month in 2024 and 2025
A total of 53 new ransomware groups were identified to have emerged from January 1 to October 31, 2025. In particular, a large number of ransomware groups appeared in March and May. This is attributed to the RansomHub ransomware group, which had shown explosive activities in 2024, suspending its operation in March 2025. As a result, its affiliated members dispersed, with some transforming into independent ransomware groups. Additionally, while 38 ransomware groups emerged from January to October 2024, 15 more groups were identified to have emerged during the same period in 2025, bringing the total to 53.
※ For more information, please refer to the attachment.
