S-RM observed a sharp increase in ransomware incidents across Asia in 2025. Last year, approximately 660 organisations across the region were named on ransomware leak sites, more than double the previous year (figure 1). Many additional incidents likely went undisclosed. In this article we look at the reasons behind this worrying trend and the main threat actors targeting the region.
Figure 1: Publicly disclosed ransomware victims in Asia
Source: ecrime.ch
Playing catch up
Rapid digitalisation underway across Asia has created extensive cyber vulnerabilities that threat actors can exploit. Even small businesses are adopting online infrastructure and cloud‑based services. This technological development has increased the pool of potential victims; most lack the cyber maturity to defend adequately against evolving ransomware tactics. Indeed, many organisations do not have sufficiently robust security controls, monitoring, or response capabilities appropriate for their technology stack and attack surface. This leaves significant gaps for threat actors to exploit.
At the same time, the introduction and enforcement of stricter privacy and data‑breach regulations across Asia has given threat actors additional leverage. Attackers now frequently threaten not only to encrypt data, but also to expose sensitive information in ways that could trigger regulatory penalties and serious reputational damage. This is familiar; we saw the same dynamic at work with the introduction of the GDPR in Europe and data privacy legislation across North America. While needed, new rules transform compliance obligations into a potential extortion lever.
Figure 2: Ransomware attacks by country in 2025
Source: ecrime.ch
Old actors, new actors
Qilin was the most active ransomware group targeting Asia-based organisations in 2025. This was no surprise; Qilin was the most prominent ransomware group globally last year, with a total of 1,153 publicly disclosed victims. So arguably, the story could have been worse: Asia represented only 9% of Qilin’s total victims. It may be more in 2026.
We also observed the appearance of new ransomware groups in 2025, who appear to specifically target organisations in Asia. The table below shows seven new groups who have all aggressively leaned into Asia:
| Threat actor | First seen | Total number of victims | Number of victims in Asia | Percentage of victims in Asia |
| Nightspire | March 2025 | 101 | 34 | 34% |
| Dire Wolf | May 2025 | 56 | 28 | 50% |
| Gentlemen | September 2025 | 77 | 24 | 31% |
| Crypto24 | April 2025 | 33 | 14 | 42% |
| WALocker | June 2025 | 19 | 8 | 42% |
| Gunra | April 2025 | 21 | 7 | 33% |
| Obscura | August 2025 | 19 | 6 | 32% |
Source: ecrime.ch
With approximately 660 publicly disclosed incidents in Asia in 2025, these seven groups, all of which appeared after March 2025, took considerable wallet share in the region – and a notably larger proportion, comparatively, to established players in the market. This portends a potentially dramatic escalation to changes already underway in the threat landscape for the region.
A collaborative market response
Old or new, targeting Asia or elsewhere, ransomware operators remain financially motivated. As cyber maturity, defensive capabilities, and recovery practices improve in developed cyber markets, attackers are expanding their hunting grounds. Returns on investment remain a primary consideration. More opportunities for the attackers, weaker defences, greater regulatory pressures, and expanded cyber insurance coverage all coincide to make Asia a highly attractive market for threat actors.
As more ransomware attacks are publicised and the general threat becomes better understood, companies are re-evaluating their risk exposure, driving new demand for cyber coverage and advisory support. We will start to see an increased demand for services and products to reduce, and transfer, this rapidly rising risk. However, small- and medium-size enterprises (SMEs) comprise the majority of businesses across Asia, including in major economic centres such as Singapore and Hong Kong, and often lack the resources required to invest in sophisticated cyber security controls.
We expect the ransomware threat facing Asia to intensify in 2026. Collaboration between cyber insurers, consultancies, technology providers, and local governments will be crucial to developing accessible security services, awareness initiatives, and innovative risk transfer mechanisms that address the unique challenges faced by businesses in the region.
Please contact S-RM if you would like to speak to one of our team.
.jpg?width=121&height=121&name=S-RM_Headshots_SESSION-2_LOW-RES_280323-1-95_websize%20(1).jpg)
