> Of 129 active groups, the top five posted 3,027 of the 7,655 claims (40%). After them, the field fragments quickly.

Does it?

The 4th group accounted for 5.0%, 5th was 4.5%, 6th was 3.4% and 10th was 2.5%, I think it doesn't fragment particularly any more quickly after the top 5 than within the top 5.

Is this LLM analysis?

The 40% acceleration in the second half is the number that jumps out. That is not just "more groups", something changed operationally in the ecosystem around September 2025.

SafePay dominating Germany with 72 claims is worth watching. Most ransomware analysis focuses on US-heavy groups, but a group concentrating on a single non-US market suggests either language capability, specific supply chain access, or targeting of regulatory environments where disclosure pressure increases payment rates. Germany's strict GDPR enforcement could make the threat of a leak more effective than in markets where fines are lower.

The 35% of claims with no sector attribution is a significant gap. If those ~2700 unattributed claims skew toward smaller organizations without public sector classification, the actual concentration in SMB targets could be much higher than the data shows.

The point about ecosystem resilience is the most important takeaway for defenders. 129 active groups means the threat model is not "prevent group X" but "assume breach and limit blast radius." That shifts investment from detection toward segmentation, backup isolation, and recovery speed.

> 141 countries appeared in the dataset. US organisations are the most frequent targets at 40%, but the remaining 60% spans six continents. European subsidiaries, APAC operations, and Latin American offices are all represented

Love how this subtly implies that only the US has independent companies, every other region just has subsidiaries and branch offices of US companies