The 40% acceleration in the second half is the number that jumps out. That is not just "more groups", something changed operationally in the ecosystem around September 2025.

SafePay dominating Germany with 72 claims is worth watching. Most ransomware analysis focuses on US-heavy groups, but a group concentrating on a single non-US market suggests either language capability, specific supply chain access, or targeting of regulatory environments where disclosure pressure increases payment rates. Germany's strict GDPR enforcement could make the threat of a leak more effective than in markets where fines are lower.

The 35% of claims with no sector attribution is a significant gap. If those ~2700 unattributed claims skew toward smaller organizations without public sector classification, the actual concentration in SMB targets could be much higher than the data shows.

The point about ecosystem resilience is the most important takeaway for defenders. 129 active groups means the threat model is not "prevent group X" but "assume breach and limit blast radius." That shifts investment from detection toward segmentation, backup isolation, and recovery speed.

This not a helpful (nor human) comment despite all the words