Ransomware attacks in Q2 of 2025 fell by 23% compared to the previous quarter, but they are 43% higher than at this time in 2024, and the drop is only partly the result of typical seasonal changes. In Q2 of 2025, 1,591 new ransomware attack victims were listed on data leak sites, about 17.5 per day, compared to 22.9 per day in Q1 of 2025.
In 2024, Alphv/BlackCat, a key player in the malware ecosystem, ceased operations, law enforcement took down LockBit, and the RansomHub operation was significantly disrupted. Together, these events fragmented the ransomware ecosystem. Because there are more small groups in 2025, they can more easily operate without being noticed by law enforcement.
Q2 of 2024 had 41 active ransomware groups, while Q2 of 2025 had 71, as reported in the quarterly Ransomware & Cyber Threat Report published by the GuidePoint Research and Intelligence Team (GRIT). The year-over-year increase in active ransomware groups is 45%.
In Q2 of 2025, 52% of the attacks conducted by ransomware groups were on the United States. Other countries targeted by ransomware groups include the United Kingdom, Canada, and Germany. Healthcare institutions, including HIPAA-covered entities, are still appealing targets for ransomware groups, but they are now 5th on the list of targeted sectors, following manufacturing, technology, construction, and legal services. This is partly because some groups focus their attacks on other industries. The IncRansom, Qilin, and Everest ransomware groups prefer healthcare organizations as their targets.
The most active ransomware group in Q2 of 2025 was Qilin, with over 200 attacks launched. Qilin conducted twice the number of attacks conducted by Akira, Play, and SafePay. Although Akira and Play also target the healthcare industry, they prefer attacking other industries. The DragonForce cartel, which tried an aggressive takeover of RansomHub, was the fifth most active ransomware group. Its policy is not to attack critical infrastructure. DragonForce did not carry out as many attacks as expected, considering its aggressive recruitment approach and efforts to control the ransomware ecosystem.
Principal Threat Intelligence Analyst Justin Timothy of GuidePoint Security stated that there is a reshuffling in the ransomware ecosystem. Despite the disruption of key RaaS players, overall threat capacity was not reduced, just redistributed. Affiliate operations regrouped, and many continued their operations employing recycled resources, so familiar tactics are likely to be seen under new names in the second half of the year.
Ransomware groups are increasingly using coercive strategies, which include contacting company workers by phone, fax, SMS, and email, and even contacting those whose personal information was stolen. The goal is to put pressure on the victims to negotiate or make a ransom payment, though these tactics are usually not effective. According to GRIT, these strategies usually have the opposite effect and make ransom payment less likely, because the ransomware groups are seen as untrustworthy.
Although it is good that ransomware attacks decreased, GRIT thinks it is just a brief drop, and that attacks will probably increase again after the summer, particularly if a key ransomware-as-a-service group emerges to take the place of RansomHub, which seems to have met an unexpected end in March 2025. GRIT suggests there was no obvious alternative group for its affiliates, though it thinks a new key player will eventually emerge to capture the vacant market share.