Ransomware attacks saw a substantial global decline of 43% in the second quarter of 2025 compared to the first quarter, with the total number of recorded incidents falling from 2074 to 1180. This marks the fourth consecutive month of decrease in claimed ransomware attacks, with June 2025 experiencing a 6% reduction from May, tallying 371 attacks. This slowdown follows a surge in attacks during Q1, which was fueled by aggressive campaigns from prominent groups like Clop, RansomHub, and Akira. The notable shift in the threat landscape suggests a significant disruption to the operations of these once-dominant ransomware entities.
A key factor contributing to this sharp decline is intensified law enforcement activity targeting major ransomware operators.
This includes actions that specifically disrupted affiliates of groups such as Clop and RansomHub, both of which notably disappeared from the top 10 most active ransomware groups in Q2. Experts from NCC Group suggest that these disruptions created a “ripple effect” within the ransomware ecosystem, compelling affiliates to either regroup or migrate to newer, emerging ransomware groups. The effectiveness of these law enforcement interventions highlights a growing capacity to impact the financial and operational infrastructure of cybercriminal organizations.
Beyond law enforcement pressure, internal conflicts and information leaks within ransomware groups also played a significant role in the observed slowdown. For instance, in May, sensitive insider information from the notorious LockBit group was leaked, potentially compromising its operations. Furthermore, the report highlighted a “turf war” between DragonForce and rival ransomware operators, with DragonForce appearing to be responsible for RansomHub’s infrastructure outage in late March 2025. This internal strife and these sabotage efforts likely contributed to operational inefficiencies and a reduction in overall attack volume.
Seasonal slowdowns due to global holidays such as Easter and Ramadan in Q2 were also identified as a possible, albeit lesser, contributing factor.
Despite the overall decrease in attacks, the ransomware market is becoming more fragmented, with a record number of new and existing active attack groups in 2025: 86 groups have already been tracked. Qilin emerged as the most active ransomware group in Q2, claiming 151 attacks, or 13% of the total, a significant increase from its 95 attacks in Q1. Akira followed with 131 attacks, then Play (115) and SafePay (108). SafePay, a relatively new group first observed in September 2024, garnered significant attention in May with 70 claimed attacks and has been linked to established actors like LockBit and BlackCat. This proliferation of attackers, as noted by NCC Group’s Matt Hull, indicates a broader range of attack methods that businesses must prepare for, despite the current lull in overall attack numbers.
The industrials sector bore the brunt of attacks in Q2, accounting for 30% of the total with 353 incidents. Consumer discretionary followed with 251 attacks, making up 21%, with retail businesses being particularly targeted within this sector. Information technology (10%), healthcare (8%), and financial services (6%) completed the top five most targeted industries. This data underscores the continued vulnerability of critical sectors to evolving ransomware threats, even as the overall landscape shifts.