The number of ransomware attacks that were observed and tracked during the first six months of 2025 was up by 179% – almost three times – on the same period in 2024, according to statistics published by threat intelligence platform provider Flashpoint.
The past year has seen significant turnover among cyber criminal threat actors with previously-feared names such as LockBit – famously taken down by cyber cops – and ALPHV/BlackCat no longer the forces they once were.
The past year has also seen a pivot among some ransomware actors to extortion without encryption. In such attacks, a victim’s systems are attacked in the usual way – normally through social engineering or an unpatched software vulnerability – and their data stolen, but not ever encrypted.
This sort of attack is becoming a significant threat because it drastically lowers the barriers to entry from a technical perspective, both for the core ransomware operators who save on time and effort, and their less-adept affiliates. This trend started to emerge during 2024 and shows no signs of dying out.
“Multiple groups appear to prefer a pure extortion play. Ransomware groups will traditionally encrypt files before exfiltrating them, charging for both the decryption key and to prevent data from being leaked,” said the FlashPoint team.
“[However] extortion groups like World Leaks, previously known as Hunter’s International, ransoms without encryption. Additionally, RansomHub has been observed occasionally employing this tactic, as well as emerging groups like Weyhro,” they said.
Meanwhile, generative artificial intelligence (GenAI) is also starting to be used by some – albeit not many gangs, again as a means of relieving ransomware gangs of some of the more burdensome tasks they face, such as developing phishing templates.
At the time of writing, few high-profile operators are using large language models (LLMs) in their tooling, but Funksec, which emerged at the end of 2024 and may have had a hand in the development of the WormGPT model, may be one to watch.
“It is possible that additional groups will integrate the use of LLMs or chatbots within their operations,,” said the FlashPoint team.
Other operational and technical changes observed by the FlashPoint team include a growing number of attacks in which ransomware gangs recycle previous ransomware victims from other groups, with data often appearing on other forums long after the event itself.
Most active gangs
The most active ransomware actors observed during the first six months of 2025 were Akira, which carried out 537 attacks, Clop/Cl0p, with 402, Qilin, with 345, Safepay Ransomware, with 233, and RansomHub, with 231.
However, there are several other groups that are worth watching. For UK-based organisations DragonForce will now be a familiar name thanks to its use against the likes of Marks & Spencer and Co-op Group in high-profile cyber attacks.
In terms of ransomware victimology, organisations in the United States continue to be the most frequently targeted, accounting for 2,160 attacks tracked by FlashPoint, outpacing second-placed Canada – with 249 attacks – by a runaway margin. FlashPoint tracked 154 attacks in Germany and 148 in the UK, followed by Brazil, Spain, France, India and Australia.
The manufacturing and technology sectors appear to provide the most lucrative payouts for ransomware gangs, accounting for 22% and 18% of all attacks, followed by retail at 13%, healthcare at 9%, and business services and consulting at 8%.
