5% of observed ransomware victims in Q2 2025 were based in Canada.

The US remained the most targeted country by ransomware, accounting for 67% of the total organizations named on ransomware data-leak sites in Q2.

Spain and other Spanish-speaking countries each accounted for less than 4% of Qilin's total victim volume in Q2.

DragonForce emergence: December 2023.

DragonForce activity was up 119% between Q1 and Q2 2025.

Lynx experienced a 41% drop in activity between Q1 and Q2 2025.

80% of the organizations named by Qilin in Q2 were based in the US.

Qilin showed an 80% increase in activity in Q2 compared to Q1 2025.

Akira has already listed 15% more victims in the first half of 2025 than it did throughout the entirety of 2024.

Germany rose to second most targeted country by ransomware in Q2 2025, climbing two spots from fourth in Q1 2025.

Q2 2025 saw a 31% decrease in named ransomware victims compared to the previous quarter, marking a return to more typical levels.

In Q1 2025, Clop named 389 victims on its data-leak site in February alone.

SafePay's activity increased by 42% in Q2 2025 compared to Q1 2025.

Akira listed approximately 130 organizations to its data-leak site each quarter in 2025.

LockBit named just 24 organizations on its data-leak site in Q2 2025. This figure represents only 11% of its Q2 2024 victim count.

Retail trade accounted for only 4% of total ransomware victims in Q2 2025.

Construction was the third most targeted sector by ransomware in Q2 2025.

Akira showed a 348% rise in the number of organizations named in Q2 2025 compared to the same period last year.

Qilin emerged as the top ransomware threat in Q2 2025.

Almost 40% of ransomware attacks in the US targeted the education sector