Ransomware Groups
We've curated 19 cybersecurity statistics about Ransomware groups to help you understand how these organized cybercriminals are evolving their tactics, targeting vulnerabilities, and leveraging advanced technologies to hold businesses hostage in 2025.
Related Topics
Showing 1-19 of 19 results
38% of publicly disclosed ransomware incidents were not attributed to any known group in Q1 2026.
Among undisclosed ransomware attacks in Q1 2026, Qilin led with 339 attacks (16%), The Gentlemen 200 attacks (9%), and Akira 190 attacks (9%).
Among publicly disclosed attacks, Qilin was responsible for 22 attacks (8%), ShinyHunters 16 attacks (6%), and INC 11 attacks (4%).
The Gentlemen claimed 273 attacks since its emergence in 2025 through the end of Q1 2026.
129 ransomware groups were active during 2025.
Qilin claimed the most victims in 2025 (835), followed by Akira (650), Cl0p (517), Play (363), INC (334), Safepay (306), Lynx (253), RansomHub (233), DragonForce (181), and Babuk (176).
2025 ransomware market share by group: Qilin (23%), Akira (18%), Cl0p (14%), Play (10%), INC (9%), Safepay (8%), Lynx (7%), RansomHub (6%), DragonForce (5%).
Active ransomware and extortion groups increased by 49% year over year.
The Akira ransomware group was linked to 776 total recorded attacks in 2025.
Fifty-two new ransomware groups emerged in 2025, a 9% increase compared to 2024.
A total of 130 different ransomware groups carried out attacks in 2025.
The INC ransomware group claimed 66 victims in undisclosed activity in 2025.
The Qilin ransomware group claimed 1,115 victims in 2025, making it the most active ransomware group across disclosed and undisclosed attacks.
The top five ransomware groups — Qilin, Clop, Akira, Play, and SafePay — were responsible for 938 incidents, accounting for nearly 25% of all ransomware attacks in 2025.
Qilin was responsible for 248 incidents, Clop for 246 incidents, Akira for 209 incidents, Play for 120 incidents, and SafePay for 115 incidents in 2025.
Out of 103 active ransomware groups, five groups accounted for nearly 25% of global ransomware incidents.
In 2025, 77.7% of ransomware attacks were attributed to other actors outside the top five groups.
In 2025, there were 103 distinct ransomware threat actors observed targeting critical infrastructure.
In 2025, 5.9% of ransomware attacks were attributed to Qilin, 5.9% to Clop, 5.0% to Akira, 2.9% to Play, and 2.7% to SafePay.