There has been a 45% year-over-year rise in active ransomware groups.

In Q1 2025, Clop named 389 victims on its data-leak site in February alone.

LockBit named just 24 organizations on its data-leak site in Q2 2025. This figure represents only 11% of its Q2 2024 victim count.

Qilin emerged as the top ransomware threat in Q2 2025.

80% of the organizations named by Qilin in Q2 were based in the US.

Construction was the third most targeted sector by ransomware in Q2 2025.

Akira listed approximately 130 organizations to its data-leak site each quarter in 2025.

Lynx experienced a 41% drop in activity between Q1 and Q2 2025.

Q2 2025 saw a 31% decrease in named ransomware victims compared to the previous quarter, marking a return to more typical levels.

Retail trade accounted for only 4% of total ransomware victims in Q2 2025.

The US remained the most targeted country by ransomware, accounting for 67% of the total organizations named on ransomware data-leak sites in Q2.

Akira has already listed 15% more victims in the first half of 2025 than it did throughout the entirety of 2024.

Qilin showed an 80% increase in activity in Q2 compared to Q1 2025.

Germany rose to second most targeted country by ransomware in Q2 2025, climbing two spots from fourth in Q1 2025.

DragonForce activity was up 119% between Q1 and Q2 2025.

Akira showed a 348% rise in the number of organizations named in Q2 2025 compared to the same period last year.

Spain and other Spanish-speaking countries each accounted for less than 4% of Qilin's total victim volume in Q2.

DragonForce emergence: December 2023.

SafePay's activity increased by 42% in Q2 2025 compared to Q1 2025.

Yearly data from 2024 shows that while ransomware attacks and the number of active gangs have grown, ransom payments saw a significant drop