New data from Check Point Software Technologies shows that ransomware is evolving rather than disappearing. Its Q2 2025 Ransomware Report highlights that the threat landscape is fragmenting, as established players like Qilin and DragonForce are expanding their tactics with AI-powered tools and aggressive affiliate recruitment, while groups such as Hunters International are abandoning file encryption in favor of stealthier, data-only extortion. Overall, victim disclosures fell six percent compared to the 12-month average, yet activity from Qilin doubled, reflecting new pressure tactics.
In its Q2 2025 Ransomware Report, Check Point detailed that law enforcement actions, declining ransom payments, and evolving attacker strategies have pushed several major groups offline, leading to the first drop in publicly disclosed ransomware victims in over a year. AI is increasingly embedded across operations, from negotiation tools to content generation. Healthcare remains a prime target, with INC Ransom accounting for nearly 17% of attacks on hospitals and clinics in the quarter.
This comes as attackers are combining AI with traditional extortion tactics. Drawing on leak site data and threat intelligence, the report analyzes how ransomware is evolving and outlines the steps defenders need to take to stay ahead. Adversaries are increasingly using AI to automate communications and enhance social engineering efforts. In addition, attackers are shifting focus from encryption to exfiltration, using stolen data as the primary weapon.
Data revealed that in the second quarter, ransomware victim locations primarily followed established patterns: the U.S. represented about 50% of reported cases, and other developed Western countries also saw high victim counts because they hold valuable data and have the ability to pay ransoms.
Check Point detailed that global law enforcement pressure has disrupted the ransomware supply chain through coordinated takedowns and infrastructure seizures targeting initial access malware. In May alone, authorities dismantled around 300 servers worldwide, shut down 650 domains, and issued arrest warrants for 20 suspects. At the same time, reduced profitability has become a major factor in the disruption.
New regulations banning ransom payments, combined with decreasing trust in decryption tools and improved backup strategies, have driven global payment rates to historic lows, estimated at 25 to 27%. For many groups, encryption-based ransomware is no longer worth the risk. High-profile exits and strategic retreats are also contributing to the shift. Some threat actors are publicly distancing themselves from high-risk targets or encryption tactics, while others have simply vanished, coinciding with a decline in fake or low-quality campaigns designed to pressure victims into paying.
The decline is reflected in the number of publicly posted victims: 1,607 victims were listed across more than 75 monitored data leak sites in the second quarter, down from 2,289 in the first quarter, though still higher than the 1,270 recorded in the second quarter of last year.
Check Point observed that the decline of major RaaS groups does not signal the end of ransomware. Instead, it has made the threat less predictable, with attacks coming from a wider and more dispersed range of actors. The current ransomware landscape is less centralized, with power spread across numerous smaller groups. It is harder to track, as affiliates frequently shift between brands or operate independently.
At the same time, the ecosystem remains active, with new actors quickly filling any gaps. For defenders, this means threat models must be updated. Relying solely on reputation-based indicators or legacy IOCs (Indicators of Compromise) tied to well-known groups is no longer sufficient.
During the quarter, ransomware group dynamics shifted dramatically. While some actors doubled down on brand-building and innovation, others evolved their business models or refined sector-specific targeting.
Qilin’s rapid rise this quarter reflects a broader shift across the ransomware ecosystem. Following RansomHub’s exit, Qilin expanded aggressively and provided its affiliates with a suite of high-pressure extortion tools. These included integrated DDoS attacks designed to disrupt victims’ operations, regulatory complaint toolkits for filing reports with tax, legal, and government bodies, and corporate spam campaigns targeting executives and IT departments. The group also deployed media content, likely generated with AI, to impersonate journalists and conduct negotiations at scale.
Check Point reported that DragonForce demonstrates the growing professionalism of ransomware with its new ‘ransomware cartel’ model, which allows affiliates to operate semi-independently under their own brands while using DragonForce’s infrastructure. Affiliates gain access to DragonForce’s tools but carry out attacks under their own branding.
The group has implemented selective targeting policies, publicly prohibiting attacks on healthcare and emphasizing financial objectives to maintain a businesslike image. DragonForce’s influence is also visible in the cybercriminal ecosystem, with the Ramp forum incorporating its logo. In addition, the group is aggressively recruiting former RansomHub affiliates to increase its victim count.
Among other adversaries to watch, Check Point highlighted Hunters International, which, after fully shifting to data-only extortion, launched the World Leaks platform and adopted more covert tactics. The group sends private notifications to executives and board members, avoids encryption and endpoint disruption, and has released retroactive decryption keys for past victims.
Check Point noted that the ransomware threat landscape is increasingly shaped by multi-vector extortion, including DDoS attacks, legal threats, and public relations pressure. Brand-based RaaS models have dispersed power across smaller groups, and selective targeting is used to manage optics and reputational risks. Healthcare and public sector organizations remain particularly vulnerable. Security teams must prepare for extortion campaigns that combine operational, legal, reputational, and psychological pressure, often occurring without any file encryption.
Safepay continues to focus heavily on Germany, which accounted for nearly 40% of the 76 victims the group reported in the second quarter. Akira focuses on Italy, with 10% of its victims being Italian firms, compared to just 3% in the general ransomware ecosystem. Meanwhile, Satanlock targets Brazil, where 14% of its victims are based.
In the second quarter of 2025, Check Point reported that ransomware impacted a broad range of industries, with no single sector being predominantly targeted. However, some sectors attract more attention from attackers due to their inherently sensitive data and the potential for a high-impact disruption.
The healthcare industry remains a prime target, comprising nearly 8% of all victims because of its valuable patient data and critical services. In contrast, the government and education sectors see fewer attacks, a trend likely influenced by lower ransom payment prospects and potential government protections. Meanwhile, industries including manufacturing, construction, engineering, and finance experienced an uptick in their percentage of ransomware attacks since the first quarter of 2025.
The research notes that understanding geographic and industry targeting trends is crucial for organizations to effectively prioritize their cyber defenses. Organizations operating within the United States and Western Europe must remain particularly vigilant due to the consistently high volume of attacks directed at these regions. Healthcare providers, as prime targets, need to develop and implement tailored security strategies specifically designed to protect sensitive patient data and ensure operational continuity in the face of an attack.
Furthermore, the rise of emerging ransomware groups with strong regional focuses necessitates that all organizations incorporate geographically informed threat intelligence into their response plans.
In the second quarter, Check Point reported that AI tools became deeply embedded in attackers’ workflows, helping them move faster, target smarter, and evade detection more effectively than ever before. AI supports attackers by rapidly processing stolen data to identify high-value targets within victim organizations. It also enhances malware development, enabling malicious software to bypass traditional antivirus and behavior-based security tools. Additionally, AI is used for social engineering to generate phishing emails or deepfake audio and video, facilitating initial access or privilege escalation.
Looking ahead, the Check Point research identified that as ransomware groups continue to integrate AI, defenders can expect an escalation in the AI arms race. Attacks will feature increased automation throughout the attack lifecycle, more personalized and adaptive extortion campaigns, and advanced evasion techniques that challenge existing security controls. Organizations must also focus on proactive investment in AI-driven defense tools, continuous monitoring, and cross-sector intelligence sharing, all of which are critical for addressing these emerging threats.
Check Point recommends utilizing external risk management for prevention and mitigation. Implementing a proactive approach allows organizations to detect malicious activities before they begin or during their initial stages, significantly limiting potential damage. As ransomware threats and their methodologies grow in sophistication, relying on comprehensive intelligence and early intervention becomes crucial to combating this pervasive risk.