There were 75 active ransomware groups in Q2, a slight increase from 74 in Q1. However, the number of attacks per group has dropped from 33.2 to 19.8. This could reflect shifts in law enforcement pressure, infrastructure disruptions, or changes in attacker strategy.
With 176 attacks, Qilin has overtaken Cl0p as the most active ransomware group. It is followed by Akira (139 attacks), Play (124 attacks), Safepay (101 attacks), and Dragonforce (73 attacks).
Cl0p has now dropped from the list of most active ransomware groups, following intense activity in early 2025 and a sharp decline since March. This highlights the cyclical and opportunistic nature of ransomware group activity.
Qilin has been steadily growing throughout the first half of 2025, indicating an expansion of operational capacity and increased aggressiveness in target selection. Qilin’s sustained growth demonstrates how some ransomware groups expand their reach even as overall attacks decline, highlighting the group’s rise as a dominant threat actor.
Manufacturing (157 attacks, approximately one every 13.6 hours), technology (136 attacks, approximately one every 16 hours), and healthcare (95 attacks, approximately one every 22.5 hours) were the most targeted industries in Q2.
Although healthcare experiences fewer attacks than some other sectors, each incident can cause significant harm, including care delays, outages, and regulatory issues. Persistent attacks on healthcare highlight its vulnerability stemming from the urgency of its operations, the sensitivity of its data, and the prevalence of outdated systems. Attackers often exploit this vulnerability with double extortion, forcing organizations to pay quickly to avoid disruptions.
While Q2 2025 saw a decrease in overall attacks, it also revealed more complex tactics, tools, and targeting methods employed by attackers. As ransomware continues to evolve, organizations must remain proactive, adaptable, and informed to defend effectively.
CyberMaxx’s cyber research team regularly investigates threats independently. These efforts aim to build shared knowledge across the cybersecurity community.
Access the full Ransomware Research Report here:
About CyberMaxx
CyberMaxx, LLC., founded in 2002, is the leading provider of managed detection and response (MDR), headquartered in Chicago, IL. CyberMaxx’s managed detection and response solution (MaxxMDR) is designed to be scalable for clients of all sizes, providing protection and improving the organization’s security posture, ultimately giving customers peace of mind that their systems and data are secure. CyberMaxx expanded its capabilities through the 2022 acquisition of CipherTechs, an international cybersecurity company providing a complete cybersecurity portfolio across MDR Services, Offensive Security, Governance, Risk & Compliance, DFIR, and 3rd party security product sourcing.
Media Contact
John Pinkham, CyberMaxx, 1 7818015352
SOURCE CyberMaxx