Cyble reveals US primary target with 223 ransomware victims amid rising attacks on critical infrastructure | #ransomware | #cybercrime


New Cyble data released Tuesday found that Qilin led ransomware activity for the third time in four months, capitalizing on the fall of RansomHub to claim the most victims on its data leak site. In July, Qilin hit 73 victims, about 17% of the total 423 reported attacks. Trailing behind, INC Ransom ranked second with 59 victims, fueled by a spike in attacks targeting critical infrastructure and a rise in public disclosures. Other groups continue to shift and adapt, keeping the threat landscape dynamic.

In its ‘Ransomware Landscape July 2025’ update, Cyble reported that the U.S. was by far the most attacked country once again, with 223 victims, eight times more than second-place Canada. “July’s totals marked the third consecutive monthly increase in ransomware victims, following a three-month downtrend that began after February saw a record 854 attacks. 2025’s lowest point (402 attacks in May) remains well above the low points of 2023 (161 in January 2023) and 2024 (243 in January 2024), suggesting that the long-term uptrend remains intact despite claimed victims being half of February’s record, which was driven by a high number of CL0P and RansomHub victims.”

Cyble researchers noted 25 possible critical infrastructure ransomware incidents in July, targeting sectors such as government and law enforcement, energy and utilities, and telecommunications. An additional 20 incidents were noted as involving possible supply chain impact because of application software provided to other sectors. July also saw nearly 40 new ransomware variants and several new threat groups. 

Data showed that professional services were the most targeted industry by ransomware groups in July 2025, with 57 attacks. Construction followed closely with 54 attacks, and manufacturing came next with 39. The healthcare sector faced 30 attacks, while the IT and ITES industries saw 24 incidents. Government and law enforcement agencies experienced 21 attacks, BFSI (banking, financial services, and insurance) had 20, and both food and beverages and organizations faced 17 attacks each. Education was the least targeted among the top ten, with 15 ransomware incidents reported.

Europe was the second most attacked region after North America, with Italy, the U.K., Germany, France, and Spain accounting for the highest number of victims. In the APAC region, Thailand, Japan, and Singapore each had six ransomware victims, followed by India and the Philippines. In EMEA, Turkey and Saudi Arabia suffered the most attacks, while Australia remains the dominant target in the ANZ region with five attacks.  

Cyble noted that ransomware groups were once again able to compromise many high-value targets in July, and several attacks had supply chain and national defense implications. The SafePay ransomware group claimed responsibility for a cyberattack on a major U.S.-based global technology and supply chain services provider. The group alleged the theft of 3.5 terabytes of data, and the resulting operational disruption impacted key systems, including distribution, licensing, transaction systems, and API infrastructure. 

The Akira ransomware group claimed responsibility for breaching a U.S.-based defense contractor that provides mission-critical support and engineering services to federal agencies. The group stated that the stolen data includes corporate information, around 200 scans of passports and driver’s licenses, documents containing personal information, NDAs, and various contracts and agreements. 

INC Ransom group claimed responsibility for cyberattacks targeting a U.S.-based company that develops building automation systems for critical infrastructure and commercial environments, a U.S.-based provider of advanced power transmission and distribution solutions, a Canadian firm specializing in underwater infrastructure inspections and maintenance for industries such as hydro, nuclear, oil and gas, utilities, and public infrastructure, and a Canadian-based managed service provider (MSP) offering IT and cybersecurity services. 

The Warlock ransomware group leaked data allegedly stolen from an India-based manufacturing company. A preliminary review of the posted file tree suggests the exfiltrated data includes HR records, financial files, backup folders, and internal directories such as design software archives and employee data repositories. 

The DevMan ransomware group claimed full domain administrator access to a government agency in Thailand. The threat actor deployed a Group Policy Object (GPO) from the domain controller to spread the ransomware payload throughout the environment, and also claimed to have compromised a backup domain controller running Windows Server 2008. DevMan rebranded itself as DevMan 2.0, launched a new data leak site (DLS), and named two Japanese technology companies as victims.

July saw significant activity in ransomware, with new groups, variants, and tactics emerging. BEAST, a RaaS (Ransomware-as-a-Service) group that surfaced in February, has launched a Tor-based data leak site listing 16 victims across the U.S., Europe, Asia, and Latin America. The site uses different email addresses for each victim, indicating that negotiations are managed by affiliates who carry out the network encryption.

The rising group D4RK4RMY introduced a dark web leak site and claimed multiple attacks. It rolled out a new RaaS model that pays a base salary plus 50% of ransom proceeds, operating through an invite-only structure with tiered memberships. The group is also seeking partnerships with Initial Access Brokers. Payouts King, another new threat actor with a Tor leak site, lists 13 victims but claims it does not use a RaaS model or accept affiliates.

Sinobi, a fresh player with a Tor leak site, targeted a U.S.-based financial services firm. Sinobi’s site closely mirrors the Lynx ransomware group’s layout and writing style, suggesting a link. Lynx is believed to have originated from INC Ransom. AiLock ransomware, first seen in March 2025, uses a RaaS model and appends ‘[dot]AiLock’ to encrypted files. It employs multithreaded encryption via I/O Completion Ports to separate path traversal and encryption, boosting speed. AiLock combines ChaCha20 for file content with NTRUEncrypt for metadata and uses evasion tactics like API obfuscation, dynamic loading, and selective encryption based on file size.

KaWaLocker (also KaWa4096), identified in June, uses hybrid ChaCha20 and Curve25519 encryption, adds a random 9-character suffix to filenames, and leaves a ransom note. Victims face file encryption and threats of data exposure. The ransomware includes anti-analysis measures like checks for debugging or virtual environments, and deletes Volume Shadow Copies via ‘vssadmin’ or ‘wmic’ to block recovery.

DeadLock, a newly spotted variant, operates strictly under an encryption-only extortion model. It issues ransom notes but does not threaten data leaks or disclose theft, focusing solely on encrypting systems and demanding payment for decryption. Crux, another recent variant, appends the [dot]crux extension and drops ransom notes. It runs via svchost.exe, disables Windows recovery using bcdedit.exe, and encrypts system files, likely to evade detection by using trusted system binaries. It may be linked to the BlackByte RaaS ecosystem, though this remains unconfirmed.
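The recovery-inhibition steps described above for KaWaLocker (deleting Volume Shadow Copies via vssadmin or wmic) and Crux (disabling Windows recovery with bcdedit.exe) are a common detection opportunity. The following Python is an added example, not code from the Cyble report or this article; it runs simple rules over constructed process-creation events (the host names, parent images, and command lines are assumed sample data) and returns one finding per matched rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (assumed data, not from the report).
# Each tuple: (host, parent_image, image, command_line)
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ("ws02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit.exe /set {default} recoveryenabled no"),
    ("ws03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete"),
    ("ws04", r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),  # benign: lists shadow copies, does not delete them
    ("ws05", r"C:\Windows\explorer.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /enum"),  # benign: read-only boot configuration query
]

# Case-insensitive rules for the recovery-inhibition behaviour the article describes
# (MITRE ATT&CK T1490, Inhibit System Recovery). Word boundaries keep "list shadows"
# and "/enum" from matching.
RULES: Dict[str, re.Pattern] = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}


def classify(command_line: str) -> List[str]:
    """Return the names of every rule the command line matches (empty if benign)."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def scan(events: List[Tuple[str, str, str, str]]) -> List[Dict[str, str]]:
    """Scan process-creation events; the parent image is kept so analysts can see
    cases like Crux, which the article says runs via svchost.exe."""
    findings = []
    for host, parent, image, cmd in events:
        for rule in classify(cmd):
            findings.append({"host": host, "rule": rule, "parent": parent,
                             "image": image, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} <- {f['cmd']} (parent {f['parent']})")
```

In production the same rules would be fed from Sysmon Event ID 1 or Windows Security Event ID 4688 command-line fields, and a hit should be correlated with the parent process and any preceding GPO changes.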

Gunra ransomware has expanded to Linux with a new variant, marking a shift to cross-platform attacks. This Linux version supports up to 100 parallel encryption threads, well above typical ransomware, and allows partial file encryption for greater control. It uses a hybrid ChaCha20 + RSA encryption scheme and can store RSA keys separately rather than embedding them. Unlike most ransomware, it does not drop a ransom note, focusing entirely on stealth and speed.

In conclusion, Cyble noted that ransomware groups, with the finances and motivation to support ongoing research and development, can be counted on to continually evolve, and security teams must prepare for these evolving threats.

“Developing cyber resilience is critical,” the post added. “Best practices include segmentation of critical assets, zero trust principles, immutable backups, hardened endpoints and infrastructure, a risk-based vulnerability management program, endpoint, network, and cloud monitoring, and a well-rehearsed incident response plan.”  
